rgala
Visitor III
December 10, 2022
Question

DNS server for guest network


Hi,

I have this scenario:

Company network, FortiGate as an NGFW.
`config system dns` points to the internal Active Directory DNS servers.

There is a visitor network for which I would like to use the FortiGate as the DNS server in the DHCP offer.

With appropriate firewall policies I am able to block access from visitor network to internal networks.

But I also want visitors to be unable to resolve internal hostnames and addresses.

Is there a way to achieve this?


3 replies

vusal_d
New Member
December 10, 2022

Hello

Just create a few VLANs for each network

seaoptimusprimeolive
New Member
December 15, 2022

You should just point your visitors' DNS to your ISP's DNS (or any DNS really, who cares). There is no way to block them from resolving IP addresses if you let them access your DNS, and if there is any DNS vulnerability then it is a possible attack vector from one system to another.

Don't forget that if the port is open to your domain DNS then they can still use NSLOOKUP to resolve internal names, so you should not even have any ports open to your internal network, including DNS.

sw2090
SuperUser
December 16, 2022

To be able to resolve internal hostnames you would have to configure the DHCP server on that interface to offer the system DNS servers (as you wrote, they are set to your internal AD DNS).

That may also mean that you will have to allow clients in your visitor network to access your AD DNS with the service DNS (53/UDP).

The less elegant way would be to create a DNS database on the FGT and enter all the internal hostnames there. Then create a recursive DNS forwarder on the visitor net interface which uses some external DNS as forwarder. Then set the DHCP to offer the interface IP as DNS.
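The approach from the second reply (hand visitors an external resolver and block everything from the guest network into the internal one), written out as an added FortiOS CLI example; it is not part of this thread, and the interface names, addresses and the resolver 192.0.2.53 are assumed placeholders.

```fortios
# Added example (not from the thread): FortiOS CLI for a guest network
# whose clients never receive, and cannot reach, the internal AD DNS servers.
# Assumed names/addresses: guest interface "guest" (10.99.0.1/24), internal
# interface "lan", and a placeholder public resolver 192.0.2.53.

# 1. DHCP on the guest interface hands out an explicit external resolver.
#    "dns-service specify" is used instead of "local": with "local" the
#    FortiGate offers its own interface IP and, in the scenario above,
#    would forward guest queries to the system DNS servers, i.e. the AD DNS.
config system dhcp-server
    edit 10
        set interface "guest"
        set default-gateway 10.99.0.1
        set netmask 255.255.255.0
        set dns-service specify
        set dns-server1 192.0.2.53
        config ip-range
            edit 1
                set start-ip 10.99.0.100
                set end-ip 10.99.0.200
            next
        end
    next
end

# 2. Explicit, logged deny from guest to the internal interface. Policies
#    match top-down, so this entry must sit above any permit rule that
#    could otherwise match guest traffic. Service "ALL" includes 53/UDP
#    and 53/TCP, so an nslookup from a guest client against the AD DNS
#    times out instead of answering, and the attempt shows up in the logs.
config firewall policy
    edit 0
        set name "guest-deny-internal"
        set srcintf "guest"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

Guest-to-Internet traffic still needs its own permit policy with `srcintf "guest"` and the WAN interface as `dstintf`; the deny above only covers the path into the internal network.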