FortiGate
Adryan_you
Staff
Article Id 284540
Description This article describes how the view of a DNS database zone ('public' or 'shadow') affects DNS resolution for explicit proxy sessions on FortiGate.
Scope FortiGate.
Solution

Each DNS database zone has its view set to either 'public' or 'shadow'. For explicit proxy sessions, FortiGate resolves host names against DNS database zones whose view is 'shadow'. A zone with view 'public' is not consulted for these lookups; the query is sent to the DNS servers configured under 'config system dns' instead.

 

For example, FortiGate is configured as an explicit web proxy. A secondary DNS zone 'xxxx.yy.com' is created on the FortiGate to receive the zone's records from the internal DNS server by zone transfer.

 

FGTTEST # show sys dns
    config system dns
        set primary 8.8.8.8
        set secondary 165.21.100.88
    end

 

FGTTEST # show sys dns-database xxxx.yy.com
    config system dns-database
        edit "xxxx.yy.com"
            set domain "xxxx.yy.com"
            set type secondary
            set view shadow    <-----
            set forwarder <DNS server IP@ for DNS forwarding>
            set ip-primary <internal DNS server IP@ for zone transfer>
        next
    end

 

With the view set to 'shadow':

  • If the host name in the HTTP request URL falls under a zone in the DNS database, FortiGate answers the lookup from that zone first: the trace shows the zone being found and dnsentry_search() being called against it, and no request is sent to an external DNS server.

 

The traces below were captured with the dnsproxy debug ('dia de app dnsproxy -1' and 'dia de e' are the abbreviated forms of the same commands):

diagnose debug application dnsproxy -1
diagnose debug enable

Disable the trace afterwards with 'diagnose debug disable' followed by 'diagnose debug reset'.

[worker 0] dns_local_lookup()-2529: vfid=0, real_vfid=0, qname=truckbus.xxxx.yy.com, qtype=1, qclass=1, offset=39, map#=4 max_sz=512
[worker 0] dns_lookup_aa_zone()-608: vfid=0, fqdn=truckbus.xxxx.yy.com
[worker 0] dns_local_lookup()-2581: found zone=xxxx.yy.com domain=xxxx.yy.com<-----
[worker 0] dnsentry_search()-506: domain=xxxx.yy.com, name=truckbus.xxxx.yy.com, type=1

 

If the host name in the HTTP request URL does not belong to any zone in the DNS database, FortiGate forwards the query to the DNS server configured under 'config system dns' (8.8.8.8 in this example):

 

[worker 0] dns_local_lookup()-2529: vfid=0, real_vfid=0, qname=login.microsoft.com, qtype=1, qclass=1, offset=37, map#=3 max_sz=131072
[worker 0] dns_lookup_aa_zone()-608: vfid=0, fqdn=login.microsoft.com
[worker 0] dns_send_request()-1430
[worker 0] dns_send_resol_request()-1266: orig id: 0x0098 local id: 0x0098 domain=login.microsoft.com
[worker 0] dns_find_best_server()-658: found server: 8.8.8.8 (vfid=0 vrf=0)<-----
[worker 0] dns_udp_forward_request()-1092: vdom=root req_type=1 domain=login.microsoft.com oif=0
[worker 0] dns_udp_forward_request()-1212: Send 37B to [8.8.8.8]:53 via fd=19 request:1

 

When the view is set to 'public':

  • The zone is not consulted for explicit proxy lookups. FortiGate resolves every URL host name, including names under 'xxxx.yy.com', through the DNS servers configured under 'config system dns'. In the trace below, truckbus.xxxx.yy.com is sent to 8.8.8.8, which can only answer if that server knows the internal zone, and the internal host name is disclosed to the external resolver.

 

[worker 0] dns_local_lookup()-2529: vfid=0, real_vfid=0, qname=truckbus.xxxx.yy.com, qtype=1, qclass=1, offset=39, map#=4 max_sz=512
[worker 0] dns_lookup_aa_zone()-608: vfid=0, fqdn=truckbus.xxxx.yy.com
[worker 0] dns_send_request()-1430
[worker 0] dns_send_resol_request()-1266: orig id: 0x0000 local id: 0xc06d domain=truckbus.xxxx.yy.com
[worker 0] dns_find_best_server()-658: found server: 8.8.8.8 (vfid=0 vrf=0)
[worker 0] dns_udp_forward_request()-1092: vdom=root req_type=1 domain=truckbus.xxxx.yy.com oif=0
[worker 0] dns_udp_forward_request()-1212: Send 39B to [8.8.8.8]:53 via fd=18 request:1

 

[worker 0] dns_local_lookup()-2529: vfid=0, real_vfid=0, qname=safebrowsing.googleapis.com, qtype=1, qclass=1, offset=45, map#=3 max_sz=512
[worker 0] dns_lookup_aa_zone()-608: vfid=0, fqdn=safebrowsing.googleapis.com
[worker 0] dns_send_request()-1430
[worker 0] dns_send_resol_request()-1266: orig id: 0x0100 local id: 0x0100 domain=safebrowsing.googleapis.com
[worker 0] dns_find_best_server()-658: found server: 8.8.8.8 (vfid=0 vrf=0)
[worker 0] dns_udp_forward_request()-1092: vdom=root req_type=1 domain=safebrowsing.googleapis.com oif=0
[worker 0] dns_udp_forward_request()-1212: Send 45B to [8.8.8.8]:53 via fd=18 request:1
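The two traces above differ only in where a lookup ends: at 'found zone=' (answered from the DNS database) or at 'found server:' (forwarded to a system DNS server). The script below, an added example that is not part of this article or of FortiOS, parses a dnsproxy debug trace, classifies each query by how it was resolved, and flags names under an internal zone that were forwarded to an external server, which is what a 'public' view produces for explicit proxy traffic. The sample trace is constructed from the lines shown in this article, and the regular expressions assume that exact line format; other FortiOS builds may print these lines differently.

```python
"""Classify FortiGate dnsproxy debug lines: answered from a local zone or forwarded upstream."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Constructed sample: the three lookups shown in this article (shadow hit, non-matching
# name, and the same internal name with the zone view set to 'public').
SAMPLE_TRACE = """\
[worker 0] dns_local_lookup()-2529: vfid=0, real_vfid=0, qname=truckbus.xxxx.yy.com, qtype=1, qclass=1, offset=39, map#=4 max_sz=512
[worker 0] dns_lookup_aa_zone()-608: vfid=0, fqdn=truckbus.xxxx.yy.com
[worker 0] dns_local_lookup()-2581: found zone=xxxx.yy.com domain=xxxx.yy.com
[worker 0] dnsentry_search()-506: domain=xxxx.yy.com, name=truckbus.xxxx.yy.com, type=1
[worker 0] dns_local_lookup()-2529: vfid=0, real_vfid=0, qname=login.microsoft.com, qtype=1, qclass=1, offset=37, map#=3 max_sz=131072
[worker 0] dns_lookup_aa_zone()-608: vfid=0, fqdn=login.microsoft.com
[worker 0] dns_send_request()-1430
[worker 0] dns_send_resol_request()-1266: orig id: 0x0098 local id: 0x0098 domain=login.microsoft.com
[worker 0] dns_find_best_server()-658: found server: 8.8.8.8 (vfid=0 vrf=0)
[worker 0] dns_udp_forward_request()-1092: vdom=root req_type=1 domain=login.microsoft.com oif=0
[worker 0] dns_udp_forward_request()-1212: Send 37B to [8.8.8.8]:53 via fd=19 request:1
[worker 0] dns_local_lookup()-2529: vfid=0, real_vfid=0, qname=truckbus.xxxx.yy.com, qtype=1, qclass=1, offset=39, map#=4 max_sz=512
[worker 0] dns_lookup_aa_zone()-608: vfid=0, fqdn=truckbus.xxxx.yy.com
[worker 0] dns_send_request()-1430
[worker 0] dns_send_resol_request()-1266: orig id: 0x0000 local id: 0xc06d domain=truckbus.xxxx.yy.com
[worker 0] dns_find_best_server()-658: found server: 8.8.8.8 (vfid=0 vrf=0)
[worker 0] dns_udp_forward_request()-1092: vdom=root req_type=1 domain=truckbus.xxxx.yy.com oif=0
[worker 0] dns_udp_forward_request()-1212: Send 39B to [8.8.8.8]:53 via fd=18 request:1
"""


@dataclass
class QueryResult:
    worker: str
    qname: str
    resolved_by: str  # "zone" (DNS database) or "upstream" (system DNS server)
    target: str       # zone name or upstream server IP


# Patterns assume the line format of this article's trace (hypothetical for other builds).
_START = re.compile(r"^\[worker (?P<w>\d+)\] dns_local_lookup\(\)-\d+: .*?qname=(?P<qname>[^,\s]+)")
_ZONE = re.compile(r"^\[worker (?P<w>\d+)\] dns_local_lookup\(\)-\d+: found zone=(?P<zone>\S+)")
_UPSTREAM = re.compile(r"^\[worker (?P<w>\d+)\] dns_find_best_server\(\)-\d+: found server: (?P<server>\S+)")


def classify(trace: str) -> List[QueryResult]:
    """Pair each 'qname=' lookup with the 'found zone=' or 'found server:' line that ends it.

    Lookups are tracked per worker, since workers interleave their output in a real trace.
    """
    results: List[QueryResult] = []
    pending: Dict[str, str] = {}  # worker id -> qname of the lookup in progress
    for raw in trace.splitlines():
        line = raw.strip()
        m = _START.match(line)
        if m:
            pending[m["w"]] = m["qname"]
            continue
        m = _ZONE.match(line)
        if m and m["w"] in pending:
            results.append(QueryResult(m["w"], pending.pop(m["w"]), "zone", m["zone"]))
            continue
        m = _UPSTREAM.match(line)
        if m and m["w"] in pending:
            results.append(QueryResult(m["w"], pending.pop(m["w"]), "upstream", m["server"]))
    return results


def leaked_internal_names(results: Iterable[QueryResult], internal_zones: Iterable[str]) -> List[QueryResult]:
    """Return lookups for names inside an internal zone that were sent to an upstream server."""
    zones = [z.strip(".").lower() for z in internal_zones]
    leaked = []
    for r in results:
        name = r.qname.rstrip(".").lower()
        if r.resolved_by == "upstream" and any(name == z or name.endswith("." + z) for z in zones):
            leaked.append(r)
    return leaked


if __name__ == "__main__":
    found = classify(SAMPLE_TRACE)
    for r in found:
        print(f"worker {r.worker}: {r.qname} -> {r.resolved_by} ({r.target})")
    for r in leaked_internal_names(found, ["xxxx.yy.com"]):
        print(f"WARNING: internal name {r.qname} forwarded to external server {r.target}")
```

Run it against a saved 'diagnose debug application dnsproxy -1' capture instead of SAMPLE_TRACE; any WARNING line for a name under a zone you expected to be answered locally means that zone's view is 'public', or that the name is not in the zone data the FortiGate received.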
