ianwatts
New Member
April 24, 2017
Solved

DNS Server and local domain

  • April 24, 2017
  • 1 reply
  • 43796 views

I have a hub-and-spoke topology, 25 remote sites with site VPNs.

Objective:

I want to leverage DNS Server on the FGT 60D units to respond to client DNS queries, putting less dependence on the main site and that VPN for resolution. Some sites have RODCs (Windows), others do not. Thus, some have an option for split-DNS to a local host, but others rely on a full DC back at the main site. I also want to leave the System DNS set to FortiGuard and do want external lookups to use that.

So...

Can I add my local interfaces to forward to System DNS (which in turn are the FortiGuard DNS servers), "and" have normal forwarding for the local domain to either the local server or a remote server over the VPN? Or, better, can I have a zone transfer as a secondary?

I haven't seen a config example which will do "all of that" yet. I'm having mixed results trying to get something configured myself. The last attempt was an AXFR from my remote DC caught in Wireshark and a long list of cached info, but nslookup from a local client returns non-existent domain. nslookup was run against the interface address (a VLAN off of internal).

And, of course, I can nslookup a domain host from that remote DNS host just fine, so the VPN/route is fine.

Can it be done?

    Best answer by Baptiste

    ianwatts wrote:

    Baptiste wrote:

    - configure for each interface a resolution mode (recursive,...)

    I would not expect a recursive DNS server to use the System DNS settings (infers a forwarder), would it? I "want" external lookups to leverage the FortiCloud DNS hosts as set on System DNS. Can I have both internal lookups via my internal DNS host "and" external lookups via FortiCloud DNS?

    If you set up a slave zone for yourdomain.local and set a given interface to recursive DNS:

      • you will be able to resolve your internal names, dc1.yourdomain.local and so on
      • external host name resolution will be sent to your system DNS (FortiGuard in your case)
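The configuration the accepted answer describes, written out as a FortiOS CLI example. This is an added example, not configuration posted in the thread or taken from Fortinet documentation; it assumes an internal VLAN interface named "vlan10", the zone yourdomain.local from the answer, a Windows DC holding that zone at 10.0.0.10 (reachable over the site VPN), and the FortiGuard DNS addresses 208.91.112.53/52 as the System DNS.

```text
# Added example for this thread, not from the original posts.
# Assumed names: interface "vlan10", zone yourdomain.local, DC at 10.0.0.10.

# 1. System DNS stays on FortiGuard. An interface in recursive mode sends
#    every query it is not authoritative for to these servers.
config system dns
    set primary 208.91.112.53
    set secondary 208.91.112.52
end

# 2. Serve DNS on the internal VLAN only. Do not add a WAN interface here:
#    recursive mode on a public interface makes the unit an open resolver.
config system dns-server
    edit "vlan10"
        set mode recursive
    next
end

# 3. Pull the internal zone from the DC by zone transfer (AXFR).
#    "shadow" view keeps the zone visible only to the interfaces listed
#    above; "ip-master" is named "ip-primary" on FortiOS 7.0 and later.
config system dns-database
    edit "yourdomain.local"
        set type slave
        set domain "yourdomain.local"
        set view shadow
        set ip-master 10.0.0.10
    next
end
```

Two checks worth doing before trusting it: the Windows DNS zone must allow transfers to the FortiGate's address (zone Properties, Zone Transfers tab, "Only to the following servers"), or the slave zone stays empty and clients get NXDOMAIN for internal names; and `diagnose sniffer packet any 'port 53' 4` on the FortiGate shows whether the AXFR to 10.0.0.10 is answered and whether external names go out to the FortiGuard servers. Restricting the transfer on the DC to the FortiGate's IP also keeps the zone contents from being pulled by anything else that can reach the DC.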


    Baptiste
    New Member
    April 25, 2017

    Once you have set up a DNS server on your FGT you can:

    - configure for each interface a resolution mode (recursive, ...)

    - configure a slave zone to resolve your internal hostnames

    ianwatts (Author)
    New Member
    April 25, 2017

    Baptiste wrote:

    - configure for each interface a resolution mode (recursive,...)

     

    I would not expect a recursive DNS server to use the System DNS settings (infers a forwarder), would it?  I "want" external lookups to leverage the FortiCloud DNS hosts as set on System DNS.  Can I have both internal lookups via my internal DNS host "and" external lookups via FortiCloud DNS?

    rwpatterson
    New Member
    April 25, 2017

    Couldn't you just set the forwarder on the local DNS server to FortiGuard? If the looked-up host isn't local, it will bounce to FortiGuard.