Skip to main content
ahajaj
ahajaj
New Member
December 5, 2023
Question

configure internal DNS server behind Fortigate

  • December 5, 2023
  • 3 replies
  • 5254 views

Hello,

i was looking for some advice regarding setting up local DNS server (not setting the Fortigate as DNS server/relay).

the role of this server is to resolve DNS queries for network elements (and later on maybe to be used in adjacent to AD). 

i thought to set dedicated subnet/vlan for DNS queries sent by those elements (separating DNS traffic form all other traffic) and perhaps have this network accessing the server through the Fortigate. next hop on this path would be from the DNS server to the FW to utilize the DNS filtering services from Fortiguard. 

1. i was also wondering what would be the best practice on setting up local DNS server behind a Fortigate unit?

2. is the DNS filtering services are part of the web filtering licenses? 

3. can i set the local DNS server to query the Fortiguard DNS servers directly or i need to have it query the Fortigate itself to get the full benefit of those DNS filtering mechanism.

4. would love to hear of personal experiences of such cases.

3 replies

ConnyGustavsson
ConnyGustavsson
Visitor III
December 6, 2023

Hi. Fortigate will inspect all passing DNS traffic if the DNS filter feature is enabled on policy. You do not need to use the FG as DNS server/forwarder. (Still that may be benificial, especially if internal DNS server is on other side of VPN/SD-WAN.) My view: Its very important to inspect the DNS request already when it comes from client. So client and DNS server should be on different LAN segments and traffic in between inspected. Only way to easilly find what client is trying to reach a bad site.
Nowadays browsers (like Chrome) use DNSoverHTTPS or DNSoverTLS to  resolve names on Internet; thus no DNS packets are seen and DNS filter will fail to block these requests. One way to mitigate is to use Fortigate Application Control Profiles and block these two applications I mentioned.
BR/Conny

    hbac
    Staff
    hbac
    Staff
    December 6, 2023

    Hi @ahajaj,

     

    1. Do users need to resolve internal domain names? If yes, they need to use internal DNS server and you can configure the internal DNS server to forward queries to the public DNS servers. 

    2. DNS filter and Web Filter should be part of FortiGuard URL, DNS & Video Filtering Service Entitlement. 

    3. The local DNS server can query any public DNS servers. 

     

     

    Regards, 

      ahajaj
      ahajajAuthor
      New Member
      December 12, 2023

      thank you hbac and conny for your replies. 

      the DNS server would be used for:
      1. Domain Controler for users authentications.

      2. local URL resolves for hosted servers operations.

      the current plan is to have the DNS server separated from the hosted servers and the devices that needs to authenticate by a Fortigate FW. this is a pretty straight forward solution.

      the real question are what is the better practice here, should the DNS server query for its missing records the FW itself or query a public server?
      also, if querying the FW (assuming the rate of queries would not be too high) what is the recommended filtration/security profiles to use (DNS & APP control only or also to add IPS)? 

      on the other hand, can the server query Fortilab/Fortiguard DNS servers? or only the FW can query those? if it can query the Fortilab/Fortiguard servers is it "scrubbed" information, meaning is it considered clean data?

      Terms & ConditionsAccessibility statement