Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
ianwatts
New Contributor

DNS Server and local domain

I have a hub-and-spoke topology, 25 remote sites with site VPNs.

Objective: 

I want to leverage DNS Server on the FGT 60D units to respond to client DNS queries, putting less dependence on the main site and that VPN for resolution.  Some sites have RODCs (Windows), others do not.  Thus, some have an option for split-DNS to a local host, but others rely on a full DC back at the main site.  I also want to leave the System DNS set to FortiGuard and do want external lookups to use that.

So:

Can I add my local interfaces to forward to System DNS (which in turn are the FortiGuard DNS servers), "and" either have normal forwarding for the local domain to either the local server or a remote server over the VPN?  Or, better, can I have a zone transfer as a secondary?


I haven't seen a config example which will do "all of that" yet. I'm having mixed results trying to get something configured myself.  Last was an AXFR from my remote DC caught on Wireshark and a long list of cached info, but nslookups from a local client return non-existent domain.  nslookup was run against the interface address (a VLAN off of internal).


And, of course, I can nslookup a domain host from that remote DNS host just fine, so the VPN/route is fine.


Can it be done?

1 Solution
Baptiste

ianwatts wrote:

Baptiste wrote:

- configure for each interface a resolution mode (recursive,...)


I would not expect a recursive DNS server to use the System DNS settings (infers a forwarder), would it?  I "want" external lookups to leverage the FortiCloud DNS hosts as set on System DNS.  Can I have both internal lookups via my internal DNS host "and" external lookups via FortiCloud DNS?

If you set up a slave zone for yourdomain.local, and set a given interface to recursive DNS:

  • you will be able to resolve your internal names dc1.yourdomain.local and so on...
  • External host name resolution will be sent to your system DNS (FortiGuard in your case)

2 FGT 100D + FTK200
3 FGT 60E  FAZ VM  some FAP 210B/221C/223C/321C/421E
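Baptiste's recipe written out as a FortiOS CLI fragment. This is an added illustration, not configuration posted in the thread or taken from Fortinet documentation; the interface name `internal`, the zone name `corp-lan`, the domain `yourdomain.local`, the DC address `10.1.0.10` and the two FortiGuard resolver addresses are placeholders to be replaced with your own values.

```text
# Added example, not from the thread. Placeholders: interface "internal",
# zone "corp-lan", domain yourdomain.local, primary DC 10.1.0.10 (reached
# over the site VPN), FortiGuard resolvers 96.45.45.45 / 96.45.46.46.

# 1. Leave the system DNS pointing at FortiGuard. The FortiGate uses these
#    for every name it does not hold a zone for.
config system dns
    set primary 96.45.45.45
    set secondary 96.45.46.46
end

# 2. Pull the AD zone from the DC as a secondary ("slave") zone via AXFR.
#    view shadow = the zone is served only to internal clients, never to
#    queries arriving from the Internet side.
config system dns-database
    edit "corp-lan"
        set domain "yourdomain.local"
        set type slave
        set view shadow
        set ip-master 10.1.0.10
    next
end

# 3. Run the DNS service on the client-facing interface in recursive mode:
#    names under yourdomain.local are answered from the secondary zone,
#    everything else is resolved through the system DNS above.
config system dns-server
    edit "internal"
        set mode recursive
    next
end
```

Two checks that matter for the symptom in the opening post (AXFR seen on the wire, NXDOMAIN for the client): the FortiGate only answers DNS on interfaces that have an entry under `config system dns-server`, so if clients query the address of a VLAN sub-interface, that VLAN interface itself (not its parent) is the name to add; and on the Windows side the zone's Zone Transfers setting must allow transfers to the source address the FortiGate uses for the AXFR over the VPN, otherwise the DC answers the transfer request with a refusal and the secondary zone stays empty.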
    6 REPLIES
    Baptiste
    Contributor II

    Once you have setup  a DNS server on your FGT you can

    - configure for each interface a resolution mode (recursive,...)

    - configure slave zone to resolve your internal hostnames

    2 FGT 100D  + FTK200

    3 FGT 60E  FAZ VM  some FAP 210B/221C/223C/321C/421E
    ianwatts

    Baptiste wrote:

    - configure for each interface a resolution mode (recursive,...)


    I would not expect a recursive DNS server to use the System DNS settings (infers a forwarder), would it?  I "want" external lookups to leverage the FortiCloud DNS hosts as set on System DNS.  Can I have both internal lookups via my internal DNS host "and" external lookups via FortiCloud DNS?

    rwpatterson
    Valued Contributor III

    Couldn't you just set the forwarder on the local DNS server to FortiGuard? If the looked-up host isn't local, it will bounce to FortiGuard.

    Bob - self proclaimed posting junkie!
    See my Fortigate related scripts at: http://fortigate.camerabob.com


    sw2090
    Honored Contributor

    yes and additionally you can configure your vpn to handle domain specific dns queries the way you want.

    you could set a domain and a dns. You then MUST set dns-mode to manual.

    This


    Then VPN will distribute the dns to the other side and it will be used for queries referring the domain you gave.

    I do that here with various ipsec tunnels in mode config. So they use the default dns on the client for everything except if it belongs to the domain I gave. If it matched the domain it will use the dns provided by the vpn.


    hth

    Sebastian

    -- 

    "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
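The mode-config settings Sebastian refers to, as a FortiOS CLI fragment. This is an added illustration, not configuration posted in the thread; it applies to dialup (mode-config) IPsec tunnels, not to the static site-to-site tunnels in the opening post. The tunnel name `dialup-ad`, the WAN interface `wan1`, the address pool, the internal resolver `10.1.0.10` and the domain `yourdomain.local` are placeholders, and the phase1 settings unrelated to DNS (proposal, pre-shared key, peer type) are assumed to be configured as usual.

```text
# Added example, not from the thread. Placeholders: tunnel "dialup-ad",
# interface "wan1", client pool 10.212.134.1-50, resolver 10.1.0.10,
# domain yourdomain.local. Proposal, psksecret and peertype omitted.
config vpn ipsec phase1-interface
    edit "dialup-ad"
        set type dynamic
        set interface "wan1"
        set mode-cfg enable
        # dns-mode must be manual, otherwise the FortiGate pushes its own
        # system DNS (FortiGuard here) to the client instead of the AD server
        set dns-mode manual
        set ipv4-dns-server1 10.1.0.10
        # the domain the pushed resolver is to be used for
        set domain "yourdomain.local"
        set ipv4-start-ip 10.212.134.1
        set ipv4-end-ip 10.212.134.50
        set ipv4-netmask 255.255.255.0
    next
end
```

Whether the client then uses `10.1.0.10` only for `yourdomain.local` and its normal resolver for everything else, as described above, is decided by the client: this is how FortiClient behaves with the pushed domain, but a third-party IPsec client may install the pushed server as its default resolver instead.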