Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
ScottVega
New Contributor

DNS "Relay"

Hi Everyone,

At the moment I'm experimenting with a Site to Site VPN. On one side I got a perfectly running SBS2011 network with DNS etc. with a FortiGate 100A, on the other side I got a pretty standard "home" network with a FortiGate 50B. What I would like to do is send all DNS requests for devices on the SBS network into the VPN tunnel. Therefore I guess I would have to send all DNS traffic to the SBS. There is a DNS server function in the FortiGate as I can see. Would it be possible to somehow get the FortiGate to "download" all the DNS entries in the SBS's DNS scope into the internal database, so I could just ping the network names of the SBS network? At the moment the Site2Site is working perfectly on an IP-only basis.

Thanks for your help, cheers
ScottVega
Dave_Hall
Honored Contributor

Hi Scott. Not sure if the DNS server (database) feature is available on your 50B (and firmware), but if it is, you can make it show up on the GUI by enabling it via System\Admin\Settings->DNS Database. After that, you should see "System\Network\DNS Server->DNS Database". You can set up a slave DNS server to the SBS2011. Things to keep in mind are that: 1) the SBS needs to authorize zone transfers. 2) FortiGate's DNS server implementation is not a full DNS server (e.g. does not support all DNS record types). The above info can be obtained via the FortiGate handbook, CLI Ref, and Cookbook.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

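Dave's slave-zone setup written out as FortiOS CLI, as an added example that is not from the thread or from Fortinet's documentation. It assumes 4.x/5.x-era syntax ("ip-master"), an SBS2011 DNS server at 192.168.1.10 behind the tunnel, an AD zone "sbs.local", and a home LAN interface named "internal" on the 50B; all of those values are made up.

```fortios
# Added example (not from the thread). Assumed values: SBS2011 DNS server
# 192.168.1.10 reachable through the tunnel, home LAN interface "internal"
# on the 50B, AD zone "sbs.local". Syntax follows the 4.x/5.x CLI.
config system dns-database
    edit "sbs-zone"
        set status enable
        set domain "sbs.local"
        # slave = pull a copy of the zone from the SBS by zone transfer;
        # the SBS must first list the FortiGate's tunnel-side address as
        # an allowed secondary, otherwise the transfer is refused
        set type slave
        set ip-master 192.168.1.10
        # shadow = only answer queries that arrive on internal interfaces
        set view shadow
        set ttl 86400
    next
end

# Serve DNS on the home LAN. "recursive" answers sbs.local names from the
# copied zone and resolves everything else through the FortiGate's own
# system DNS, so Internet lookups keep working while the tunnel is down.
config system dns-server
    edit "internal"
        set mode recursive
    next
end
```

Point the home clients (or the 50B's DHCP scope) at the 50B's internal address as their DNS server, and on the SBS allow the transfer under the zone's Zone Transfers tab (or with `dnscmd /ZoneResetSecondaries sbs.local /SecureList <fortigate-tunnel-ip>`). Only the record types the FortiGate implements will be served from the copied zone, which is fine for the A records asked about here.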
ede_pfau
SuperUser

Why so complicated? If you just specify the SBS address as the DNS address in your home network, then you have DNS resolution from the central DNS. The VPN is totally transparent to this. You can even have local (home) addresses on the FGT DNS and all other requests are forwarded to the SBS...from 4.3 on. But there's a lot to say in favor of KISS (keep it simple).

Ede

"Kernel panic: Aiee, killing interrupt handler!"
Maik
New Contributor II

Why so complicated?
What happens in case the VPN tunnel is down? With Dave Hall's suggestion, you can still use the local resolver for e.g. Internet access.
ScottVega
New Contributor

Hi Everyone,

@Dave: I will try this. I only need the A records so I can get to the devices using their hostnames, so your solution seems to do the job.

@ede_pfau: yes, that is a solution, but what if the tunnel goes down? Then there is no DNS available.
veechee
New Contributor

Can anyone post an example of shadowing a Windows AD DNS server to a FortiGate unit? This use case interests me because I set up a FGT in China earlier this year, and as there is no server there right now, I redirect the DNS queries to Canada. The latency of the connection is very high (the government has to filter everything first, after all), so this reduces the effective Internet speeds. I think my users there would see a good improvement if they could use the FGT first and the server in Canada as the secondary DNS.