Support Forum
daccu
New Contributor

DNS resolution over site-to-site VPN

I have a site-to-site VPN between two Fortigates at our main office and a satellite office. The main office has dual AD-integrated DNS servers and the remote office does not have any servers at all and only houses 6 people. What is the best way to handle local AD name resolution for the remote office? I tried setting up a slave DNS server in the Fortigate but I couldn't get it to pull the zone file from our AD DNS server. I can add the main site's DNS server to the remote office, but I don't want DNS resolution to fail for everything if the VPN goes down.
4 REPLIES
ede_pfau
Esteemed Contributor III

You have these options (in FortiOS up to and including 4.3):
- local DNS on FGT with only local names and the most relevant name records for HQ's servers; forward the rest to ISP DNS
- local DNS on FGT, only local names, forward to HQ's DNS
- specify HQ's DNS in DHCP config (no usage of FGT)

In FortiOS 5, support for zone transfer was included (config might be limited to CLI).

Ede

"Kernel panic: Aiee, killing interrupt handler!"
daccu
New Contributor

Thanks for the reply. I am using FortiOS 5 and have tried setting up a slave DNS server and the zone transfer but can't get the FortiGate to pick anything up from the AD DNS servers. I added the FortiGate's LAN IP to the AD DNS properties as an allowed address to send the zone files to. This seemed like the best option to me, what do you think? I also thought about adding the HQ's DNS server to the local DHCP but was concerned about unnecessary VPN traffic and laggy Internet at the remote office if it had to process all DNS queries over the VPN. Also I didn't see a spot to enter a secondary DNS, which would seem necessary so that DNS doesn't completely break if the VPN goes down. If all else fails I will just create a local DNS on the remote Fortigate and just add the most relevant DNS records.
ede_pfau
Esteemed Contributor III

I've got no experience with DNS zone transfer to a FGT, sorry. You can add up to 3 DNS and up to 2 WINS servers in the CLI.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
ede_pfau
Esteemed Contributor III

Just as a follow-up (I know it's rather late...): In order to have DNS zone transfers from a local DNS to your Fortigate's DNS, you have to specify the DNS's IP address in the DNS zone configuration on the FGT via CLI:
 config system dns-database
 edit <zone-string>
 set allow-transfer <ipv4_addr>
 end

Ede

"Kernel panic: Aiee, killing interrupt handler!"
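Putting the options from this thread together for the remote-office FortiGate, as an added example that is not from the original posts or from Fortinet: a slave copy of the AD zone pulled from HQ by zone transfer, the FortiGate serving DNS on its LAN interface with recursion to the ISP, and DHCP handing out the FortiGate first and the ISP resolver second so lookups keep working when the tunnel is down. The zone name, addresses and interface name are constructed placeholders, and the option names follow the FortiOS 5.x CLI; check them against the unit's own CLI reference.

```fortios
# Remote-office FortiGate, FortiOS 5.x. Constructed example addresses:
#   10.1.0.10 = HQ AD-integrated DNS (over the VPN), 10.2.0.1 = this FGT's LAN IP,
#   198.51.100.53 = ISP recursive resolver

# 1. System resolvers: non-local queries are recursed here, not over the tunnel.
config system dns
    set primary 198.51.100.53
end

# 2. Slave copy of the AD zone, refreshed by zone transfer from HQ.
#    "shadow" view: answered only for internal clients, never on the WAN side.
#    The AD DNS server must list 10.2.0.1 as an allowed zone-transfer target.
config system dns-database
    edit "corp-ad"
        set domain "corp.example"
        set type slave
        set view shadow
        set ip-master 10.1.0.10
    next
end

# 3. Serve DNS on the LAN interface; names outside the local zones are
#    resolved recursively via the system resolvers from step 1.
config system dns-server
    edit "internal"
        set mode recursive
    next
end

# 4. DHCP: clients ask the FortiGate first (AD names plus recursion) and
#    fall back to the ISP resolver if the FortiGate's DNS service is down.
config system dhcp server
    edit 1
        set interface "internal"
        set default-gateway 10.2.0.1
        set netmask 255.255.255.0
        set dns-service specify
        set dns-server1 10.2.0.1
        set dns-server2 198.51.100.53
        config ip-range
            edit 1
                set start-ip 10.2.0.100
                set end-ip 10.2.0.150
            next
        end
    next
end
```

If the VPN drops, AD names served from the slave zone stay resolvable from the FortiGate's cached copy until its SOA expiry, and Internet names are unaffected because recursion goes straight to the ISP.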