Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
gmarcuccetti
Staff
Staff

Created on ‎04-28-2017 05:43 AM Edited on ‎09-27-2024 02:43 AM By Moderator

Article Id 196821

Technical Tip: DNS conditional forwarding

Description

 

This article describes how to set up a FortiGate as a DNS Conditional Forwarder.


Solution

 
If there is a need to forward a particular DNS request to a local DNS server for example, FortiGate offers a conditional forwarding feature.
 
 
Note:
Make sure that the local DNS server has the valid DNS records. Also, use the IP address of the 'port4' (the interface that is close to the user) as a DNS server IP address on the DNS user.
 
config system dns <- FortiGate configured with the external DNS servers.
    set primary 1.1.1.1
    set secondary 208.91.112.52
    set domain "iba.local"
end
 
dnssettng.PNG

Enable The DNS Database from System -> Feature Visibility and enable DNS Database. Once enabled, it will be possible to configure the DNS Database in the GUI.

 

enablednsdb.PNG

 

config system dns-database

    edit "dc1.iba.local"

        set domain "dc1.iba.local"      <- A local domain name that is planned to be forwarded to the internal DNS server.

        set authoritative disable

        set forwarder "172.16.190.216"  <- Internal DNS server.

    next

end


dnsdb.PNGIf the requirement is to add more than two DNS forwarder addresses, it can only be added using CLI. GUI dashboard only allows the addition of two DNS Forwarder IPs.
 
config system dns-database
    edit "dc1.iba.local"
    append forwarder 172.16.190.218 172.16.190.219
    next
end
 
To view the modified config:
 
dc1.iba.local) # sh
config system dns-database
    edit "dc1.iba.local"
        set domain "dc1.iba.local"
        set forwarder "172.16.190.216" "172.16.190.218" "172.16.190.219"
    next
end

 

DNS_forwarder.png

 

config system dns-server   <- Interface listening for DNS requests.
    edit "port4"
        set mode recursive
    next
end
dnsserver.PNG

 

 
 
dnsdbfullsetting.PNG

 

Note: If the DNS server is over a VPN, a source IP may need to be specified for the FortiGate to reach the DNS server. 

 

Stephen_G_0-1702344007263.png

 

This can be done with the following commands:
 
config system dns-database
    edit "test_dns_zone"
        set source-ip 192.168.2.99
    next
end

 

The DNS forwarding can be verified by running the following sniffer commands.

 

Note:
In the following example, a DNS request was sent to 172.16.191.1 (the IP address of the interface that is listening for DNS requests) for dc1.iba.local from a DNS user 172.16.191.210. After, it was forwarded to the local DNS server (172.16.190.216), which is the expected result.  

 

diagnose sniffer packet any '(port 53 and host 172.16.191.210) or (port 53 and host 172.16.190.216)' 6 0 a interfaces=[any]
filters=[(port 53 and host 172.16.191.210) or (port 53 and host 172.16.190.216)]
2019-09-09 14:59:39.712277 port4 in 172.16.191.210.54337 -> 172.16.191.1.53: udp 31
0x0000   0000 0000 0001 0050 5004 6802 0800 4500        .......PP.h...E.
0x0010   003b 21e2 0000 8011 41db ac10 bfd2 ac10        .;!.....A.......
0x0020   bf01 d441 0035 0027 8d38 215f 0100 0001        ...A.5.'.8!_....
0x0030   0000 0000 0000 0364 6331 0369 6261 056c        .......dc1.iba.l
0x0040   6f63 616c 0000 0100 01                         ocal.....

2019-09-09 14:59:39.712577 port3 out 172.16.190.1.1717 -> 172.16.190.216.53: udp 31
0x0000   0000 0000 0000 0050 5013 6303 0800 4500        .......PP.c...E.
0x0010   003b 5c55 4000 4011 0962 ac10 be01 ac10        .;\U@.@..b......
0x0020   bed8 06b5 0035 0027 5cbf 215f 0100 0001        .....5.'\.!_....
0x0030   0000 0000 0000 0364 6331 0369 6261 056c        .......dc1.iba.l
0x0040   6f63 616c 0000 0100 01                         ocal.....

2019-09-09 14:59:39.713159 port3 in 172.16.190.216.53 -> 172.16.190.1.1717: udp 47
0x0000   0000 0000 0001 0050 5010 6801 0800 4500        .......PP.h...E.
0x0010   004b 1adb 0000 8011 4acc ac10 bed8 ac10        .K......J.......
0x0020   be01 0035 06b5 0037 cbe4 215f 8580 0001        ...5...7..!_....
0x0030   0001 0000 0000 0364 6331 0369 6261 056c        .......dc1.iba.l
0x0040   6f63 616c 0000 0100 01c0 0c00 0100 0100        ocal............
0x0050   000e 1000 04ac 10be d8                         .........

2019-09-09 14:59:39.713232 port4 out 172.16.191.1.53 -> 172.16.191.210.54337: udp 47
0x0000   0000 0000 0000 0050 5013 6304 0800 4500        .......PP.c...E.
0x0010   004b 5c55 4000 4011 0758 ac10 bf01 ac10        .K\U@.@..X......
0x0020   bfd2 0035 d441 0037 fc5d 215f 8580 0001        ...5.A.7.]!_....
0x0030   0001 0000 0000 0364 6331 0369 6261 056c        .......dc1.iba.l
0x0040   6f63 616c 0000 0100 01c0 0c00 0100 0100        ocal............
0x0050   000e 1000 04ac 10be d8                         .........  

 

However, in cases where connection is made to the other internal/external web resources, the DNS queries will be forwarded to the external DNS servers which are configured on the FortiGate:  

 

diagnose sniffer packet any 'udp and port 53' 6 0 0 a

9.131101 port4 in 172.16.191.210.62976 -> 172.16.191.1.53: udp 28

0x0000   0000 0000 0001 0050 5004 6802 0800 4500        .......PP.h...E.

0x0010   0038 1baf 0000 8011 4811 ac10 bfd2 ac10        .8......H.......

0x0020   bf01 f600 0035 0024 1258 74ed 0100 0001        .....5.$.Xt.....

0x0030   0000 0000 0000 0766 6374 6172 617a 026b        .......fctaraz.k

0x0040   7a00 0001 0001                                 z..... 

 

9.131373 port1 out 10.109.19.83.4128 -> 1.1.1.1.53: udp 28

0x0000   0000 0000 0000 0050 5013 6301 0800 4500        .......PP.c...E.

0x0010   0038 3ee5 4000 4011 dc0e 0a6d 1353 0101        .8>.@.@....m.S..

0x0020   0101 1020 0035 0024 af6c 74ed 0100 0001        .....5.$.lt.....

0x0030   0000 0000 0000 0766 6374 6172 617a 026b        .......fctaraz.k

0x0040   7a00 0001 0001                                 z.....

 

9.158692 port4 in 172.16.191.210.62976 -> 172.16.191.1.53: udp 28

0x0000   0000 0000 0001 0050 5004 6802 0800 4500        .......PP.h...E.

0x0010   0038 1bb0 0000 8011 4810 ac10 bfd2 ac10        .8......H.......

0x0020   bf01 f600 0035 0024 1258 74ed 0100 0001        .....5.$.Xt.....

0x0030   0000 0000 0000 0766 6374 6172 617a 026b        .......fctaraz.k

0x0040   7a00 0001 0001                                 z..... 

 

9.188096 port1 in 1.1.1.1.53 -> 10.109.19.83.4128: udp 44

0x0000   0000 0000 0001 0009 0f09 c723 0800 4500        ...........#..E.

0x0010   0048 3f9a 4000 3a11 e149 0101 0101 0a6d        .H?.@.:..I.....m

0x0020   1353 0035 1020 0034 9f97 74ed 8180 0001        .S.5...4..t.....

0x0030   0001 0000 0000 0766 6374 6172 617a 026b        .......fctaraz.k

0x0040   7a00 0001 0001 c00c 0001 0001 0000 0e10        z...............

0x0050   0004 b962 07ae                                 ...b.. 

 

9.188197 port4 out 172.16.191.1.53 -> 172.16.191.210.62976: udp 44

0x0000   0000 0000 0000 0050 5013 6304 0800 4500        .......PP.c...E.

0x0010   0048 44e5 4000 4011 1ecb ac10 bf01 ac10        .HD.@.@.........

0x0020   bfd2 0035 f600 0034 0283 74ed 8180 0001        ...5...4..t.....

0x0030   0001 0000 0000 0766 6374 6172 617a 026b        .......fctaraz.k

0x0040   7a00 0001 0001 c00c 0001 0001 0000 0e10        z...............

0x0050   0004 b962 07ae                                 ...b..  

 

97335
Submit Article Idea
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.