Tutek_OLD
New Member
April 24, 2021
Solved

Fortigate DNS with domain DNS correct configuration

  • April 24, 2021
  • 1 reply
  • 32315 views

Hello,

How should the FortiGate DNS setting be configured when there is a central AD DNS server in the network? All PCs get DNS from the AD DNS server, so I configured the FortiGate DNS to point to the AD DNS server, and on the domain DNS server I configured a forwarder to 8.8.8.8 - is this good?

I thought of configuring it a different way, I mean, pointing the AD DNS forwarder to the FortiGate IP and setting any public DNS servers on the FortiGate, but I couldn't get it to work; I had no internet. I don't know how to configure an IPv4 policy from the AD DNS server to the FortiGate itself, and without that, as I said, none of my computers had internet access.

Please advise me, thanks.

Best answer by MikePruett

I would personally make FortiGates (and any other devices that require DNS) to utilize internal DNS Servers. Let those internal DNS servers then forward out to Google, Cloudflare, or whatever external DNS service of your choice.

1 reply

Yurisk
SuperUser
April 25, 2021

Settings vary according to the network's needs and requirements. The most frequent setup is that local hosts are pointed to AD as DNS, while the FortiGate has Google/FortiGuard/local ISP as DNS servers, and the security policy allows just AD to go out on DNS ports.

The setups you tried seem to me overly complex, without any benefit to the network or users.
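The setup Yurisk describes (and the variant MikePruett recommends), written out as FortiOS CLI. This is an added example, not configuration posted by anyone in the thread. Interface names "internal" and "wan1", the AD DNS server address 192.0.2.10 and the resolvers 8.8.8.8 / 1.1.1.1 are constructed placeholders; the forwarder from AD DNS to the public resolvers is configured on the Windows DNS server and is not shown here.

```fortios
# Added example (not from the thread): FortiOS CLI for the setup Yurisk describes.
# Assumed/constructed values: LAN interface "internal", WAN interface "wan1",
# AD DNS server 192.0.2.10 (RFC 5737 documentation range), public resolvers
# 8.8.8.8 and 1.1.1.1. Replace them with your own interface names and addresses.

# 1. The FortiGate itself resolves via public DNS (Yurisk's variant).
#    For MikePruett's variant, set primary/secondary to the AD DNS server(s)
#    instead, so the FortiGate can also resolve internal names.
config system dns
    set primary 8.8.8.8
    set secondary 1.1.1.1
end

# 2. Address object for the AD DNS server, the only internal host that is
#    allowed to query external resolvers.
config firewall address
    edit "AD-DNS-Server"
        set subnet 192.0.2.10 255.255.255.255
    next
end

# 3. Policy permitting only the AD DNS server outbound on DNS ports.
#    "DNS" is a predefined FortiOS service (TCP/UDP 53). "edit 0" creates a
#    new policy with the next free ID and appends it to the end of the list.
config firewall policy
    edit 0
        set name "Allow-AD-DNS-Out"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "AD-DNS-Server"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "DNS"
        set nat enable
        set logtraffic all
    next
end

# 4. Explicit, logged deny for any other internal host sending DNS directly
#    to the internet, so clients cannot bypass the AD resolver. Logging it
#    gives visibility into misconfigured or rogue clients.
config firewall policy
    edit 0
        set name "Deny-Direct-DNS-Out"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "DNS"
        set logtraffic all
    next
end
```

Policy order matters: FortiOS evaluates policies top-down and the first match wins, so both DNS policies must sit above any broad "internal to wan1, all services" allow rule (use `move <id> before <id>` inside `config firewall policy`, or drag them in the GUI), otherwise the general rule matches first and the deny never takes effect. The deny rule only catches plain port-53 DNS; clients using DNS over HTTPS reach resolvers on TCP 443 and need web filtering or an application control profile to be blocked.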


Tutek_OLD (Author)
New Member
April 25, 2021

OK, so in your first suggestion you then set any public DNS service, like Google or Cloudflare, as forwarders in AD DNS?

But what about the case when the FortiGate needs to resolve internal domain hostnames, like email servers or SMS gateways? With your first suggestion, internal domain hostnames won't be resolved.

Yurisk
SuperUser
April 25, 2021

Tutek wrote:

But what about the case when the FortiGate needs to resolve internal domain hostnames, like email servers or SMS gateways? With your first suggestion, internal domain hostnames won't be resolved.

That is one of the reasons NOT to use internal names of resources in a firewall: use IP addresses only.