April 28, 2017

Technical Tip: How to configure DNS conditional forwarding on the FortiGate


Description

This article describes how to set up a FortiGate as a DNS Conditional Forwarder.


Solution

When the FortiGate is configured to act as a DNS server for the local network, the default behavior is for it to resolve DNS queries for unknown domains using the system DNS servers configured on the FortiGate. However, administrators may have separate dedicated DNS servers that are authoritative for the internal/private domains used for business applications (such as Active Directory). For cases like this, the FortiGate can be configured to forward queries for specific FQDNs/domains to different DNS servers using the conditional forwarding feature.

 

[Figure: Topology diagram]

Configuring DNS conditional forwarding:

First, check the FortiGate's system DNS settings under Network -> DNS (config system dns in the CLI). The FortiGate will query these servers for any domains that are not locally configured, both for its own local-out traffic and also for queries from downstream DNS clients.

 

This section is frequently set to Internet-based DNS servers, but internal DNS servers may be set here as long as those servers are able to reach the Internet for global DNS resolution. Note that for VDOM-enabled FortiGates, this setting is found in the Global VDOM:

GUI:

[Screenshot: Network -> DNS]

CLI:

 

config system dns
    set primary 8.8.8.8
    set secondary 1.1.1.1
end

If not already done, navigate to System -> Feature Visibility, toggle on the DNS Database feature, and select Apply to commit the change. This allows administrators to manage the DNS database/server functionality from the web GUI. Note that for VDOM-enabled FortiGates, this change (and the rest of the configuration discussed in this article) is made within the non-Global VDOMs (such as the root VDOM).

[Screenshot: System -> Feature Visibility]

Next, navigate to Network -> DNS Servers and select the Create New button under DNS Service on Interface. Add the FortiGate interface that should accept DNS queries from clients (such as the port4 interface), set the Mode to Recursive, then select OK to commit the change.
 
GUI:

[Screenshot: Network -> DNS Servers, DNS Service on Interface]

CLI:

config system dns-server
    edit "port4"
        set mode recursive <--- Recursive is the default mode and will not appear with a show command.
    next
end
 
 
Navigate back to Network -> DNS Servers and select Create New under DNS Database. Fill in the following required information and select OK to add the new DNS database entry:
  • DNS Zone: The name of the entry on the FortiGate (can be the same as the Domain Name, but does not need to be).
  • Domain Name: The domain that will be conditionally forwarded by the FortiGate.
    • This may be set to a domain in general (such as the example 'iba.local' used in this article), or it may be set to an FQDN/sub-domain for more narrow matching ('dc1.iba.local' would only match queries for that specific FQDN/sub-domain).
    • For example, queries for 'dc1.iba.local' will match DNS database entries for 'iba.local' and 'dc1.iba.local', but queries for 'web.iba.local' will only match 'iba.local'.
  • Authoritative: Toggle off/disabled. If enabled, the FortiGate will only resolve the domain locally and will not query the DNS forwarders.
  • DNS Forwarder: DNS servers that the FortiGate will query for requests that match the Domain Name specified above.
    Two servers may be set in the GUI, but more may be added via the CLI in a space-delimited list. See the note at the bottom of the article for an explanation of how the FortiGate queries multiple conditional forwarders.

 

Note: Local DNS entries can be added here safely as a local DNS override. If the FortiGate receives a query for an FQDN that is not configured locally, then it will query the DNS forwarder servers as long as the Authoritative toggle is disabled (otherwise it will reply to the client with an NXDOMAIN response).

GUI:

[Screenshot: Network -> DNS Servers, DNS Database]

CLI:

config system dns-database
    edit "iba.local"
        set domain "iba.local"
        set authoritative disable
        set forwarder "172.16.190.216" <--- More entries can be added here (<dns_server2> <dns_server3>, etc.).
    next
end
 
Note: FortiOS 7.2 and 7.4 do not offer the ability to specify the outgoing interface; only FortiOS 7.6 and higher support it. The outgoing interface may be specified manually, or FortiOS can follow the SD-WAN rules.

CLI:

config system dns-database
    edit "iba.local"
        set domain "iba.local"
        set authoritative disable
        set forwarder "172.16.190.216" <--- More entries can be added here (<dns_server2> <dns_server3>, etc.).
        set interface-select-method [auto|sdwan|specify]
        set interface <interface_name> <--- Only when interface-select-method is set to specify.
    next
end
 
 
With the above configuration, the FortiGate can now receive queries on the configured interface (e.g., port4) and will behave as follows:
  1. Clients that can reach the port4 interface (172.16.191.1 in the above example) can send DNS queries to the FortiGate.
  2. The FortiGate will receive the DNS query and will have different behavior depending on the requested domain:
    1. If the DNS query matches a locally-configured domain, then the FortiGate will forward the query to the DNS forwarder address (e.g., 172.16.190.216).
    2. If the DNS query is for a non-matched DNS domain, then the FortiGate will query the system DNS servers instead.

 

[Screenshot: Network -> DNS Servers]

Note: if the DNS forwarder is accessed over a VPN tunnel, then it may be necessary to specify the source IP that the FortiGate uses to reach the DNS server. See also: Technical Tip: Source IP for self-originating IPsec tunnel traffic.
 
To set this on a per-DNS zone basis, set 'source-ip' under 'config system dns-database':
 
config system dns-database
    edit "iba.local"
        set source-ip <IP_Address_on_FortiGate>
    next
end
 
Verifying the configuration:
The DNS forwarding can be verified by running the following packet sniffer commands on the FortiGate.
 
In the following example output, DNS client 172.16.191.210 sends a query to the FortiGate (172.16.191.1) for dc1.iba.local. The FortiGate then makes a separate DNS query to the DNS forwarder 172.16.190.216 to resolve the FQDN, takes that response, and sends its own response back to the DNS client:

FortiGate # diagnose sniffer packet any '(port 53 and host 172.16.191.210) or (port 53 and host 172.16.190.216)' 6 0 l

interfaces=[any]

filters=[(port 53 and host 172.16.191.210) or (port 53 and host 172.16.190.216)]
2019-09-09 14:59:39.712277 port4 in 172.16.191.210.54337 -> 172.16.191.1.53: udp 31
0x0000   0000 0000 0001 0050 5004 6802 0800 4500        .......PP.h...E.
0x0010   003b 21e2 0000 8011 41db ac10 bfd2 ac10        .;!.....A.......
0x0020   bf01 d441 0035 0027 8d38 215f 0100 0001        ...A.5.'.8!_....
0x0030   0000 0000 0000 0364 6331 0369 6261 056c        .......dc1.iba.l
0x0040   6f63 616c 0000 0100 01                         ocal.....

2019-09-09 14:59:39.712577 port3 out 172.16.190.1.1717 -> 172.16.190.216.53: udp 31
0x0000   0000 0000 0000 0050 5013 6303 0800 4500        .......PP.c...E.
0x0010   003b 5c55 4000 4011 0962 ac10 be01 ac10        .;\U@.@..b......
0x0020   bed8 06b5 0035 0027 5cbf 215f 0100 0001        .....5.'\.!_....
0x0030   0000 0000 0000 0364 6331 0369 6261 056c        .......dc1.iba.l
0x0040   6f63 616c 0000 0100 01                         ocal.....

2019-09-09 14:59:39.713159 port3 in 172.16.190.216.53 -> 172.16.190.1.1717: udp 47
0x0000   0000 0000 0001 0050 5010 6801 0800 4500        .......PP.h...E.
0x0010   004b 1adb 0000 8011 4acc ac10 bed8 ac10        .K......J.......
0x0020   be01 0035 06b5 0037 cbe4 215f 8580 0001        ...5...7..!_....
0x0030   0001 0000 0000 0364 6331 0369 6261 056c        .......dc1.iba.l
0x0040   6f63 616c 0000 0100 01c0 0c00 0100 0100        ocal............
0x0050   000e 1000 04ac 10be d8                         .........

2019-09-09 14:59:39.713232 port4 out 172.16.191.1.53 -> 172.16.191.210.54337: udp 47
0x0000   0000 0000 0000 0050 5013 6304 0800 4500        .......PP.c...E.
0x0010   004b 5c55 4000 4011 0758 ac10 bf01 ac10        .K\U@.@..X......
0x0020   bfd2 0035 d441 0037 fc5d 215f 8580 0001        ...5.A.7.]!_....
0x0030   0001 0000 0000 0364 6331 0369 6261 056c        .......dc1.iba.l
0x0040   6f63 616c 0000 0100 01c0 0c00 0100 0100        ocal............
0x0050   000e 1000 04ac 10be d8                         .........
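Rather than reading the hex by hand, the DNS payloads of the first three frames above can be decoded to confirm what the FortiGate relayed. The following Python script is an added example (not part of the original article and not FortiOS code); it embeds the bytes copied from the capture starting at offset 0x2a (after the 14-byte Ethernet, 20-byte IP and 8-byte UDP headers) and checks that the forwarded query is byte-identical to the client's query, that transaction ID 0x215f is preserved on the reply, and that the forwarder answered dc1.iba.local with 172.16.190.216:

```python
import struct

# DNS payloads (offset 0x2a onward) of frames 1 to 3 in the capture above.
CLIENT_QUERY = bytes.fromhex(      # port4 in, 172.16.191.210 -> 172.16.191.1
    "215f01000001000000000000" "0364633103696261056c6f63616c00" "00010001")
FORWARDED_QUERY = bytes.fromhex(   # port3 out, 172.16.190.1 -> 172.16.190.216
    "215f01000001000000000000" "0364633103696261056c6f63616c00" "00010001")
FORWARDER_REPLY = bytes.fromhex(   # port3 in, 172.16.190.216 -> 172.16.190.1
    "215f85800001000100000000" "0364633103696261056c6f63616c00" "00010001"
    "c00c000100010000" "0e100004ac10bed8")

def read_name(msg, off):
    """Read a DNS name at off, following RFC 1035 compression pointers."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # pointer: 14-bit offset follows
            end = off + 2 if end is None else end
            off = ((length & 0x3F) << 8) | msg[off + 1]
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (off if end is None else end)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length

def parse_dns(msg):
    """Return id, flag bits, questions and answers (A records as dotted quads)."""
    tid, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        questions.append((name,) + struct.unpack("!HH", msg[off:off + 4]))
        off += 4
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == 1 and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"id": tid, "is_response": bool(flags & 0x8000),
            "authoritative": bool(flags & 0x0400), "rcode": flags & 0xF,
            "questions": questions, "answers": answers}

def check_forwarding():
    """Was the query relayed unchanged, and what did the forwarder answer?"""
    q, r = parse_dns(CLIENT_QUERY), parse_dns(FORWARDER_REPLY)
    return (FORWARDED_QUERY == CLIENT_QUERY, q["id"] == r["id"] == 0x215F,
            q["questions"][0][0], r["answers"][0][3])
```

The reply carries the AA flag (0x8580), i.e. the forwarder answered authoritatively for iba.local, with a 3600-second TTL.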

 

In the next output sample, the DNS client queries for FQDNs that do not match the FortiGate's local DNS database entries, so the FortiGate queries the system DNS servers to resolve them:


diagnose sniffer packet any 'udp and port 53' 6 0 l

2019-09-09 15:10:09.131101 port4 in 172.16.191.210.62976 -> 172.16.191.1.53: udp 28
0x0000   0000 0000 0001 0050 5004 6802 0800 4500        .......PP.h...E.
0x0010   0038 1baf 0000 8011 4811 ac10 bfd2 ac10        .8......H.......
0x0020   bf01 f600 0035 0024 1258 74ed 0100 0001        .....5.$.Xt.....
0x0030   0000 0000 0000 0766 6374 6172 617a 026b        .......fctaraz.k
0x0040   7a00 0001 0001                                 z.....

2019-09-09 15:10:09.131373 port1 out 10.109.19.83.4128 -> 1.1.1.1.53: udp 28
0x0000   0000 0000 0000 0050 5013 6301 0800 4500        .......PP.c...E.
0x0010   0038 3ee5 4000 4011 dc0e 0a6d 1353 0101        .8>.@.@....m.S..
0x0020   0101 1020 0035 0024 af6c 74ed 0100 0001        .....5.$.lt.....
0x0030   0000 0000 0000 0766 6374 6172 617a 026b        .......fctaraz.k
0x0040   7a00 0001 0001                                 z.....

2019-09-09 15:10:09.158692 port4 in 172.16.191.210.62976 -> 172.16.191.1.53: udp 28
0x0000   0000 0000 0001 0050 5004 6802 0800 4500        .......PP.h...E.
0x0010   0038 1bb0 0000 8011 4810 ac10 bfd2 ac10        .8......H.......
0x0020   bf01 f600 0035 0024 1258 74ed 0100 0001        .....5.$.Xt.....
0x0030   0000 0000 0000 0766 6374 6172 617a 026b        .......fctaraz.k
0x0040   7a00 0001 0001                                 z.....

2019-09-09 15:10:09.188096 port1 in 1.1.1.1.53 -> 10.109.19.83.4128: udp 44
0x0000   0000 0000 0001 0009 0f09 c723 0800 4500        ...........#..E.
0x0010   0048 3f9a 4000 3a11 e149 0101 0101 0a6d        .H?.@.:..I.....m
0x0020   1353 0035 1020 0034 9f97 74ed 8180 0001        .S.5...4..t.....
0x0030   0001 0000 0000 0766 6374 6172 617a 026b        .......fctaraz.k
0x0040   7a00 0001 0001 c00c 0001 0001 0000 0e10        z...............
0x0050   0004 b962 07ae                                 ...b..

2019-09-09 15:10:09.188197 port4 out 172.16.191.1.53 -> 172.16.191.210.62976: udp 44
0x0000   0000 0000 0000 0050 5013 6304 0800 4500        .......PP.c...E.
0x0010   0048 44e5 4000 4011 1ecb ac10 bf01 ac10        .HD.@.@.........
0x0020   bfd2 0035 f600 0034 0283 74ed 8180 0001        ...5...4..t.....
0x0030   0001 0000 0000 0766 6374 6172 617a 026b        .......fctaraz.k
0x0040   7a00 0001 0001 c00c 0001 0001 0000 0e10        z...............
0x0050   0004 b962 07ae                                 ...b..

 

Behavior when multiple DNS forwarders are configured:

When multiple DNS forwarders are configured, they will be utilized in the following order:

  1. FortiGate will first check its DNS cache. If a valid cached entry is found, then it will be used to answer the query.
  2. FortiGate will forward the DNS query to the first configured forwarder if no cache entry is found.
    DNS forwarding will only occur if no cache entry exists for the queried domain. IPv6 queries may still be forwarded to the server if only an IPv4 cache entry is available.
  3. If the first server does not respond within 5 seconds, then the FortiGate will forward the query to the second server and will also mark the first server as non-responsive for a 5-second timer.
  4. Once the timeout expires, FortiGate will attempt to forward DNS queries to the first server again. FortiGate does not monitor or actively probe the health status of servers.
  5. This failover mechanism applies to subsequent servers. For example, if the second server does not respond within 5 seconds, FortiGate will forward the query to the third server.
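The matching rule described under Domain Name earlier in this article and the forwarder order listed in this section can be modelled together. The following Python is an added example, not FortiOS code: it assumes that the most specific matching DNS database entry wins when several match a query, models the non-responsive marker per database entry, and uses a single system DNS server for non-matching names; the network (send) and the clock (now) are injected so the 5-second timer can be exercised without waiting.

```python
from dataclasses import dataclass, field

TIMEOUT = 5.0   # seconds: the non-responsive timer stated on this page

@dataclass
class Zone:
    """One 'config system dns-database' entry."""
    domain: str                      # Domain Name
    forwarders: list                 # DNS Forwarder list, in configured order
    authoritative: bool = False
    records: dict = field(default_factory=dict)     # local entries, name -> IP
    down_until: dict = field(default_factory=dict)  # forwarder -> retry time (assumed per entry)

def match_zone(qname, zones):
    """Most specific entry whose Domain Name equals qname or is a suffix of it:
    'dc1.iba.local' matches 'dc1.iba.local' and 'iba.local' (longest wins),
    'web.iba.local' matches only 'iba.local'."""
    q, best = qname.rstrip(".").lower(), None
    for z in zones:
        d = z.domain.rstrip(".").lower()
        if q != d and not q.endswith("." + d):
            continue
        if best is None or len(d) > len(best.domain):
            best = z
    return best

def resolve(qname, zones, system_dns, cache, send, now):
    """send(server, name) -> answer, or None when the server does not reply
    within TIMEOUT; now() -> seconds. Returns (answer, where it came from)."""
    key = qname.rstrip(".").lower()
    if key in cache:                                  # step 1: cache first
        return cache[key], "cache"
    zone = match_zone(key, zones)
    if zone is None:                                  # no entry: system DNS
        return send(system_dns, key), system_dns
    if key in zone.records:                           # local override entry
        return zone.records[key], "local"
    if zone.authoritative:                            # never forwarded
        return "NXDOMAIN", "local"
    for fwd in zone.forwarders:                       # steps 2-5: in order
        if zone.down_until.get(fwd, 0.0) > now():
            continue                                  # marked non-responsive
        answer = send(fwd, key)
        if answer is not None:
            cache[key] = answer
            return answer, fwd
        zone.down_until[fwd] = now() + TIMEOUT        # retry after the timer
    return None, None
```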

Note: If the device is FortiProxy, conditional DNS forwarding is supported only from version 7.6.x onward, using a DNS filter profile along with SaaS application DNS forwarding.