Support Forum
Tutek
Contributor

DNS settings on branch best practices

Hi,

How do you recommend configuring DNS on a branch FortiGate? All traffic is routed to the HQ FortiGate, and the domain server (DNS) is located behind the HQ FortiGate.
On the branch LAN, users get their DNS from the DHCP setting "Same as interface IP".

Now in the DNS settings I set "Primary DNS server": IP of the domain server at HQ.

Secondary IP: left empty.
Is this OK? I would like all DNS requests to go to the domain DNS, but it would be great if the branch FortiGate had something like a "DNS cache" so as not to overload the VPN links.

Markus_M
Staff

Hi Tutek,

It will depend on your requirements. Make sure to gather the requirements, and then you can design to meet them.

Consider the tunnel being down: DNS over the tunnel would take the users offline. If the requirement is that ALL traffic is handled by HQ, then this is an expected bad scenario; focus on the stability of the tunnel.

Otherwise, see that you have a local DNS server that serves requests locally and forwards to HQ in case it doesn't know the answer. That saves traffic through the tunnel.

If there is generic traffic, like search engines, that is not required to go through the tunnel, you can also add that in, and your FortiGate routes it directly through its WAN rather than through the tunnel.

The consideration there is not to use up HQ's internet line for the branch site.

Best regards,

Markus

Tutek
Contributor

Forcing all traffic to HQ is a must (no UTM scanning is possible at the branches); that is, we accept that in case of loss of the tunnel there will be no Internet at the branch.

But I don't know how to configure a local DNS cache on the branch side, so that the most visited local servers or websites are cached and there is no need to query the AD server every time.

Is this config OK for the DNS database?

(attached screenshot: Tutek_2-1669714290270.png)

anikolov
Staff

Hello Tutek,

I suggest the following KB for DNS forwarding:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-DNS-conditional-forwarding/ta-p/196821

You can check the DNS cache settings with "diag test application dnsproxy 3":
https://community.fortinet.com/t5/FortiGate/Technical-Note-FortiGate-Troubleshooting-DNS-commands/ta...

The default cache TTL is 30 minutes (1800 seconds).

Here is the command to set it (the value is in seconds, range 60 to 86400):

config system dns
    set dns-cache-ttl 1800
end

https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/903162/important-dns-cli-commands

Regards,

Aleksandar Nikolov
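To put the two replies above together (a branch-side cache that forwards unknown names to HQ, with the cache TTL tuned), here is a complete branch-FortiGate CLI fragment. This is an added example, not configuration from the thread or from Fortinet's KB; the addresses, the interface name "lan" and the zone corp.example.com are assumptions, and the option names should be checked against your firmware release, since dns-database keywords differ between 6.x and 7.x. The "type" of the dns-database entry is left at its default here; the example does not settle the primary/slave question raised below.

```fortios
# Branch FortiGate, added example. Assumed values:
#   10.1.0.10        HQ domain controller / DNS server, reached over the tunnel
#   10.10.1.1        branch LAN interface "lan" (handed to clients by DHCP "Same as interface IP")
#   corp.example.com internal AD zone hosted at HQ
# Lines starting with '#' are ignored by the FortiOS CLI.

# 1. The FortiGate's own resolver points at HQ only (no secondary, as in the
#    original question). source-ip makes the FortiGate's forwarded queries
#    originate from the LAN address so they match the IPsec phase2 selectors;
#    otherwise they leave from the WAN interface and never enter the tunnel.
#    dns-cache-limit 5000 is the max-num value visible in the dnsproxy 3 output.
config system dns
    set primary 10.1.0.10
    unset secondary
    set source-ip 10.10.1.1
    set dns-cache-ttl 1800
    set dns-cache-limit 5000
end

# 2. Serve DNS on the LAN interface. Without a dns-server entry the address
#    handed out by "Same as interface IP" answers nothing. In recursive mode the
#    FortiGate answers from its dns-database, then from the cache, and forwards
#    anything else to the servers in 'config system dns' (over the tunnel).
config system dns-server
    edit "lan"
        set mode recursive
    next
end

# 3. Conditional forwarding for the AD zone, the pattern of the linked KB:
#    the zone is not authoritative on the branch, so queries for it are
#    forwarded to the HQ DC instead of being answered from a local copy.
config system dns-database
    edit "corp"
        set domain "corp.example.com"
        set authoritative disable
        set forwarder "10.1.0.10"
    next
end

# 4. Verify. Option 3 dumps the resolver settings and cache parameters
#    (hash-size, ttl, min-ttl, max-num); running the command with no option
#    number prints the menu of the other dnsproxy test options on that release.
diagnose test application dnsproxy 3
diagnose test application dnsproxy
```

With this in place, branch clients query 10.10.1.1, repeated lookups within the TTL are answered from the branch cache and never cross the tunnel, and only cache misses and corp.example.com queries reach the HQ DC. When the tunnel is down, cached answers still work until they expire, which matches the "no Internet at the branch" trade-off accepted earlier in the thread.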
Tutek
Contributor

One crucial thing is missing from this tutorial: should the dns-database entry be primary or slave? My configuration is the same, but I chose the dns-database entry to be slave, and I don't know if this is OK.

The command "diag test application dnsproxy 3"
does not list all cached entries for me, but only the DNS configuration, like:

DNS_CACHE: hash-size=2048, ttl=1800, min-ttl=60, max-num=5000

Is there a way to list all cached DNS entries?