shocko
New Contributor III

DNS Server - Answer for specific records and forward for all others in a zone?

I have the following use case with Fortigate 6.4.12:

I have a DNS domain hosted with my ISP for an internet-facing service, say myorg.com. Therein I have several hostnames for services. I need to split-brain only specific hostnames under this domain internally on my corporate LAN. For example:

  1. When www.web.myorg.com is resolved from the internet I wish to give 1.1.1.1
  2. When www.web.myorg.com I wish to return 2.2.2.2
  3. When anything underneath it (host.www.web.myorg.com etc.) is resolved I wish to forward to another set of DNS servers

Internally on my corporate LAN we use Windows DNS servers. Whilst these support conditional forwarding, catering for 2 and 3 is messy and requires multiple upstream DNS servers.

Can the Fortigate DNS server, set up with non-authoritative zones, simply answer for specific records and forward for all others in a zone?

 

1 Solution
gfleming
Staff
Staff

Yes sir!

https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/960561/fortigate-dns-server

I assume #2 you mean to say "When www.web.myorg.com is resolved internally I wish to return 2.2.2.2".

Basically configure a DNS server for the domain in question. Have a host record DNS entry for www and point it to 2.2.2.2.

Configure the DNS Forwarder to be the server(s) you want to use to resolve anything else in the web.myorg.com domain.

Enable the DNS Service on the relevant interface(s).

Done!

Cheers,
Graham

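The setup Graham describes, written out as FortiOS CLI (an added example, not the poster's or Fortinet's own snippet): a shadow zone for web.myorg.com that answers for www itself and hands every other name in the zone to a forwarder. The forwarder address 10.0.0.53 and the interface name port2 are assumptions; the 6.4 keyword `master` becomes `primary` on 7.x.

```text
# FortiOS 6.4 CLI. Zone web.myorg.com answers only the entries listed here;
# because the zone is non-authoritative, any other name under it is forwarded
# instead of getting an NXDOMAIN.
config system dns-database
    edit "web.myorg.com"
        set domain "web.myorg.com"
        # 6.4: master/slave; 7.x: primary/secondary
        set type master
        # shadow view: only visible to queries arriving on internal interfaces
        set view shadow
        set ttl 300
        # non-authoritative: unmatched names in the zone go to the forwarder
        set authoritative disable
        # assumed internal DNS server that hosts the rest of web.myorg.com
        set forwarder "10.0.0.53"
        config dns-entry
            edit 1
                set type A
                # www.web.myorg.com -> 2.2.2.2 for internal clients
                set hostname "www"
                set ip 2.2.2.2
            next
        end
    next
end

# Enable the DNS service on the LAN-facing interface (name assumed).
# recursive: serve the local zone, resolve everything else via system DNS.
config system dns-server
    edit "port2"
        set mode recursive
    next
end
```

Internal clients then get 2.2.2.2 for www.web.myorg.com, while host.www.web.myorg.com (no local entry) is forwarded to 10.0.0.53; entry types are limited to A/AAAA/CNAME/MX/NS/PTR, which is the SRV limitation the thread goes on to hit.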

4 Replies
shocko
New Contributor III

Awesome @gfleming! I've tested this and it works, but I'm actually blocked and looking for another solution due to the fact that, as per here, the DNS server can't host SRV records :(

gfleming

Can you have the SRV records hosted on the downstream DNS server?

Cheers,
Graham
shocko
New Contributor III

Yes I can, but I'm trying not to introduce more 'things' in my datacentre and to reuse existing kit/capability. This one looks like I'll have to use some lightweight dnssec or bind instances.

I have asked our TAM to raise a feature request to support SRV DNS records on the Fortigate DNS Server. ;)
