Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
csjjpm
New Contributor II

Static DNS entries for internal servers

Hi,

  I have configured the additional DNS Database feature and created a DNS Service on my softwareswitch following these instructions: https://kb.fortinet.com/kb/documentLink.do?externalID=FD49991

 

Would someone be able to clarify something for me?  2 questions:

1.) I guess for each interface (VLAN) I have to change this to 'Specify' and put in my FG ip address as the DNS server.  However, does this replace the DNS settings I've configured in the FG or is it applied in addition?

2.) how is it applied to the VPN subnet?

 

thanks

Paul

Firewall newbie
Firewall newbie
1 REPLY 1
msander
Staff
Staff

Hello Paul,

 

Many thanks for your message.

 

The DNS database will not override the actual system DNS. You can actually see that as a recursive DNS database. As soon as you configure the FGT as DNS Server you can specify that all requests will be forwarded to the configured system DNS or you can specify a recursive lookup. In case of a recursive lookup all request will be sent to the system DNS apart of the configured DNS suffixes in the database. Means all request for internal domain "something.local" will be handled by FGT, while all other request will be forwarded to the System DNS.

 

[Client]----[FGT]----[DNS Server]

                       |

[Configured DNS Database for something.local]

 

Based on that information you would need to specify the FGT as DNS server for each VLAN, where you need recursive lookup. 

 

For the question on VPN:

 

For IPSEC and SSLVPN the Fortigate cannot act as DNS Server on these virtual-interfaces directly.

 

Instead you would need to create a loopback interface, where the DNS service is listening on. In order to reach the loopback interface, you would need to create a route for the client and a firewall policy. Instead of a loopback interface, you could also do the same with the internal IP of a VLAN interface. 

 

I hope this will help you for your design.

 

Best regards,

 

Mathias

There's no place like ::1/128
Labels
Top Kudoed Authors