Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
namlh
New Contributor II

Created on ‎06-17-2024 01:10 AM

DNS Server FortiGate

Hi everyone, I need help with the DNS server on Fortigate. I'm using Forti as a DNS server and currently, I'm using the recursive mode because we have a DNS database. As I understand it, the recursive mode will query the DNS database first, and if it doesn't find the record, it will forward the query to the DNS system (I've set the DNS system to 8.8.8.8). The problem is that I have some domains mapped to private IPs, and when using Forti as the DNS server in recursive mode, it cannot resolve those domains. Is there any way to fix this issue?

Labels:
662
0 Kudos
1 Solution
ebilcari
Staff
Staff
In response to namlh

Created on ‎06-17-2024 03:08 AM

The concept of "not in the database" is valid for the whole domain only, not for the subdomains. As long as the domain is present in the database every request for it's subdomains will not be forwarded. If the entry is not found locally it will respond with non existing domain. Take a look at this simple test:

dns server.PNG

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.

View solution in original post

621
6 REPLIES 6
ebilcari
Staff
Staff

Created on ‎06-17-2024 02:50 AM

I think this is a DNS server behavior, if the domain exist locally all the subdomains for that domain will be searched locally, the requests will not be forwarded to the external DNS server. As a workaround you can create another/similar domain for the local DNS database.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
642
namlh
New Contributor II
In response to ebilcari

Created on ‎06-17-2024 02:53 AM

Hi thanks for your answer, 

I have also thought about that method, but if there are too many domains mapped to private IPs and they change frequently, that approach is not practical because it requires too much manual work

634
0 Kudos
ebilcari
Staff
Staff
In response to namlh

Created on ‎06-17-2024 03:00 AM

As I know this is a limit for the standard DNS server not only a limitation of FGT.

If the network has a private DNS server configured with all this private domains you can choose to forward all the request without specifying domains in the local database of the FGT.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
628
namlh
New Contributor II
In response to ebilcari

Created on ‎06-17-2024 03:04 AM

But as far as I know about the recursive mode, when it is not in the database, it will search the external DNS. Is this correct?

624
0 Kudos
ebilcari
Staff
Staff
In response to namlh

Created on ‎06-17-2024 03:08 AM

The concept of "not in the database" is valid for the whole domain only, not for the subdomains. As long as the domain is present in the database every request for it's subdomains will not be forwarded. If the entry is not found locally it will respond with non existing domain. Take a look at this simple test:

dns server.PNG

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
622
namlh
New Contributor II
In response to ebilcari

Created on ‎06-17-2024 03:14 AM

thanks for your support, i got it with your explain

610
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.