FortiGate can be used as a DNS Server on the network. It will listen for DNS queries on specific interfaces where the service has been enabled.
The DNS service on FortiGate can work in three modes: Recursive, Non-Recursive, or Forward to System DNS (forward-only). These mode names describe which local DNS database the FortiGate consults and whether unmatched queries are forwarded to the system DNS servers; they do not mean that the FortiGate itself performs iterative resolution.
The FortiGate 'Recursive' or 'Non-Recursive' mode of operation should not be confused with the concept of recursive DNS resolution.
In DNS terms, name resolution is the process by which a DNS server resolves an FQDN to an IP address. A lookup can be performed in two ways: recursive and iterative.
Usually, the recursive query happens between the client and its local DNS server (also known as a recursive DNS server, resolver, or caching nameserver), and the iterative lookups happen between that local DNS server and the other servers in the hierarchy (root servers, TLD servers, and authoritative servers).
FortiGate as a DNS server operates as a DNS proxy rather than a full-featured DNS server. In particular, FortiGate does not perform recursive resolution itself; it expects the upstream DNS servers configured under system dns to do the recursive resolution on its behalf.
config system dns
    set primary 96.45.45.45      <- These must be DNS servers that perform recursive resolution.
    set secondary 96.45.46.46    <-
end
The DNS server currently supports 3 modes:
config system dns-server
    edit "lan"
        set mode recursive
    next
    edit "wan"
        set mode non-recursive
    next
    edit "dmz"
        set mode forward-only
    next
end
The mode of the DNS server on an interface determines which local DNS database is consulted and whether an unmatched request received on that interface is forwarded to the upstream DNS servers. Two DNS database views are currently supported: shadow and public.
config system dns-database
    edit "1"
        set domain "test.com"
        set view shadow    <-
        config dns-entry
            edit 1
                set hostname "www"
                set ip 192.168.1.1
            next
        end
    next
    edit "2"
        set domain "test.com"
        set view public    <-
        config dns-entry
            edit 1
                set hostname "www"
                set ip 1.1.1.1
            next
        end
    next
end
Consider an example scenario where a user tries to resolve www.test.com. The outcome depends on which interface the query arrives on, so all three modes need to be checked:
- If the request is from the DMZ interface (dns-server mode is forward-only), the local database is not consulted at all. The request is forwarded directly to the upstream DNS server.
- If the request is from the LAN interface (dns-server mode is recursive), the shadow database is consulted, so the name resolves to 192.168.1.1. If the request does not match any dns-entry in test.com (for example, a query for server.test.com) or any other shadow database, the request is forwarded to the upstream DNS server.
- If the request is from the WAN interface (dns-server mode is non-recursive), only the public database is consulted, so the name resolves to 1.1.1.1. If the request does not match any dns-entry in test.com (for example, a query for server.test.com) or any other public database, the resolution fails: in non-recursive mode the request is never forwarded to an upstream recursive server.
Misconception:
The DNS servers configured under system dns must not be iterative-only servers such as the root servers. Because the FortiGate does not perform recursive queries itself, it would simply proxy the root server's referral back to the client without ever completing the lookup.
config system dns
    set primary 198.41.0.4    <- A.ROOT-SERVERS.NET
end
For example, when a PC sends a DNS lookup to the FortiGate DNS server listening on 192.168.10.254, the client receives the root server's referral (a list of .com TLD nameservers) instead of an address, because the root server answers iteratively and the FortiGate relays that answer unchanged. Note ANSWER: 0, the missing ra flag and the 'recursion requested but not available' warning:
dig www.fortinet.com @192.168.10.254
; <<>> DiG 9.10.3-P4-Debian <<>> www.fortinet.com @192.168.10.254
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38219
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 27
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.fortinet.com.              IN      A

;; AUTHORITY SECTION:
com.                    172800  IN      NS      e.gtld-servers.net.
com.                    172800  IN      NS      b.gtld-servers.net.
com.                    172800  IN      NS      j.gtld-servers.net.
com.                    172800  IN      NS      m.gtld-servers.net.
com.                    172800  IN      NS      i.gtld-servers.net.
com.                    172800  IN      NS      f.gtld-servers.net.
com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      g.gtld-servers.net.
com.                    172800  IN      NS      h.gtld-servers.net.
com.                    172800  IN      NS      l.gtld-servers.net.
com.                    172800  IN      NS      k.gtld-servers.net.
com.                    172800  IN      NS      c.gtld-servers.net.
com.                    172800  IN      NS      d.gtld-servers.net.

;; ADDITIONAL SECTION:
e.gtld-servers.net.     172800  IN      A       192.12.94.30
e.gtld-servers.net.     172800  IN      AAAA    2001:502:1ca1::30
b.gtld-servers.net.     172800  IN      A       192.33.14.30
b.gtld-servers.net.     172800  IN      AAAA    2001:503:231d::2:30
j.gtld-servers.net.     172800  IN      A       192.48.79.30
j.gtld-servers.net.     172800  IN      AAAA    2001:502:7094::30
m.gtld-servers.net.     172800  IN      A       192.55.83.30
m.gtld-servers.net.     172800  IN      AAAA    2001:501:b1f9::30
i.gtld-servers.net.     172800  IN      A       192.43.172.30
i.gtld-servers.net.     172800  IN      AAAA    2001:503:39c1::30
f.gtld-servers.net.     172800  IN      A       192.35.51.30
f.gtld-servers.net.     172800  IN      AAAA    2001:503:d414::30
a.gtld-servers.net.     172800  IN      A       192.5.6.30
a.gtld-servers.net.     172800  IN      AAAA    2001:503:a83e::2:30
g.gtld-servers.net.     172800  IN      A       192.42.93.30
g.gtld-servers.net.     172800  IN      AAAA    2001:503:eea3::30
h.gtld-servers.net.     172800  IN      A       192.54.112.30
h.gtld-servers.net.     172800  IN      AAAA    2001:502:8cc::30
l.gtld-servers.net.     172800  IN      A       192.41.162.30
l.gtld-servers.net.     172800  IN      AAAA    2001:500:d937::30
k.gtld-servers.net.     172800  IN      A       192.52.178.30
k.gtld-servers.net.     172800  IN      AAAA    2001:503:d2d::30
c.gtld-servers.net.     172800  IN      A       192.26.92.30
c.gtld-servers.net.     172800  IN      AAAA    2001:503:83eb::30
d.gtld-servers.net.     172800  IN      A       192.31.80.30
d.gtld-servers.net.     172800  IN      AAAA    2001:500:856e::30

;; Query time: 66 msec
;; SERVER: 192.168.10.254#53(192.168.10.254)
;; WHEN: Wed Oct 18 05:23:44 UTC 2023
;; MSG SIZE  rcvd: 841
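As an added example (not part of the original article and not FortiGate's own code), the following Python script reproduces in code the three reply shapes discussed above: a proper answer from a recursive upstream, the relayed root-server referral shown in the dig output, and the failed lookup on a non-recursive interface when no public entry matches. It builds and parses RFC 1035 wire-format messages with the standard library only. The three sample replies are constructed locally, not captured from a FortiGate; the address 203.0.113.10 and the NXDOMAIN rcode for the non-recursive miss are assumptions, since the article does not state them. check_resolver() is a live UDP check that can be pointed at the FortiGate listener address, for example 192.168.10.254 above.

```python
import secrets
import socket
import struct

A, NS = 1, 2  # RR types used in this example

def _encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def build_query(qname, qtype=A, rd=True, txid=None):
    """Minimal RFC 1035 query; RD=1 is what a stub resolver (or dig) sends by default."""
    txid = secrets.randbelow(0x10000) if txid is None else txid
    return struct.pack("!HHHHHH", txid, 0x0100 if rd else 0, 1, 0, 0, 0) + _encode_name(qname) + struct.pack("!HH", qtype, 1)

def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just past it in the stream)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer (RFC 1035 4.1.4)
            end = end if jumped else off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end if jumped else off)
        labels.append(msg[off:off + length].decode())
        off += length

def parse_response(msg):
    """Header flags plus (name, type, value) tuples for the three RR sections."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = _read_name(msg, off)
        off += 4                                        # skip QTYPE + QCLASS
    sections = {"answer": [], "authority": [], "additional": []}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = _read_name(msg, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            if rtype == A and rdlen == 4:
                value = socket.inet_ntoa(msg[off:off + 4])
            elif rtype == NS:
                value, _ = _read_name(msg, off)
            else:
                value = msg[off:off + rdlen].hex()
            off += rdlen
            sections[section].append((name, rtype, value))
    return {"id": txid, "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080),
            "rcode": flags & 0xF, **sections}

def classify(resp):
    """Map a parsed reply onto the behaviours described in the article."""
    if resp["rcode"] == 0 and resp["answer"]:
        return "answered"
    if resp["rcode"] == 0 and any(t == NS for _, t, _ in resp["authority"]):
        # NOERROR, empty ANSWER, NS records in AUTHORITY, RA clear: the proxy relayed an
        # iterative referral instead of chasing it (the root-server misconfiguration).
        return "referral-proxied" if not resp["ra"] else "referral"
    return {3: "nxdomain", 5: "refused"}.get(resp["rcode"], "servfail-or-other")

def _rr(name, rtype, value, ttl=300):
    rdata = socket.inet_aton(value) if rtype == A else _encode_name(value)
    return _encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def build_response(query, rcode=0, ra=False, answer=(), authority=(), additional=()):
    """Constructed responder for the offline samples: echo the question, append RRs."""
    txid, qflags = struct.unpack("!HH", query[:4])
    flags = 0x8000 | (qflags & 0x0100) | (0x0080 if ra else 0) | rcode
    header = struct.pack("!HHHHHH", txid, flags, 1, len(answer), len(authority), len(additional))
    return header + query[12:] + b"".join(_rr(*r) for r in (*answer, *authority, *additional))

def sample_replies():
    """Three constructed replies to one RD=1 query for www.fortinet.com (not real captures)."""
    q = build_query("www.fortinet.com", txid=0x1234)
    return {
        # system dns points at a real recursive resolver: ANSWER filled, RA set (address is assumed)
        "recursive_upstream": build_response(q, ra=True, answer=[("www.fortinet.com", A, "203.0.113.10")]),
        # system dns points at a root server: its referral is relayed unchanged, RA clear (cf. the dig output)
        "root_upstream": build_response(q, authority=[("com", NS, "a.gtld-servers.net")],
                                        additional=[("a.gtld-servers.net", A, "192.5.6.30")]),
        # non-recursive interface, no matching public entry: fails without forwarding (rcode assumed)
        "non_recursive_miss": build_response(q, rcode=3),
    }

def check_resolver(server, qname="www.fortinet.com", port=53, timeout=2.0):
    """Live check (not exercised offline): one UDP query to the FortiGate listener, reply classified."""
    q = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, port))
        data, _ = s.recvfrom(4096)
    resp = parse_response(data)
    assert resp["id"] == struct.unpack("!H", q[:2])[0], "transaction id mismatch"
    return classify(resp), resp
```

A verdict of referral-proxied from check_resolver() against the FortiGate listener is the signature of the misconfiguration described here: flags qr rd with ra clear, ANSWER 0 and NS records in AUTHORITY. The fix is on the FortiGate side, by pointing system dns at a recursive resolver rather than at a root or other iterative-only server; an nxdomain or refused verdict from a non-recursive interface for a name that exists upstream points instead at a missing public dns-entry.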
Related articles:
Technical Tip: FortiGate Troubleshooting DNS commands
Technical Tip: DNS stops working when using custom DNS
Technical Tip: Different options of configuring DNS server on FortiGate
Troubleshooting Tip: Domain Name ServDNS not responding