lmuir
New Member
July 6, 2011
Question

DNS Server Conditional Forward

Hi, I had a client's head office go down due to environmental issues and the remote offices could no longer resolve DNS. The client wants the remote office's PCs to be able to still browse the internet if head office goes down. Can the FGT do conditional forwarding for the AD domain, as in any requests for domain.local forward to DC? If not, any ideas how I could get it to work? You can't simply add an external DNS server as the second server because of how Windows treats DNS servers. Windows will fail over to the second DNS server but will not fail back until it can't resolve addresses using the second DNS server.

    4 replies

    ede_pfau
    SuperUser
    July 6, 2011
    Just an idea: configure a local DNS on the FGT. Specify this as secondary DNS on all hosts. To fail back, simply disable the FGT DNS for a while. As an alternative: use the local FGT DNS as primary, with forwarding to the external (ISP) DNS for all hosts not resolved. This should be more responsive for your local hosts anyway. DNS is not really laid out for failover operation. Some implementations will only try the secondary DNS after a 20-second timeout on the primary. Then browsing can be trying on your patience.
    emnoc
    New Member
    July 6, 2011
    Can you stand up 2x local DNS servers that are cache-only with a forwarder to the primary authoritative DNS servers for *.yourdomain@xyz? This way you can resolve if the headend is down, and even have speedier DNS lookups, since the cache-only server/forwarder is sitting on the wire locally & independent of the firewall. Next question: does FortiGate even support BIND-type DNS forwarding directly? (I guess that's what the conditional forward question you asked is about.)
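The cache-only forwarder emnoc describes, written out as an unbound configuration for a branch-office box (an added example, not from the thread or from Fortinet; the DC, ISP resolver and LAN addresses are placeholders). Only the AD zone and its reverse zone go to the head-office DC; everything else goes to the ISP, so internal names are never leaked upstream and internet browsing keeps working when the DC is unreachable.

```conf
# unbound.conf for a branch-office cache-only resolver (added example)
# Placeholders, not from the thread:
#   192.0.2.10     = head-office DC (authoritative for domain.local)
#   198.51.100.53  = ISP resolver
#   10.20.0.0/24   = branch LAN
server:
    interface: 0.0.0.0
    # Only the branch LAN may query: keeps this from being an open resolver
    access-control: 10.20.0.0/24 allow
    access-control: 0.0.0.0/0 refuse
    # AD answers carry RFC1918 addresses; without this, unbound's
    # DNS-rebinding protection would drop them
    private-domain: "domain.local"
    # Keep already-cached AD records answerable for an hour after
    # the DC stops responding, instead of returning SERVFAIL at once
    serve-expired: yes
    serve-expired-ttl: 3600

# Conditional forward: the AD zone and its reverse zone to the DC only.
# unbound picks the most specific forward-zone, so these win over ".".
forward-zone:
    name: "domain.local"
    forward-addr: 192.0.2.10

forward-zone:
    name: "20.10.in-addr.arpa"
    forward-addr: 192.0.2.10

# Everything else goes to the ISP resolver, which stays reachable
# when the head-office link is down
forward-zone:
    name: "."
    forward-addr: 198.51.100.53
```

Check the file with `unbound-checkconf`, then confirm the split with `dig @127.0.0.1 dc1.domain.local` (answered via the DC) and `dig @127.0.0.1 example.com` (answered via the ISP); the second query should still succeed with the DC address blackholed.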
    lmuir (Author)
    New Member
    July 6, 2011
    Ah-ha, so inspired by larger customers, I thought why not make Load Balance a pseudo-anycast setup. Turns out, if you set up a weighted load balance and give the AD DNS the priority, and external DNS servers lower priority (in my case, I pointed it back to the FGT's internal IP), it works like a charm.
    veechee
    New Member
    July 7, 2011
    lmuir, would you mind posting more details about how you did this? I have a satellite office with a read-only DC installed, but I'm intrigued by what you describe because I could load balance to the head office DC in case that server was down.