Support Forum
Evolutionise
New Contributor

DNS reverse lookup issue

Hello, I am using a Fortigate 100D with FortiOS 5.0. When I'm looking at Dashboard - Top Sources there is a number of IP addresses listed which should be resolving to the FQDNs of the computers. It seems to work for some addresses but not others - can't see any pattern at this time. I connected a non-domain computer to the network and queried DNS servers for the IP addresses and they returned the correct names. I have also checked the security permissions on the DNS records so it's not a security issue. The PTR records exist on all DNS servers so no DNS replication issues. Is there a way I can execute a command from the FortiOS CLI to query a name server for the PTR record of an IP address? I have come across material online for FortiMail where it's as easy as:
execute nslookup name 192.168.1.15
With the DNS settings under Network, it was configured to use:
Primary DNS Server: External DNS Serv1 IP
Secondary DNS Server: External DNS Serv2 IP
Local Domain Name: domain.local
I'm considering changing this to:
Primary DNS Server: Internal DNS Serv1 IP
Secondary DNS Server: Internal DNS Serv2 IP
Local Domain Name: domain.local
Would this be the reason why it's only resolving some IPs to names?
5 REPLIES
Frosty
Contributor

Others may have different views to mine and I'm a long way from expert. Having said that, I would never directly configure any of my devices to use an External DNS server. I would use only Internal servers, but then I would configure those to Forward requests on to External DNS if they cannot be resolved by the internal server.
ede_pfau
SuperUser

Intermittent resolving of logged IP addresses is not uncommon in my experience. I could not see any reason why your DNS config (which resembles mine) would influence this. I suspect a timeout of the reverse query occurs while the log record is written. So cached DNS replies would make it into the logs almost always. But then again, there are bigger issues. @Stephen: I think the OP uses the FGT as a gateway device and DNS for the LAN behind it, in recursive mode. This would be (IMHO) the most common usage, with the System DNS being the ISP's DNS addresses. I would rather have the DNS on a Fortigate than on some (MS Windows) internal server even if only internal hosts would have access to it. And frankly I cannot see any security issue with that. As long as the internal hosts are not configured to directly query an external DNS.
Ede Kernel panic: Aiee, killing interrupt handler!
rwpatterson
Valued Contributor III

The DNS servers configured on the FGT need to point to the DNS server(s) that hold the entries for the local machines. External servers won't have that information. If they did, security would be non-existent.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Evolutionise

@rwpatterson
The DNS servers configured on the FGT need to point to the DNS server(s) that hold the entries for the local machines. External servers won't have that information. If they did, security would be non-existent.
I'm not expecting external DNS servers to have PTR records for internal hosts, that would be daft. The help for this section of the firewall provides the following information:
DNS server addresses are configured by going to System > Network > DNS. Here you specify the DNS server addresses. Typically, these addresses are supplied by your ISP. An additional option is available if you have local Microsoft domains on the network, by entering a domain name in the Local Domain Name field. In a situation where all three fields are configured, the FortiGate unit will first look to the local domain. If no match is found, a request is sent to the external DNS servers.
To clarify: Client computers contact the local internal MS DNS servers (Domain Controllers) which have forwarders configured to forward external queries to external DNS servers. Clients are not having any DNS issues - forward/reverse and external queries work without issue so this is somewhat irrelevant to the problem. The problem is that the Fortinet firewall is not resolving the IPs of client systems back to names from the internal DNS servers. I will change the DNS server IPs on the firewall to point to the internal DNS servers and see if the situation improves. Ideally if I could run a reverse DNS lookup from the CLI of the firewall, it would allow me to see if it's having a problem resolving the IPs to names and what the problem is. Strange that the FW resolves some IPs but not others. If I run a reverse DNS lookup from a client computer for any of the IPs listed on the FW Top Sources log, the name is returned.
Evolutionise
New Contributor

I set the Fortigate's DNS entries to point at the internal DNS servers. I also enabled debug logging on the internal DNS servers with a filter for the Fortigate's IP and so far it has not made a query for a PTR record; there's a few entries for A records. I also had a good look through the CLI and further searching on Google but it seems it's not possible to do name resolution queries from the CLI, e.g. to request the PTR for an IP. Will open a case with Fortinet to find out why the reverse name resolution seems to be working intermittently.
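The thread never finds a FortiOS CLI command for a PTR lookup, and ede_pfau's hypothesis is that the reverse query times out while the log record is written. The following is an added example, not code from the thread or from Fortinet: a small standard-library Python script that sends a PTR query for an address to each configured DNS server in turn, with an explicit per-server timeout, so the result (answer, NXDOMAIN, or timeout) can be compared server by server from any host on the LAN. The server addresses and the host name in the embedded sample are placeholders I made up; the "wire" response used for the offline check is constructed in the script rather than captured from a real server.

```python
import ipaddress
import socket
import struct

QTYPE_PTR = 12
QCLASS_IN = 1


def reverse_name(ip: str) -> str:
    """'192.168.1.15' -> '15.1.168.192.in-addr.arpa' (IPv6 gives the ip6.arpa form)."""
    return ipaddress.ip_address(ip).reverse_pointer


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_ptr_query(ip: str, txid: int) -> bytes:
    """12-byte header (RD set, one question) followed by the PTR question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = encode_name(reverse_name(ip)) + struct.pack("!HH", QTYPE_PTR, QCLASS_IN)
    return header + question


def decode_name(data: bytes, offset: int):
    """Read a (possibly compressed) name; return (name, offset just past it)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset, hops = True, pointer, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        if length == 0:
            offset += 1
            if not jumped:
                end = offset
            return ".".join(labels), end
        offset += 1
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def parse_ptr_response(data: bytes, expected_txid: int):
    """Return (rcode, [PTR targets]); rcode 3 is NXDOMAIN, i.e. no PTR record."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    rcode = flags & 0x000F
    offset = 12
    for _ in range(qdcount):  # skip the echoed question(s)
        _, offset = decode_name(data, offset)
        offset += 4
    targets = []
    for _ in range(ancount):
        _, offset = decode_name(data, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == QTYPE_PTR:
            targets.append(decode_name(data, offset)[0])
        offset += rdlen
    return rcode, targets


def query_ptr(server: str, ip: str, timeout: float = 2.0):
    """Ask one server for the PTR of ip; None means the query timed out."""
    txid = 0x1234
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_ptr_query(ip, txid), (server, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_ptr_response(data, txid)


def sample_ptr_response(txid: int, ip: str, target: str, rcode: int = 0) -> bytes:
    """Constructed reply (not a capture): question echoed, one PTR answer via a C00C pointer."""
    question = build_ptr_query(ip, txid)[12:]
    if rcode:
        return struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, 0, 0, 0) + question
    rdata = encode_name(target)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_PTR, QCLASS_IN, 3600, len(rdata)) + rdata
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + question + answer


if __name__ == "__main__":
    # Placeholder internal DNS servers; replace with the Domain Controllers' addresses.
    for server in ("10.0.0.10", "10.0.0.11"):
        print(server, query_ptr(server, "192.168.1.15"))
```

Run it from a host on the same segment as the firewall; a timeout from one server but an answer from the other points at the per-server reachability or response time that the thread suspects, while rcode 3 from both means the PTR record is genuinely absent on that zone.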