I have a Fortigate 201F (firmware 7.0.10) with a LAN with a windows domain with 2 windows servers acting as DNS servers. All clients inside my LAN, laptops, desktops and servers all use the 2 Windows DNS servers for DNS.
The DNS settings in my Fortigate 201F are causing me a headache.
1. If I have the Network -> DNS -> DNS Settings set to the FortiGuard servers, benign websites such as cnn.com get blocked and https sites do not respond.
2. If I have one of my Windows servers set as the primary DNS and a FortiGuard server as the secondary DNS, websites display normally.
3. If I set the DNS Settings to use both of my internal Windows DNS servers, then I get a message about not being able to reach the FortiGuard servers and the safe websites get blocked again and https sites do not respond.
My workaround is to keep the primary DNS in the Fortigate as one of my Windows DNS servers and the secondary as a FortiGuard server. I would like to get to where I can use the Fortiguard servers only.
Under Network -> DNS Servers -> DNS Service on Interface: I have the LAN in recursive mode. I think this may be my problem as I think I may have the FortiGate as well as the 2 Windows servers trying to serve DNS to the LAN all at once. If I remove the DNS Server on Interface for the LAN, could this help my DNS issue?
FWIW I have a similar set up to your own. I do not use FortiGuard DNS servers. I use quad9. What you probably want to be doing is set up a DNS server on your LAN interface that acts as a BIND secondary to your AD server, though.
https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/960561/fortigate-dns-server
This way internal lookups to your domain names will query your AD servers or the local DNS zone on the FGT, depending on how you set it up.
There is no bearing, though, on what DNS servers you configure for the FortiGate and Web Sites being blocked.
If you are having issues with sites being randomly blocked you can turn on the option to allow websites when a rating error occurs in the Web Filter profile.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1740 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.