keenenick
New Member
November 28, 2018
Solved

Redirect Google DNS

  • November 28, 2018
  • 1 reply
  • 13016 views

Hi all,

I know this is a fairly common question on this forum but I haven't as of yet come across a definitive answer that works for me. I am hoping someone with more knowledge and experience can assist me.

My environment is as follows:

Fortiwifi 60E - 6.0.3 in Flow-based with profile-based in the settings.

I have a number of devices with hardcoded DNS servers.

I would like to be able to redirect DNS requests to my own internal DNS servers. I would particularly like to redirect requests to Google's DNS servers to ones of my own choosing. I have previously managed to do this with a pfSense firewall, Untangle NGFW as well as Mikrotiks and Ubiquiti Routers. I can't seem to figure it out with FortiOS. The way I would typically achieve this is destination NATing (similar to port forwarding) but this doesn't work as expected in FortiOS.

I have tried the following forum suggestions as well:

https://forum.fortinet.co...&high=redirect+dns

https://forum.fortinet.co...&high=redirect+dns

I am quite new to Fortigate devices and their way of doing things and would appreciate any help offered. Preferably explained as simply as possible.

Thanks again.

Nick
    Best answer by ede_pfau


    blackhole_route
    New Member
    November 29, 2018

    If I understand what you want to do correctly, I haven't yet found a way to configure the Fortigate to do this.

    It sounds like what you want to do is match traffic that is initiated from inside your network that is destined to any destination IP with a dest port of udp/53, and D-NAT that traffic to a destination IP address of your choosing on udp/53.

    If this is achievable, I am most interested, more for NTP than DNS, but the same use case in principle.

    ede_pfau
    SuperUser (Best answer)
    November 29, 2018

    For traffic from LAN a simple VIP should do.

    Create a 'Virtual IP', with 'external addr' as 8.8.8.8, and 'mapped to' some other DNS on the 'net. Interface is 'internal'.

    Then create a policy from 'internal' to 'wan', from 'address of internal LAN' to that VIP (use the VIP, not an ordinary address object!). Set service to 'DNS' (and maybe 'PING' as well). Check 'NAT'! as this is an outbound policy.

    This will redirect all requests to Google DNS to the other DNS.

    This will only work if the replacement server is found on the same interface as Google DNS, i.e. on the WAN side. If you want to redirect to a different interface ('internal' or 'dmz') then you will have to use a Policy Route plus VIP. Frankly, I haven't tested yet if that is possible.

    If you cannot specify the destination address in the PR then have a look at the Central NAT table (feature needs to be enabled first). Using this table you can NAT (DNAT in this case) without working on single policies.
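    The GUI steps in the answer above, written out as FortiOS 6.0 CLI. This is an added illustration, not configuration from the thread or from Fortinet; the interface names "internal" and "wan1", the VIP, group and policy names, and the replacement resolver 192.0.2.53 (an RFC 5737 documentation address) are assumptions to be replaced with the site's own values. It goes one step further than the answer by also catching Google's second resolver, 8.8.4.4, through a VIP group so that a single policy references both. The lines starting with # are annotations; drop them when pasting into the CLI.

```fortios
# Added example, not from the thread. Assumed: LAN interface "internal",
# WAN interface "wan1", replacement resolver 192.0.2.53 reachable on the WAN side.

# One VIP per hard-coded resolver address. Without port forwarding the VIP
# rewrites every protocol to that address; the policy's service list limits it.
config firewall vip
    edit "vip-google-dns-1"
        set extip 8.8.8.8
        set extintf "internal"
        set mappedip "192.0.2.53"
    next
    edit "vip-google-dns-2"
        set extip 8.8.4.4
        set extintf "internal"
        set mappedip "192.0.2.53"
    next
end

# Group the two VIPs so a single policy can reference both.
config firewall vipgrp
    edit "vipgrp-google-dns"
        set interface "internal"
        set member "vip-google-dns-1" "vip-google-dns-2"
    next
end

# Outbound policy. The destination must be the VIP group, not an address
# object, or the DNAT never happens. The built-in "DNS" service covers
# tcp/53 and udp/53; "PING" is optional, as in the answer. NAT is enabled
# because this is an outbound policy; logging lets you confirm the hits.
config firewall policy
    edit 0
        set name "redirect-google-dns"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "vipgrp-google-dns"
        set action accept
        set schedule "always"
        set service "DNS" "PING"
        set nat enable
        set logtraffic all
    next
end
```

    Confirm the redirect with the policy's traffic log or with `diagnose debug flow`, which is what the later reply in this thread uses: a query from a LAN host to 8.8.8.8 should show the policy above and a destination rewritten to 192.0.2.53. Keep in mind what this does not cover: the VIPs match only the listed addresses, so a device that falls back to some other resolver, or that speaks DNS over TLS (tcp/853) or DNS over HTTPS, is not redirected and would need a separate deny policy or further VIPs. As the answer notes, the mapped server has to sit on the same side as the original destination (the WAN side here) for a plain VIP to work.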

    blackhole_route
    New Member
    November 30, 2018

    Thanks Ede - this can take care of the larger/well known instance (such as 8.8.8.8). And, in my testing, the policy route is not needed - at least with central NAT table enabled.

    I have tested with and without central NAT table (we use central SNAT more than traditional VIP configuration), and again this evening, I cannot find a way to configure a VIP in central NAT table where I need to match on any destination IP, specific protocol and port, DNAT'ing to a specific IP and same destination port. In all the configurations I've tried, I have not been able to get a match on the VIP in diag debug flow.

    To explain a bit further, the scenario is to redirect all NTP and DNS queries to our own internal servers providing those functions. So, for example, we can provide the required service needed by inflexibly designed products that have hard coded NTP and DNS settings (yes, I mean Google Chromebooks and Meraki devices for example), without having to open up access to chunks of internet address space.

    Edited to add: the following is what I think logically could work, but the flow doesn't match the VIP.

    config firewall vip
        edit "ntp-dnat"
            set id 10
            set uuid e53dca1a-d705-51e7-6fc6-e9eb1ee757c6
            set comment ''
            set type static-nat
            set extip 0.0.0.0
            set extintf "trust-lan"
            set arp-reply disable
            set nat-source-vip disable
            set portforward enable
            set gratuitous-arp-interval 0
            set color 0
            set mappedip "192.168.105.14"
            set protocol udp
            set extport 123
            set mappedport 123
            set portmapping-type m-to-n
        next
    end