FortiGate
mbanica (Staff)
Article Id 194765

Description

This article describes the steps to configure a DNS zone transfer over an IPsec tunnel.

Scope

All FortiGates.


Solution

It is assumed that IPsec is working correctly, and DNS zone transfer now needs to be implemented.

Topology:

PC1---(192.168.10.1)[FGT-100 Primary DNS]------IPsec VPN----[FGT-200](192.168.20.1)----PC2

DNS Master configuration: FGT-100.

  1. If necessary, enable the DNS database feature: go to System -> Feature Visibility and enable DNS Database.
  2. Go to Network -> DNS Server. Enable the DNS service on the IPsec interface and on the internal interface where the DNS zone transfer will point.
  3. Create a new DNS Database (in this example 'zone1').
  4. Edit the zone and create the DNS records in the zone. For example, an A record for a web server: webserver.lab.local -> 172.16.100.2.
  5. Set the 'allow-transfer' IP (only available in the CLI) as described below.

FGT-100 CLI configuration:

config system interface
    edit "port2"
        set vdom "root"
        set ip 192.168.10.1 255.255.255.0
        set alias "LAN"
    next
end

config system dns-server
    edit "port2"
    next
    edit "ToBranch"
    next
end

config system dns-database
    edit "zone1"
        set domain "lab.local"
        config dns-entry
            edit 1
                set hostname "dc"
                set ip 192.168.1.196
            next
            edit 2
                set hostname "webserver"
                set ip 172.16.100.2
            next
        end
        set allow-transfer "192.168.20.1"      -> The source IP that will request the zone transfer.
    next
end

DNS Slave configuration: FGT-200.


  1. Enable the DNS service on the internal interface port3.
  2. Create the DNS zone zone1 as follows:
    • Set Type to Secondary.
    • Enter the IP of the primary DNS server, in this case 192.168.10.1 (the IP of the IPsec interface will work as well if one has been configured).
    • Set View to Shadow so that only internal users can use it.


FGT-200 CLI configuration:

config system interface
    edit "port3"
        set vdom "root"
        set ip 192.168.20.1 255.255.255.0
        set alias "LAN"
    next
end

config system dns-server
    edit "port3"
    next
end

config system dns-database
    edit "zone1"
        set domain "lab.local"
        set type secondary
        set authoritative disable
        set source-ip 192.168.20.1            -> The source IP that will request the zone transfer.
        set ip-primary 192.168.10.1
    next
end

 

Note: If the IPsec interfaces have an IP configured, these two IPs can be used in the configuration instead of the internal interface IPs. In that case, it is not required to include port2 in 'config system dns-server' on the primary DNS server FGT-100.
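As an added example (not Fortinet code), the script below cross-checks the FGT-100 and FGT-200 CLI blocks above: it parses FortiOS "config/edit/set/next/end" text into nested dicts and verifies that the secondary's source-ip is listed in the primary's allow-transfer and that ip-primary is an address the primary actually serves DNS on. It assumes the primary excerpt contains the 'system interface' entry for the address used as ip-primary (an IPsec interface with an IP would need its entry included as well).

```python
# Added example (not Fortinet code): cross-check the FGT-100 and FGT-200 CLI blocks.
# Parses FortiOS "config/edit/set/next/end" text and checks the zone-transfer settings.
import shlex

def parse_fortios(text):
    """Parse FortiOS CLI text; 'set' values are kept as lists of tokens."""
    root, stack = {}, []
    node = root
    for raw in text.splitlines():
        tok = shlex.split(raw.split("->")[0])   # drop trailing "-> ..." remarks
        if not tok:
            continue
        if tok[0] in ("config", "edit"):
            stack.append(node)
            node = node.setdefault(" ".join(tok[1:]), {})
        elif tok[0] == "set":
            node[tok[1]] = tok[2:]
        elif tok[0] in ("next", "end") and stack:
            node = stack.pop()
    return root

def check_zone_transfer(primary_cfg, secondary_cfg, zone="zone1"):
    """Return a list of findings; an empty list means both sides agree."""
    p, s = parse_fortios(primary_cfg), parse_fortios(secondary_cfg)
    pz = p.get("system dns-database", {}).get(zone, {})
    sz = s.get("system dns-database", {}).get(zone, {})
    findings = []
    allowed = pz.get("allow-transfer", [])
    if not allowed:
        findings.append(f"primary: allow-transfer is not set for zone {zone}")
    src = (sz.get("source-ip") or [""])[0]
    if src not in allowed:
        findings.append(f"primary: allow-transfer does not list secondary source-ip {src}")
    # ip-primary must be an address of a primary interface that has the DNS service enabled
    serving = set(p.get("system dns-server", {}))
    served_ips = {v["ip"][0] for name, v in p.get("system interface", {}).items()
                  if name in serving and "ip" in v}
    ipp = (sz.get("ip-primary") or [""])[0]
    if ipp not in served_ips:
        findings.append(f"secondary: ip-primary {ipp} is not a DNS-serving interface IP of the primary")
    return findings

# Constructed inputs, reduced from the article's two CLI blocks.
FGT100 = ('config system interface\n edit "port2"\n  set ip 192.168.10.1 255.255.255.0\n next\nend\n'
          'config system dns-server\n edit "port2"\n next\n edit "ToBranch"\n next\nend\n'
          'config system dns-database\n edit "zone1"\n  set domain "lab.local"\n'
          '  set allow-transfer "192.168.20.1"  -> source IP of the transfer request\n next\nend\n')
FGT200 = ('config system dns-database\n edit "zone1"\n  set domain "lab.local"\n  set type secondary\n'
          '  set authoritative disable\n  set source-ip 192.168.20.1\n  set ip-primary 192.168.10.1\n next\nend\n')
```

Running check_zone_transfer(FGT100, FGT200) on the article's values returns an empty list; a mismatched source-ip or ip-primary produces a finding naming the side to fix.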

 

Testing the configuration.

  1. Confirm there is DNS traffic between 192.168.20.1 and 192.168.10.1 with a packet capture:

    FGT-200 # diag sniffer packet any 'host 192.168.10.1 and host 192.168.20.1 and port 53' 4 0 l
    Using Original Sniffing Mode
    interfaces=[any]
    filters=[host 192.168.10.1 and host 192.168.20.1 and port 53]
    2024-11-17 11:31:12.686732 ToHQ out 192.168.20.1.9868 -> 192.168.10.1.53: syn 713751820
    2024-11-17 11:31:12.706355 ToHQ in 192.168.10.1.53 -> 192.168.20.1.9868: syn 206947414 ack 713751821
    2024-11-17 11:31:12.706416 ToHQ out 192.168.20.1.9868 -> 192.168.10.1.53: ack 206947415

  2. On the FGT-200 (Secondary DNS) dump the DNS database to confirm that the DNS records are part of the database and that the DNS zone transfer worked:

    FGT-200 # diag test application dnsproxy 8
    worker idx: 0
    vfid=0 name=zone1 domain=lab.local ttl=86400 authoritative=0 view=shadow type=secondary serial=379328144 refresh=7200
    SOA: lab.local (primary: dns.lab.local, contact: host@lab.local, serial: 379328144)(86400)
    A: dc.lab.local-->192.168.1.196(86400)
    A: webserver.lab.local-->172.16.100.2(86400)

    FGT-200 can now resolve these names, as can PC2 when it uses FGT-200 (192.168.20.1) as its DNS server:

    FGT-200 # exe ping webserver.lab.local
    PING webserver.lab.local (172.16.100.2): 56 data bytes

  3. If required, reload the DNS database with 'diag test application dnsproxy 9', or perform additional troubleshooting with the steps described in this article: Troubleshooting-Tip-Troubleshoot-DNS-Transfer-zone-from-DNS.