JPMfg
Visitor III
April 6, 2018
Question

DNS-database unable to add a root zone

  • April 6, 2018
  • 1 reply
  • 7580 views

Hi,

 

For certain reasons we would like the FortiGate built-in DNS server to send negative answers (NXDOMAIN) for all queries.

The easiest way to do that on any BIND/Windows DNS server is to have a master zone for the root zone (".") without any records.

 

The FortiGate config, however, does not allow me to create a zone with the otherwise perfectly valid domain name "." (IETF Internet Standard STD 13, RFC 1034/1035).

 

The error is "domain name is not a valid dns name" and "node_check_object fail! for domain ." for >>set domain "."<< in a dns-database entry.

 

Is this a bug? Do we need to open a support ticket?

 

There are about 1500 TLDs currently assigned by IANA; it would not be feasible to create DNS database entries for each of them individually, so we must be able to configure the root zone directly!
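Added example (not part of the original post, and not FortiOS or BIND code): a minimal UDP responder that behaves like the empty authoritative root zone described above. It answers every query with RCODE 3 (NXDOMAIN), the AA bit set, RA clear, and a root SOA in the authority section so that clients can negative-cache the answer (RFC 2308) instead of timing out or getting SERVFAIL. The SOA names ns.invalid. and hostmaster.invalid. and the serial are placeholders.

```python
"""Minimal authoritative 'empty root zone' responder: NXDOMAIN for every query."""
import socket
import struct

SOA_MNAME = "ns.invalid."          # placeholder primary name server (assumption)
SOA_RNAME = "hostmaster.invalid."  # placeholder contact mailbox (assumption)
NEGATIVE_TTL = 3600                # SOA minimum: how long resolvers may cache the NXDOMAIN


def encode_name(name: str) -> bytes:
    """Wire-encode a dotted name; "." (the root) encodes as a single zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg: bytes, offset: int):
    """Decode a wire-format name at offset; returns (dotted name, offset after it)."""
    labels = []
    while True:
        length = msg[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0 == 0xC0:  # compression pointer: follow it, then stop
            ptr = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            tail = decode_name(msg, ptr)[0].rstrip(".")
            if tail:
                labels.append(tail)
            offset += 2
            break
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", offset


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a standard recursive-desired query (RD=1) for qname; qtype 1 = A."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def build_nxdomain_response(query: bytes) -> bytes:
    """Answer any single-question query with an authoritative NXDOMAIN.

    Flags: QR=1, AA=1, RA=0 (no recursion offered), RCODE=3. The authority
    section carries a root SOA so resolvers can negative-cache the answer.
    """
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    _, off = decode_name(query, 12)
    question = query[12:off + 4]                       # QNAME + QTYPE + QCLASS, echoed back
    opcode = flags & 0x7800
    rd = flags & 0x0100
    rflags = 0x8000 | opcode | 0x0400 | rd | 0x0003    # QR | opcode | AA | RD | RCODE=3
    soa_rdata = (encode_name(SOA_MNAME) + encode_name(SOA_RNAME)
                 + struct.pack("!IIIII", 2018040601, 3600, 900, 604800, NEGATIVE_TTL))
    authority = (encode_name(".")                                          # owner: the root
                 + struct.pack("!HHIH", 6, 1, NEGATIVE_TTL, len(soa_rdata))  # SOA, IN, TTL
                 + soa_rdata)
    header = struct.pack("!HHHHHH", txid, rflags, 1, 0, 1, 0)
    return header + question + authority


def parse_response(resp: bytes) -> dict:
    """Extract the fields a client checks to tell NXDOMAIN from SERVFAIL/timeout."""
    txid, flags, _, ancount, nscount, _ = struct.unpack("!HHHHHH", resp[:12])
    qname, off = decode_name(resp, 12)
    authority_owner = decode_name(resp, off + 4)[0] if nscount else None
    return {"id": txid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "ra": bool(flags & 0x0080), "rcode": flags & 0x000F, "qname": qname,
            "ancount": ancount, "nscount": nscount, "authority_owner": authority_owner}


def serve(bind_addr: str = "127.0.0.1", port: int = 5353) -> None:
    """Listen on UDP and hand every query to build_nxdomain_response."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        data, peer = sock.recvfrom(512)
        try:
            sock.sendto(build_nxdomain_response(data), peer)
        except (ValueError, IndexError):
            continue  # malformed packet: drop it rather than crash the responder


if __name__ == "__main__":
    serve()
```

Run it and query with `dig @127.0.0.1 -p 5353 nosuch_mydomain.nosuch_tld`: the status should read NXDOMAIN with flags qr aa (no ra) and one record in the AUTHORITY section, which is the behaviour an empty root zone on BIND gives and a missing or broken forwarder does not.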

    1 reply

    emnoc
    New Member
    April 6, 2018

Why? Shouldn't we be doing some sort of negative caching, or using a DNS forwarder?

     

IMHO the root DNS server should be the actual root DNS server, not a manipulation of such.

     

So if someone asks for nosuch_mydomain.nosuch_tld, we cache a negative response.

     

    Ken

     

    JPMfg (Author)
    Visitor III
    April 10, 2018

    The reason is actually pretty simple:

    1.) The FortiGate is the only device on site (apart from dumb layer-2 switches).

    2.) We need an authoritative DNS server that MUST respond with NXDOMAIN negative answers and not just timeouts or SERVFAIL errors (as would be the case with no or incorrect forwarders configured on the FortiGate).

    3.) It is simple in FortiOS to configure an authoritative empty zone for top-level domains (.com, .net etc.), but IANA decided to open up the bloody root for everyone with money, so we now have 1600 top-level domains.

    The config parser, however, refuses to accept the root zone itself. This is probably not a limitation of the name server itself, because every other resolver software supports having an authoritative root zone configured.

    4.) The FortiGate VDOM in question must not be able to resolve via any forwarder or recursively.

     

    Currently the workaround would be to configure 1600 top-level zones.
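Added example (not from the original post and not Fortinet code): a small generator for the per-TLD workaround above, which emits one empty authoritative master zone per TLD as a `config system dns-database` block you can paste into the CLI. The input format mirrors IANA's published list (https://data.iana.org/TLD/tlds-alpha-by-domain.txt), but the list embedded here is a constructed four-entry sample. The FortiOS keywords used (`set domain`, `set type master`, `set view shadow`, `set authoritative enable`) are assumed from memory of the FortiOS CLI of this era; check them against your firmware's CLI reference before use.

```python
"""Generate FortiOS dns-database entries: one empty authoritative zone per TLD."""

# Constructed sample in the shape of IANA's tlds-alpha-by-domain.txt:
# a '#' header line, then one upper-case TLD per line (the real file has ~1500).
SAMPLE_TLD_LIST = """# Version 2018040600 (constructed sample header)
COM
NET
ORG
XN--P1AI
"""


def parse_tld_list(text: str) -> list:
    """Return lower-case TLDs, skipping the '#' header and blank lines."""
    tlds = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tlds.append(line.lower())
    return tlds


def fortios_empty_zones(tlds, view: str = "shadow") -> str:
    """Emit a 'config system dns-database' block with an empty master zone per TLD.

    Keywords are assumed FortiOS CLI syntax: 'view shadow' serves the zone only
    to this FortiGate's DNS clients, 'authoritative enable' makes the FortiGate
    answer for the zone itself instead of forwarding. Because no records are
    added, every name under each TLD gets a negative answer.
    """
    lines = ["config system dns-database"]
    for tld in tlds:
        lines += [
            f'    edit "{tld}"',
            f'        set domain "{tld}"',
            "        set type master",
            f"        set view {view}",
            "        set authoritative enable",
            "    next",
        ]
    lines.append("end")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(fortios_empty_zones(parse_tld_list(SAMPLE_TLD_LIST)))
```

With the real IANA file as input this produces on the order of 1500 `edit` stanzas, which is the scale the thread is objecting to; it is a stopgap until the root zone itself is accepted.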

    emnoc
    New Member
    April 10, 2018

    Currently the workaround would be to configure 1600 top level zones.

     

    You know that will not work out in the end; I believe dot-com has like 100+ million zones, and that 1600 for TLDs you quoted is well over 5k.

     

    Why can't the FortiGate just answer with nothing? Or the standard NXDOMAIN? If you do a lookup of mydomainisnotreallycorrect.notld, what does the DNS server respond with?

     

    Trying to chase TLDs is going to be fruitless ;)

     

    YMMV