TechSupport4415
New Member
November 4, 2017
Solved

Resolving internal hostnames - what is the BEST PRACTICE for DNS settings - Fortigate 60E

  • November 4, 2017
  • 1 reply
  • 66180 views

Hello,

I would like to resolve internal hostnames on my network, and I read on these forums that it would suffice to set your internal DNS as the primary DNS server on the Fortigate unit in the network configuration.

 

BUT, I would also like to have the Fortigate be the first DNS uplink for my internal DNS server, so I could use Fortiguard DNS servers to monitor and block bad hosts (malware, C&C, etc) out there.

 

So, what would be the recommended practice to have both internal hostnames correctly resolved AND funnel all DNS traffic through the Fortinet DNS service (assuming there actually is a way to do this)?

 

PLAN B: is there a way to pre-load all my internal hostnames (a la \windows\system32\drivers\etc\hosts) on my Fortigate unit? Is there an editable HOSTS file of some sort?

 

Best answer by ede_pfau

1 reply

ede_pfau
SuperUser
November 5, 2017

hi,

 

and welcome to the forums.

To make it short, I shamelessly cite from my recent post on stackexchange.com (https://networkengineering.stackexchange.com/questions/45399/fortigate-50e-conditional-forwarding/):

-----------------------------
For local name resolution you need to set up 3 things:
1- a DNS zone
2- at least one A record in that zone
3- a DNS on the interface where your internal hosts are

A zone in a nameserver is a container for name/IP pairs, the records. You create a DNS zone in config system dns-database:


config system dns-database
    edit "MyCompanyZone"
        set status enable
        set domain "mycompany.local"
        set type master
        set view shadow
        set ttl 14400
        set authoritative enable
        config dns-entry
            edit 1
                set status enable
                set type A
                set ttl 0
                set hostname "namea"
                set ip 192.168.234.10
            next
            edit 2
                set status enable
                set type A
            ...
        end
    next
end
This zone only holds records for your private hosts and thus it must be 'authoritative'! Next, the record(s). They are created in the config dns-entry section. Record type 'A' denotes a host entry. It doesn't hurt to have an additional 'NS' record with the name of your nameserver, i.e. the Fortigate. Then you set up a DNS for your hosts to use, here on the 'lan' interface:

config system dns-server
    edit "lan"
        set mode recursive
    next
end

# explanation for the mode parameter:  
# set mode
recursive        Shadow DNS database and forward.
non-recursive    Public DNS database only.
forward-only     Forward only.
As you can see, it must be in 'recursive' mode or non-local names will not be resolved. If the requested hostname is not found in the dns-database and 'recursive' is specified, the request will be forwarded to the Fortigate's System DNS, which can be a Fortiguard DNS (like in your case) or your provider's DNS. Now you can resolve a local hostname like 'namea.mycompany.local'. At last, if you use the FGT as your DHCP server, specify the Fortigate's LAN address as the DNS to use so that all your local hosts will know whom to ask.
-----------------------------

 

This is setting up your FGT as your local DNS. If you want to continue to use your (? Windows) DNS just create a recursive DNS on the 'lan' interface, and specify your FGT's LAN address as the forwarding target of your local DNS. Set the FGT system DNS to one of the FortiGuard servers.

 

There are pros and cons with the FGT nameserver. Pro: centralized management, easy to maintain, no need to run a dedicated DNS on the LAN. Contra: no dynamic DNS entries, reverse lookup zone takes some nifty configuration, no import of host file. YMMV.

rwpatterson
New Member
November 5, 2017

Hopping on the back of the prior answer, I have written a couple of scripts to convert Windows and BIND DNS zone files to Fortigate-importable data. I do not plan on doing that for a host file. Not enough bang for the buck. Follow the link in my signature if you are interested in the zone file option.

 

Bob
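Added example, not part of this thread and not rwpatterson's scripts (his link is not reproduced here): a small Python converter for the two import cases raised above, the questioner's Plan B hosts file (which, as ede_pfau notes, the FortiGate cannot import as such) and the BIND zone file rwpatterson mentions. It parses both formats, keeps only IPv4 A records that belong to the zone, reports rather than silently drops loopback and IPv6 addresses, names outside the zone, malformed labels and duplicates, and renders the result as the config system dns-database block shown in the answer, with the same fields (shadow view, authoritative, per-entry status/type/ttl/hostname/ip). The zone name, domain and all sample input lines are constructed for the example; nothing here is FortiGate or project code.

```python
import ipaddress
import re

# One DNS label: letters, digits and hyphens, no leading or trailing hyphen.
LABEL_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")

# Constructed sample inputs (no real hosts); the zone matches the answer above.
HOSTS_SAMPLE = """\
127.0.0.1       localhost
::1             localhost ip6-localhost
192.168.234.10  namea.mycompany.local namea
192.168.234.20  fileserver
10.0.0.5        printer.othercorp.example   # belongs to another zone
"""
BIND_SAMPLE = """\
$ORIGIN mycompany.local.
@       IN  NS  ns1
ns1     IN  A   192.168.234.1
namea   IN  A   192.168.234.10
web     300 IN  A   192.168.234.30
        IN  A   192.168.234.31   ; owner name inherited from the line above
mail    IN  MX  10 mail
mail    IN  A   192.168.234.40
"""

def parse_hosts(text):
    """Yield (name, ip) for every name and alias in /etc/hosts-style text."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        for name in fields[1:]:
            yield name, fields[0]

def parse_bind_a_records(text, origin=""):
    """Yield (fqdn, ip) for the A records of a simple BIND zone file."""
    last = ""
    for raw in text.splitlines():
        fields = raw.split(";", 1)[0].split()
        if not fields:
            continue
        if fields[0].startswith("$"):          # $ORIGIN sets the suffix; $TTL etc. are ignored
            origin = fields[1] if fields[0] == "$ORIGIN" else origin
            continue
        # A record line that starts with whitespace inherits the previous owner name.
        name, rest = (last, fields) if raw[:1].isspace() else (fields[0], fields[1:])
        last = name
        while rest and (rest[0].isdigit() or rest[0].upper() == "IN"):  # numeric TTL / class
            rest = rest[1:]
        if len(rest) != 2 or rest[0].upper() != "A":   # NS, MX, SOA, ... are skipped
            continue
        name = origin if name == "@" else name
        if origin and not name.endswith("."):
            name = f"{name}.{origin}"
        yield name, rest[1]

def to_zone_entries(pairs, domain):
    """Keep only A records that belong in `domain`; return (entries, rejected-with-reason)."""
    domain = domain.lower().rstrip(".")
    entries, rejected, seen = [], [], set()
    for name, ip in pairs:
        name = name.lower().rstrip(".")
        if name.endswith("." + domain):
            host = name[: -len(domain) - 1]          # strip the zone suffix
        elif "." in name or name == domain:
            rejected.append((name, ip, "not a host inside the zone"))
            continue
        else:
            host = name                               # bare hosts-file name
        if not all(LABEL_RE.match(part) for part in host.split(".")):
            rejected.append((name, ip, "invalid hostname"))
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            addr = None
        if addr is None or addr.version != 4 or addr.is_loopback or addr.is_unspecified:
            rejected.append((name, ip, "not a usable IPv4 address"))
            continue
        if (host, ip) in seen:                        # same record from both sources
            rejected.append((name, ip, "duplicate"))
            continue
        seen.add((host, ip))
        entries.append((host, ip))
    return entries, rejected

def render_dns_database(zone, domain, entries, zone_ttl=14400):
    """FortiOS 'config system dns-database' block with the fields used in the answer above."""
    head = (f'config system dns-database\n    edit "{zone}"\n        set status enable\n'
            f'        set domain "{domain}"\n        set type master\n        set view shadow\n'
            f'        set ttl {zone_ttl}\n        set authoritative enable\n        config dns-entry\n')
    body = "".join(
        f'            edit {i}\n                set status enable\n                set type A\n'
        f'                set ttl 0\n                set hostname "{host}"\n'
        f'                set ip {ip}\n            next\n'
        for i, (host, ip) in enumerate(entries, 1))
    return head + body + "        end\n    next\nend\n"

if __name__ == "__main__":
    pairs = list(parse_hosts(HOSTS_SAMPLE)) + list(parse_bind_a_records(BIND_SAMPLE))
    entries, rejected = to_zone_entries(pairs, "mycompany.local")
    print(render_dns_database("MyCompanyZone", "mycompany.local", entries))
    for name, ip, why in rejected:
        print(f"# skipped {name} {ip}: {why}")
```

Run it as a script to print the CLI block followed by one "# skipped" line per rejected input; the functions can also be imported to feed a real hosts file or zone file. The strictness is deliberate: an authoritative zone answers for every name under mycompany.local, so a stray hosts-file line (a wrong IP, a name from another domain) becomes the answer every internal client receives, and an entry that silently disappeared during conversion is a name that now fails to resolve. Review the skipped list before pasting the output into the CLI.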