Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Autumn 2024 badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiBridge
- FortiAuthenticator
- FortiCache
- FortiCarrier
- FortiConnect
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDB
- FortiDDoS
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGuard
- FortiGate Cloud
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiPhish
- FortiProxy
- FortiRecorder
- FortiRecon
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiWAN
- FortiVoice
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- DNS Server Conditional Forward
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
DNS Server Conditional Forward
Hi,
I had a client' s head office go down due to environmental issues and the remote offices could no longer resolve DNS.
The client wants the remote office' s PCs to be able to still browse the internet if head office goes down.
Can the FGT do conditional forwarding for the AD domain, as in any requests for domain.local forward to DC?
If not, any ideas how I could get it to work?
You can' t simply add an external DNS server as the second server because of how Windows treats DNS servers. Windows will fail over to the second DNS server but will not fail back until it can' t resolve addresses using the second DNS server.
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
4 REPLIES 4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
just an idea:
configure a local DNS on the FGT. Specify this as secondary DNS on all hosts. To fail back, simply disable the FGT DNS for a while.
as an alternative: use the local FGT DNS as primary, with forwarding to the external (ISP) DNS for all hosts not resolved. This should be more responsive for your local hosts anyway.
DNS is not really laid out for failover operation. Some implementations will only try the secondary DNS after 20 seconds timeout on the primary. Then browsing can be trying on your patience.
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you standup 2xlocal DNS servers that are cache-only with a forwarder to the primary authoritive DNS servers for *.yourdomain@xyz ?
This way you can resolve if the headend is down, and even have speedier dns lookups, since the cache only server/forwarder is sitting on the wire locally 7 independent of the firewall.
Next question, Does fortigate even support bind type dns-forwarding directly ? ( i guess that what the conditional forward question that you have asked )
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ah-ha, so inspired by larger customers, I thought why not make Load Balance a pseudo anycast setup.
Turns out, if you setup a weighted load balance and give the AD DNS the priority, and external DNS servers lower priority (in my case, I pointed it back to the FGTs internal IP) it works like a charm.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
lmuir,
Would you mind posting more details about how you did this? I have a satellite office with a read-only DC installed, but I' m intrigued by why you describe because I could load balance to the head office DC in case that server was down.
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- What FortiOS Event Logs should i... 614 Views
- VLAN assignment by FortiAP group 285 Views
- Does SOCKS proxy support Form based... 282 Views
- Fortigate: Virtual IPs with FQDN (internal... 363 Views
- X-forwarded-for header question? 449 Views
Labels
-
FortiGate
7,950 -
FortiClient
1,593 -
5.2
801 -
FortiManager
670 -
5.4
639 -
FortiAnalyzer
510 -
6.0
416 -
FortiSwitch
416 -
FortiAP
416 -
5.6
362 -
FortiClient EMS
356 -
FortiMail
298 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
187 -
SSL-VPN
170 -
FortiNAC
156 -
IPsec
150 -
6.4
128 -
FortiGuard
124 -
FortiGateCloud
98 -
FortiCloud Products
94 -
FortiSIEM
92 -
SD-WAN
86 -
FortiToken
84 -
Customer Service
74 -
Wireless Controller
74 -
FortiAuthenticator
66 -
4.0MR3
64 -
Firewall policy
53 -
FortiProxy
52 -
FortiEDR
50 -
FortiADC
49 -
Fortivoice
48 -
VLAN
42 -
FortiExtender
41 -
FortiDNS
41 -
High Availability
40 -
FortiSandbox
38 -
FortiGate v5.4
35 -
ZTNA
35 -
FortiSwitch v6.4
33 -
DNS
33 -
LDAP
33 -
Routing
32 -
BGP
32 -
SAML
30 -
Certificate
30 -
Interface
29 -
NAT
26 -
FortiConnect
25 -
SSO
25 -
FortiWAN
24 -
RADIUS
24 -
Authentication
24 -
FortiGate v5.2
23 -
FortiConverter
23 -
VDOM
23 -
FortiLink
21 -
Virtual IP
20 -
Web profile
20 -
FortiSwitch v6.2
18 -
FortiPortal
18 -
Logging
18 -
Fortigate Cloud
17 -
FortiMonitor
16 -
Traffic shaping
16 -
Application control
16 -
FortiDDoS
15 -
FortiGate v5.0
14 -
SSL SSH inspection
14 -
OSPF
13 -
FortiCASB
12 -
SSID
12 -
FortiPAM
12 -
IP address management - IPAM
12 -
FortiManager v5.0
11 -
Automation
11 -
Admin
11 -
Static route
11 -
WAN optimization
11 -
Web application firewall profile
11 -
FortiRecorder
10 -
SNMP
10 -
4.0MR2
9 -
FortiSOAR
9 -
FortiWeb v5.0
9 -
FortiAP profile
9 -
FortiGate v4.0 MR3
8 -
FortiManager v4.0
8 -
FortiBridge
8 -
IPS signature
8 -
System settings
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
RMA Information and Announcements
7 -
Traffic shaping policy
7 -
Proxy policy
7 -
FortiCache
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Security profile
6 -
Port policy
6 -
Intrusion prevention
6 -
FortiCarrier
5 -
FortiTester
5 -
Users
5 -
3.6
4 -
FortiDeceptor
4 -
FortiToken Cloud
4 -
FortiScan
4 -
FortiDirector
4 -
Antivirus profile
4 -
Traffic shaping profile
4 -
DLP sensor
4 -
Email filter profile
4 -
Fabric connector
4 -
Web rating
4 -
Fortinet Engage Partner Program
4 -
FortiDB
3 -
FortiHypervisor
3 -
Explicit proxy
3 -
Internet service database
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Netflow
3 -
Replacement messages
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
API
2 -
FortiNDR
2 -
Application signature
2 -
Protocol option
2 -
Schedule
2 -
Service
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Kerberos
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
Authentication rule and scheme
1 -
TACACS
1 -
SDN connector
1 -
Multicast policy
1 -
Cloud Management Security
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.