FortiGate
herzogk
Staff
Article Id 365653
Description The article details a simple setup example for using FortiGate as a secondary DNS Server when Bind9 is the primary.
Scope FortiOS.
Solution

FortiOS allows the FortiGate to be configured as a secondary DNS server. This is useful in setups where a hidden primary server manages the zone files and is not itself listed in the zone's NS records: DNS is managed on the hidden server and replicated to secondary servers, which then provide address resolution. The advantage of using the FortiGate as a secondary is that it can cache and resolve requests for a particular zone locally while the zone itself continues to be managed by the existing infrastructure.

 

In this example, the primary DNS server runs Bind9 and manages the zone 'forti.test'. An existing, working Bind9 configuration is assumed.

 

FortiGate configuration:

 

DNS-Database

 

config system dns-database
    edit "Forti Test Zone"
        set domain "forti.test"
        set type secondary
        set ip-primary 10.1.6.52
    next
end

 


 

config system dns-server
    edit "LAN"
    next
end

 

In this example, the FortiGate responds to DNS requests on the LAN interface, whose address is 10.1.6.1.

 

Bind9 Configuration:

named.conf

// Do any local configuration here

zone "forti.test" {
    type master;
    file "/var/lib/bind/forti.test";
    ...
    allow-transfer { 10.1.6.1; }; // FortiGate interface IP permitted to pull the zone (AXFR/IXFR)
    also-notify { 10.1.6.1; };    // FortiGate interface IP sent a NOTIFY when the zone serial changes
};

forti.test (example zone file)

$TTL 3600
@ IN SOA ns1.forti.test. admin.forti.test. ( ; MNAME and RNAME must end with a dot, otherwise the origin is appended (forti.test.forti.test)
        2024121913 ; Serial
        3600       ; Refresh [1h]
        600        ; Retry [10m]
        86400      ; Expire [1d]
        600 )      ; Negative Cache TTL [10m]
;
@ IN NS ns1.forti.test.

ns1 IN A 10.1.6.1
fortigate IN A 10.1.2.55
fortimail IN A 10.21.1.17
fortianalyzer IN A 10.1.6.2
fortimanager IN A 10.41.63.33
fortiems IN A 10.1.6.4
fortiproxy IN A 10.14.6.11
fortiweb IN A 10.4.11.1
fortiadc IN A 10.37.1.12
fortiswitch IN A 10.62.1.2

 

After the FortiGate IP is added to 'allow-transfer' and 'also-notify', reload the Bind9 configuration:

 

$ rndc reload

 

Once Bind9 has reloaded, log messages similar to the following should appear:

 

general: notice: all zones loaded
general: notice: running
dnssec: info: managed-keys-zone: Key 20326 for zone . is now trusted (acceptance timer complete)
xfer-out: info: client @ 10.1.6.1#14694 (forti.test): transfer of 'forti.test/IN': AXFR started (serial 2024121913)
xfer-out: info: client @ 10.1.6.1#14694 (forti.test): transfer of 'forti.test/IN': AXFR ended: 1 messages, 13 records, 402 bytes, 0.001 secs (402000 bytes/sec) (serial 2024121913)
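The xfer-out lines are also the place to confirm that only the intended secondary is pulling the zone. The following Python script is an added example, not part of the article or of any Fortinet or ISC tooling: it parses Bind9 xfer-out messages of the form shown above and reports completed transfers to clients that are not on the list of configured secondaries, as well as transfers whose serial does not match the serial the primary is expected to hold. The log sample is constructed from the lines above; the second client, 10.1.6.77, is invented so that the audit has something to flag.

```python
import re
from dataclasses import dataclass

# Constructed log sample modelled on the Bind9 messages above; the client
# 10.1.6.77 is invented and does not appear in the article.
SAMPLE_LOG = """\
general: notice: all zones loaded
general: notice: running
xfer-out: info: client @ 10.1.6.1#14694 (forti.test): transfer of 'forti.test/IN': AXFR started (serial 2024121913)
xfer-out: info: client @ 10.1.6.1#14694 (forti.test): transfer of 'forti.test/IN': AXFR ended: 1 messages, 13 records, 402 bytes, 0.001 secs (402000 bytes/sec) (serial 2024121913)
xfer-out: info: client @ 10.1.6.77#50123 (forti.test): transfer of 'forti.test/IN': AXFR started (serial 2024121913)
xfer-out: info: client @ 10.1.6.77#50123 (forti.test): transfer of 'forti.test/IN': AXFR ended: 1 messages, 13 records, 402 bytes, 0.001 secs (402000 bytes/sec) (serial 2024121913)
"""

# One regex covers both the 'started' and the 'ended' variant of the message.
_XFER_RE = re.compile(
    r"xfer-out: info: client @ (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+) "
    r"\((?P<qname>[^)]*)\): transfer of '(?P<zone>[^/']+)/IN': "
    r"(?P<xfr>AXFR|IXFR) (?P<phase>started|ended).*\(serial (?P<serial>\d+)\)"
)


@dataclass(frozen=True)
class Transfer:
    client: str
    port: int
    zone: str
    xfr: str      # AXFR or IXFR
    phase: str    # started or ended
    serial: int


def parse_transfers(log_text):
    """Extract outbound zone-transfer events from Bind9 xfer-out log lines."""
    events = []
    for line in log_text.splitlines():
        m = _XFER_RE.search(line)
        if m:
            events.append(Transfer(m["ip"], int(m["port"]), m["zone"],
                                   m["xfr"], m["phase"], int(m["serial"])))
    return events


def audit_transfers(log_text, allowed_secondaries, expected_serials):
    """Report completed transfers to clients that are not configured secondaries
    for the zone, and transfers whose serial differs from the expected one.

    allowed_secondaries: {zone: set(client IPs)}  (what allow-transfer should contain)
    expected_serials:    {zone: serial}           (the serial in the primary's zone file)
    """
    findings = []
    for ev in parse_transfers(log_text):
        if ev.phase != "ended":          # only completed transfers handed out data
            continue
        if ev.client not in allowed_secondaries.get(ev.zone, set()):
            findings.append(f"{ev.zone}: {ev.xfr} served to {ev.client} which is not a configured secondary")
        expected = expected_serials.get(ev.zone)
        if expected is not None and ev.serial != expected:
            findings.append(f"{ev.zone}: transferred serial {ev.serial} differs from expected {expected}")
    return findings


if __name__ == "__main__":
    for finding in audit_transfers(SAMPLE_LOG, {"forti.test": {"10.1.6.1"}}, {"forti.test": 2024121913}):
        print(finding)
```

A transfer served to a client that is not in the allowed set means allow-transfer is wider than the documented policy (for example, a permissive ACL or a missing restriction), which is worth correcting before the zone grows beyond the lab records shown here.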

 

The FortiGate DNS proxy debug output shows the zone loaded into the local FortiGate database:

 

FortiGate # diagnose test application dnsproxy 8
worker idx: 0
vfid=0 name=Forti Test Zone domain=forti.test ttl=86400 authoritative=1 view=shadow type=secondary serial=2024121913 refresh=3600
A: fortimanager.forti.test-->10.41.63.33(3600)
A: fortiproxy.forti.test-->10.14.6.11(3600)
A: fortianalyzer.forti.test-->10.1.6.2(3600)
A: fortigate.forti.test-->10.1.2.55(3600)
A: fortiweb.forti.test-->10.4.11.1(3600)
A: ns1.forti.test-->10.1.6.1(3600)
SOA: forti.test (primary: forti.test.forti.test, contact: admin@forti.test, serial: 2024121913)(3600)
NS: forti.test-->ns1.forti.test(3600)
A: fortiswitch.forti.test-->10.62.1.2(3600)
A: fortiems.forti.test-->10.1.6.4(3600)
A: fortiadc.forti.test-->10.37.1.12(3600)
A: fortimail.forti.test-->10.21.1.17(3600)
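To confirm that what the FortiGate holds matches what Bind9 serves, the following Python script is an added example (not from the article, Fortinet or ISC). It parses a BIND-style zone file and the 'diagnose test application dnsproxy 8' output shown above into the same (name, type) to data form, then reports a serial mismatch, records missing on the secondary and records whose data differs. Both inputs are constructed copies of the text above: the zone copy writes the SOA MNAME fully qualified, and the debug copy deliberately omits fortiems and alters the fortiweb address so that the comparison has something to report.

```python
import re

ORIGIN = "forti.test"

# Constructed copy of the zone file above (SOA MNAME written fully qualified).
ZONE_FILE = """\
$TTL 3600
@ IN SOA ns1.forti.test. admin.forti.test. (
        2024121913 ; Serial
        3600       ; Refresh [1h]
        600        ; Retry [10m]
        86400      ; Expire [1d]
        600 )      ; Negative Cache TTL [10m]
;
@ IN NS ns1.forti.test.
ns1 IN A 10.1.6.1
fortigate IN A 10.1.2.55
fortimail IN A 10.21.1.17
fortianalyzer IN A 10.1.6.2
fortimanager IN A 10.41.63.33
fortiems IN A 10.1.6.4
fortiproxy IN A 10.14.6.11
fortiweb IN A 10.4.11.1
fortiadc IN A 10.37.1.12
fortiswitch IN A 10.62.1.2
"""

# Constructed dnsproxy debug output: fortiems is missing and fortiweb's address
# differs from the zone file, so the comparison below finds two problems.
DNSPROXY_DEBUG = """\
worker idx: 0
vfid=0 name=Forti Test Zone domain=forti.test ttl=86400 authoritative=1 view=shadow type=secondary serial=2024121913 refresh=3600
A: fortimanager.forti.test-->10.41.63.33(3600)
A: fortiproxy.forti.test-->10.14.6.11(3600)
A: fortianalyzer.forti.test-->10.1.6.2(3600)
A: fortigate.forti.test-->10.1.2.55(3600)
A: fortiweb.forti.test-->10.4.11.2(3600)
A: ns1.forti.test-->10.1.6.1(3600)
SOA: forti.test (primary: ns1.forti.test, contact: admin@forti.test, serial: 2024121913)(3600)
NS: forti.test-->ns1.forti.test(3600)
A: fortiswitch.forti.test-->10.62.1.2(3600)
A: fortiadc.forti.test-->10.37.1.12(3600)
A: fortimail.forti.test-->10.21.1.17(3600)
"""


def _fqdn(name, origin):
    """Normalise an owner or target name to the dot-less FQDN form dnsproxy prints."""
    if name == "@":
        return origin
    return name[:-1] if name.endswith(".") else f"{name}.{origin}"


def parse_zone_file(text, origin):
    """Return (soa_serial, {(fqdn, rtype): rdata}) for the A and NS records of a zone file."""
    logical, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth == 0:                            # a parenthesised SOA becomes one logical record
            logical.append(" ".join(buf))
            buf = []
    serial, records = None, {}
    for line in logical:
        toks = line.replace("(", " ").replace(")", " ").split()
        if toks[0].startswith("$"):               # $TTL / $ORIGIN directives are not records
            continue
        owner = _fqdn(toks[0], origin)
        if toks[1].isdigit():                     # optional per-record TTL before the class
            del toks[1]
        rtype, rdata = toks[2], toks[3:]
        if rtype == "SOA":
            serial = int(rdata[2])                # MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM
        elif rtype in ("A", "NS"):
            records[(owner, rtype)] = _fqdn(rdata[0], origin) if rtype == "NS" else rdata[0]
    return serial, records


_DEBUG_RR = re.compile(r"^(A|NS): (\S+?)-->(\S+?)\((\d+)\)$")


def parse_dnsproxy(text):
    """Return (serial, {(fqdn, rtype): rdata}) from 'diagnose test application dnsproxy 8' output."""
    serial, records = None, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("vfid="):
            m = re.search(r"\bserial=(\d+)", line)
            if m:
                serial = int(m.group(1))
        m = _DEBUG_RR.match(line)
        if m:
            rtype, name, rdata, _ttl = m.groups()
            records[(name, rtype)] = rdata
    return serial, records


def compare_zone(primary, secondary):
    """List serial mismatches, records absent on the secondary and records whose data differs."""
    p_serial, p_rr = primary
    s_serial, s_rr = secondary
    findings = []
    if p_serial != s_serial:
        findings.append(f"serial mismatch: primary {p_serial}, secondary {s_serial}")
    for (name, rtype), rdata in sorted(p_rr.items()):
        if (name, rtype) not in s_rr:
            findings.append(f"missing on secondary: {rtype} {name}")
        elif s_rr[(name, rtype)] != rdata:
            findings.append(f"rdata differs for {rtype} {name}: primary {rdata}, secondary {s_rr[(name, rtype)]}")
    return findings


if __name__ == "__main__":
    for finding in compare_zone(parse_zone_file(ZONE_FILE, ORIGIN), parse_dnsproxy(DNSPROXY_DEBUG)):
        print(finding)
```

With the real debug output from the article, the record sets are identical and only an unchanged serial after an edit on the primary would show up; in that case check that the serial was incremented and that the NOTIFY reached 10.1.6.1, since the FortiGate will otherwise wait for the refresh interval before polling.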

 

Dig Test Confirmation:

 

$ dig @10.1.6.1 fortiswitch.forti.test

; <<>> DiG 9.16.44-Debian <<>> @10.1.6.1 fortiswitch.forti.test
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1044
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;fortiswitch.forti.test. IN A

;; ANSWER SECTION:
fortiswitch.forti.test. 3600 IN A 10.62.1.2

;; AUTHORITY SECTION:
forti.test. 3600 IN NS ns1.forti.test.

;; ADDITIONAL SECTION:
ns1.forti.test. 3600 IN A 10.1.6.1

;; Query time: 0 msec
;; SERVER: 10.1.6.1#53(10.1.6.1)
;; WHEN: Thu Dec 19 15:26:17 CET 2024
;; MSG SIZE rcvd: 90

 
