Created on
‎06-09-2015
02:14 PM
Edited on
‎09-02-2024
12:25 AM
By
Jean-Philippe_P
Description
In this example the FortiGate is at Site A and the Windows DNS server is at Site B. The two sites are connected by a VPN. The FortiGate has an internal IP of 192.168.2.99, and the Windows AD DNS server has an IP of 10.10.54.6.
Scope
FortiGate.
Solution
On the Windows DNS server:
- Launch DNS Manager, select the DNS zone in question and open its Properties. The Start of Authority (SOA) tab shows the zone serial; the FortiGate reports the same serial once the transfer has completed.
- Go to the Zone Transfers tab and select 'Allow zone transfers'. Prefer 'Only to the following servers' and add the address the FortiGate's requests arrive from across the VPN (192.168.2.99 here). 'To any server' also works, but then any host that can reach the DNS server on TCP port 53 can pull a copy of the whole zone.
- Select 'Notify' and pick 'The following servers'. Add the FortiGate's IP address so the Windows server tells the FortiGate to refresh as soon as the zone serial changes. Select 'Ok', and select 'Ok' again.
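The same zone settings applied from PowerShell on the Windows DNS server, added here as an example and not taken from the original article. It uses the DnsServer module cmdlets (available where the DNS Server role or the RSAT DNS tools are installed) with the article's values, restricts transfers to the FortiGate's address instead of allowing any server, and reads the result back:

```powershell
# Added example (not from the original article): configure the zone on the Windows
# DNS server from PowerShell instead of DNS Manager. Values assume the article's lab:
# zone test_dns_zone.loc, FortiGate secondary reached at 192.168.2.99.
Import-Module DnsServer

$ZoneName  = 'test_dns_zone.loc'
$FortiGate = [IPAddress]'192.168.2.99'

# Restrict zone transfers (AXFR/IXFR over TCP 53) to the FortiGate only, rather than
# 'To any server', and send NOTIFY (UDP 53) to the FortiGate when the serial changes.
Set-DnsServerPrimaryZone -Name $ZoneName `
    -SecureSecondaries TransferToSecureServers `
    -SecondaryServers  $FortiGate `
    -Notify            NotifyServers `
    -NotifyServers     $FortiGate

# Read the settings back and fail loudly if the zone is still open to any server.
$zone = Get-DnsServerZone -Name $ZoneName
if ($zone.SecureSecondaries -ne 'TransferToSecureServers' -or
    $zone.SecondaryServers.IPAddressToString -notcontains $FortiGate.IPAddressToString) {
    throw "Zone transfer for $ZoneName is not restricted to $FortiGate"
}

# The serial the FortiGate should report after the transfer (serial=10 in the
# article's diag output); compare it with 'serial=' in 'diag test application dnsproxy 8'.
$soa = Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType Soa
'Zone {0}: transfers allowed to {1}; notify sent to {2}; SOA serial {3}' -f $ZoneName,
    ($zone.SecondaryServers -join ', '),
    ($zone.NotifyServers -join ', '),
    $soa.RecordData.SerialNumber
```

Run it in an elevated session on the DNS server, or add -ComputerName to each DnsServer cmdlet to manage the server remotely. If the FortiGate later fails to transfer the zone, the address it sources the request from is the first thing to compare against the SecondaryServers list.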
On the FortiGate:
Go to System -> Config -> Features, select Show More, and turn on DNS Database (select 'Apply').

Go to Network -> DNS Servers and create a new DNS Database:
Type: Slave
DNS Zone: test_dns_zone
Domain Name: test_dns_zone.loc
IP of Master: 10.10.54.6
View: Shadow (the view must be Shadow for this setup; see the note on DNS service modes below)

The FortiGate supports the following DNS records:
A Host
AAAA IPv6 host
CNAME Canonical name
MX Mail exchange
NS Name server
PTR Pointer
PTR_V6 IPv6 pointer
With Windows AD, a common and necessary record type is the SRV record (for example the _ldap._tcp and _kerberos._tcp records that domain members use to locate a domain controller). SRV is not in the list above, so the FortiGate cannot hold these records in its shadow copy of the zone. To resolve them with the FortiGate as the DNS server, a forwarder must be specified on the DNS database configured on the FortiGate: queries for the zone that the shadow copy cannot answer are sent to it, so point it at the Windows DNS server. Setting source-ip makes the FortiGate send its DNS traffic for this zone from its internal address, which is the address the Windows server knows the FortiGate by and the one the VPN policy must permit (the zone transfer is TCP port 53 from the FortiGate to 10.10.54.6; NOTIFY from the Windows server to the FortiGate is UDP port 53 in the other direction; both must be allowed across the VPN).
This is done using the following commands:
config system dns-database
    edit "test_dns_zone"
        set forwarder "10.10.54.6"
        set source-ip 192.168.2.99
    next
end
Whenever the FortiGate is used as a DNS server, a DNS service must exist on the interface whose IP address the clients query. If users attached to the internal interface want to use the FortiGate as their DNS server, point them at the FortiGate's internal IP address (192.168.2.99 in this example) and create a DNS service for that interface:
Go to Network -> DNS Servers and create a new DNS Service.
Interface: internal
Mode: Recursive
There are three DNS server modes on the FortiGate:
- recursive: shadow DNS database and forward.
- non-recursive: public DNS database only.
- forward-only: forward only.
Because the mode 'recursive' serves the shadow DNS database and forwards everything else, the View of the database under 'config system dns-database' must be 'Shadow'. With any other view the queries are only forwarded to the FortiGate's system DNS servers and resolution for test_dns_zone.loc can fail. Use 'recursive' only on internal interfaces: a recursive DNS service on an Internet-facing interface is an open resolver that anyone can use.

In the CLI run the following command on the FortiGate to see the database ('app' is an accepted abbreviation of 'application'):
diag test application dnsproxy 8
Check that the entry shows view=shadow and type=slave and that serial matches the serial of the SOA record on the Windows server; if the serial is behind, the zone transfer has not completed. Example output:
2015-04-23 16:21:08 vfid=0 name=test_dns_zone domain=test_dns_zone.loc ttl=86400 authoritative=1 view=shadow type=slave serial=10 refresh=900
2015-04-23 16:21:08 forwarder:
2015-04-23 16:21:08 10.10.54.6 secure=0
2015-04-23 16:21:08 A: Fortigate_90d.test_dns_zone.loc-->192.168.2.99 (3600)
2015-04-23 16:21:08 A: test1.test_dns_zone.loc-->192.168.2.1 (3600)
2015-04-23 16:21:08 A: test3.test_dns_zone.loc-->192.168.3.4 (3600)
2015-04-23 16:21:08 SOA: test_dns_zone.loc (primary: dc1.test_dns_zone.loc, contact: hostmaster@test_dns_zone.loc, serial: 10)
2015-04-23 16:21:08 NS: test_dns_zone.loc-->dc1.test_dns_zone.loc (0)
2015-04-23 16:21:08 A: test2.test_dns_zone.loc-->192.168.2.3 (3600)
2015-04-23 16:21:08 A: dc1.test_dns_zone.loc-->10.10.54.6 (3600)
2015-04-23 16:21:08 A: lab.test_dns_zone.loc-->192.168.2.2 (3600)
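The diag output above is the FortiGate-side check. The script below, added here as an example and not part of the original article, is the matching client-side check from a Windows host at Site A: it asks the FortiGate and the Windows DNS server for the same names and compares the answers, so a stale shadow copy or a missing forwarder shows up as a mismatch or an empty answer. It assumes the article's values (FortiGate DNS service on 192.168.2.99, Windows DNS server 10.10.54.6, zone test_dns_zone.loc) and that the zone is the AD domain's zone, so the standard _ldap._tcp.dc._msdcs domain-controller locator SRV record exists:

```powershell
# Added example (not from the original article): verify from a Windows client that the
# FortiGate answers for the zone. A records come from the FortiGate's shadow copy; the
# SRV record cannot be stored there and is only answerable through the forwarder.
# Assumed values from the article's lab; adjust to your environment.
$FortiGate = '192.168.2.99'
$Master    = '10.10.54.6'
$Zone      = 'test_dns_zone.loc'

# Reduce a Resolve-DnsName result to a sorted, comparable list of answers of one type.
function Get-AnswerSet {
    param($Records, [string]$Type)
    $Records | Where-Object { $_.Type -eq $Type } | ForEach-Object {
        if ($Type -eq 'SRV') { '{0}:{1}' -f $_.NameTarget, $_.Port } else { $_.IPAddress }
    } | Sort-Object
}

$checks = @(
    @{ Name = "test1.$Zone";                Type = 'A'   }   # served from the shadow copy
    @{ Name = "dc1.$Zone";                  Type = 'A'   }   # served from the shadow copy
    @{ Name = "_ldap._tcp.dc._msdcs.$Zone"; Type = 'SRV' }   # assumed AD locator record, via forwarder
)

$failed = 0
foreach ($c in $checks) {
    # -Server pins the resolver; -DnsOnly skips the hosts file, LLMNR and NetBIOS.
    $viaFgt = Resolve-DnsName -Name $c.Name -Type $c.Type -Server $FortiGate -DnsOnly -ErrorAction SilentlyContinue
    $viaDc  = Resolve-DnsName -Name $c.Name -Type $c.Type -Server $Master    -DnsOnly -ErrorAction SilentlyContinue
    $fgt = @(Get-AnswerSet $viaFgt $c.Type)
    $dc  = @(Get-AnswerSet $viaDc  $c.Type)

    if ($fgt.Count -eq 0) {
        Write-Warning "$($c.Type) $($c.Name): no answer from the FortiGate ($FortiGate)"
        $failed++
    } elseif (($fgt -join ',') -ne ($dc -join ',')) {
        # A shadow copy whose serial is behind the master shows up here as a mismatch.
        Write-Warning "$($c.Type) $($c.Name): FortiGate says [$($fgt -join ', ')], master says [$($dc -join ', ')]"
        $failed++
    } else {
        '{0,-4} {1,-40} OK: {2}' -f $c.Type, $c.Name, ($fgt -join ', ')
    }
}

# Serial the master currently publishes; compare it with 'serial=' in the diag output.
$soa = Resolve-DnsName -Name $Zone -Type SOA -Server $Master -DnsOnly | Where-Object { $_.Type -eq 'SOA' }
'Master SOA serial for {0}: {1}' -f $Zone, $soa.SerialNumber

if ($failed) {
    throw "$failed lookup(s) failed: check the DNS service mode (recursive), the database view (Shadow) and the forwarder on the FortiGate"
}
```

An empty answer for the A records points at the DNS service (wrong interface or mode) or a database view other than Shadow; an empty answer for the SRV record alone points at a missing or unreachable forwarder.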