I have a hub-and-spoke topology, 25 remote sites with site VPNs.
Objective:
I want to leverage the DNS Server on the FGT 60D units to respond to client DNS queries, putting less dependence on the main site and that VPN for resolution. Some sites have RODCs (Windows), others do not. Thus, some have an option for split-DNS to a local host, but others rely on a full DC back at the main site. I also want to leave the System DNS set to FortiGuard and do want external lookups to use that.
So..
Can I add my local interfaces to forward to System DNS (which in turn are the FortiGuard DNS servers), "and" either have normal forwarding for the local domain to either the local server or a remote server over the VPN? Or, better, can I have a zone transfer as a secondary?
I haven't seen a config example which will do "all of that" yet. I'm having mixed results trying to get something configured myself. Last was an AXFR from my remote DC caught on Wireshark and a long list of cached info, but nslookups from a local client return non-existent domain. nslookup was run against the interface address (a VLAN off of internal).
And, of course, I can nslookup a domain host from that remote DNS host just fine, so the VPN/route is fine.
Can it be done?
ianwatts wrote: If you set up a slave zone for yourdomain.local, and set a given interface to recursive DNS:
Once you have set up a DNS server on your FGT you can:
- configure for each interface a resolution mode (recursive, ...)
- configure a slave zone to resolve your internal hostnames
2 FGT 100D + FTK200
3 FGT 60E FAZ VM some FAP 210B/221C/223C/321C/421E
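The two pieces Baptiste lists, written out for one remote site on the FortiOS CLI. This is an added example, not Baptiste's configuration or Fortinet's documentation; the interface name `vlan10`, the zone name, the domain `corp.example`, the HQ DC address `10.1.0.10` and the FortiGuard resolver addresses are assumptions. Keyword names depend on the release: builds before 7.0 use `type slave` / `ip-master`, 7.0 and later use `type secondary` / `ip-primary`.

```text
# System DNS stays on FortiGuard. An interface in "recursive" mode answers from
# the local zone database first and relays anything it has no answer for to
# these servers, which is exactly the internal-plus-external split asked for.
config system dns
    set primary 96.45.45.45
    set secondary 96.45.46.46
end

# Secondary (slave) copy of the AD zone, pulled by AXFR from the DC at HQ
# over the site-to-site tunnel. "shadow" view means the zone is only served
# on interfaces that have a dns-server entry below, so it is never exposed
# on the WAN side.
config system dns-database
    edit "corp-zone"
        set status enable
        set domain "corp.example"
        set type slave            # 7.0+: set type secondary
        set view shadow
        set ip-master 10.1.0.10   # 7.0+: set ip-primary 10.1.0.10
        set ttl 86400
    next
end

# Turn the DNS service on for the client-facing VLAN only.
#   recursive      = zone database, then System DNS for everything else
#   non-recursive  = zone database only (no fallback, external names fail)
#   forward-only   = everything goes to System DNS, zone database ignored
config system dns-server
    edit "vlan10"
        set mode recursive
    next
end
```

Two checks worth doing before blaming the tunnel. First, the DC must permit zone transfers to the address the FortiGate sources the AXFR from (Zone Properties, Zone Transfers tab, "Only to the following servers" on Windows DNS), otherwise the transfer is refused and the secondary stays empty. Second, if an AXFR was seen on the wire but clients still get NXDOMAIN, confirm that `set domain` matches the zone name on the DC exactly and that the client is querying the address of an interface listed under `config system dns-server`, for example `dig @<vlan10 address> dc01.corp.example`; a query sent to any other FortiGate address is not served by this zone. Leave `view shadow` in place and do not add the WAN interface under `dns-server`, or the unit becomes an open resolver for the internal zone.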
Baptiste wrote: - configure for each interface a resolution mode (recursive, ...)
I would not expect a recursive DNS server to use the System DNS settings (that implies a forwarder), would it? I "want" external lookups to leverage the FortiCloud DNS hosts as set on System DNS. Can I have both internal lookups via my internal DNS host "and" external lookups via FortiCloud DNS?
Couldn't you just set the forwarder on the local DNS server to FortiGuard? If the looked-up host isn't local, it will bounce to FortiGuard.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Yes, and additionally you can configure your VPN to handle domain-specific DNS queries the way you want.
You could set a domain and a DNS. You then MUST set dns-mode to manual.
Then the VPN will distribute the DNS to the other side and it will be used for queries referring to the domain you gave.
I do that here with various IPsec tunnels in mode-config. So they use the default DNS on the client for everything except if it belongs to the domain I gave. If it matches the domain it will use the DNS provided by the VPN.
HTH
Sebastian
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
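The mode-config split-DNS setup Sebastian describes, as an added example that is not his configuration: a dial-up IPsec phase1 that pushes the HQ DC as the resolver for `corp.example` only, with the client keeping its own resolver for everything else. The tunnel name, the address pool, the DC address `10.1.0.10`, the address object `corp-nets` and the pre-shared key are assumptions; the proposal and DH group are illustrative and should match your client policy.

```text
# Address object for the networks reachable through the tunnel (split-include).
config firewall address
    edit "corp-nets"
        set subnet 10.1.0.0 255.255.0.0
    next
end

config vpn ipsec phase1-interface
    edit "dialup-corp"
        set type dynamic
        set interface "wan1"
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set mode-cfg enable
        set ipv4-start-ip 10.200.0.1
        set ipv4-end-ip 10.200.0.254
        set ipv4-netmask 255.255.255.0
        # As Sebastian notes: "manual" is required for the domain/DNS pair
        # below to be handed out; "auto" pushes the FortiGate's System DNS.
        set dns-mode manual
        set ipv4-dns-server1 10.1.0.10        # HQ domain controller
        set domain "corp.example"             # only this suffix goes to that server
        set ipv4-split-include "corp-nets"    # only corp traffic enters the tunnel
        set psksecret "replace-with-a-long-random-psk"   # placeholder value
    next
end
```

Whether the pushed resolver is really scoped to the suffix depends on the client honoring the mode-config/Unity attributes (FortiClient does); a client that ignores the domain attribute will either use the pushed server for all names or none of them, so verify with a lookup of an internal name and an external name while connected. With `ipv4-split-include` set, a client's external lookups never traverse the tunnel, which is the behavior the original question wants, but it also means the tunnel does not protect general Internet traffic from those clients.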
Copyright 2024 Fortinet, Inc. All Rights Reserved.