Hi !
After trying to find a solution by myself, and googling as much as I could, I can't really find help on how to proceed with our infrastructure.
We have a FortiGate 601E serving as our main DNS, and we recently added 2 Windows Active Directory servers that we would also like to use as a secondary DNS.
So what we did in our FortiGate is to create a new zone for our domain, non-authoritative, with both DCs as the DNS forwarders, also adding A entries with the server names and IPs.
Up to that, it worked fine for most Windows machines: with the FortiGate as the main (even only) DNS, they can join the domain and communicate without issues.
Now we are trying to create a service on a Linux server, with an LDAP link to our DCs, and we have two points that we can't make work:
- If a Linux server has only our FortiGate as DNS, it won't be able to resolve any of our DC domain DNS names. We can tinker it out and make it work by manually forcing a DC DNS inside the configuration, but it would be more optimal for us to let it work through the FortiGate's DNS. Is there anything we could be missing?
- To connect to our LDAP, we do need to input a single domain IP or hostname. Is there any way to do some kind of load balancing / failover through the FortiGate?
I can of course send more information if needed.
Thanks !
Hi Greed,
Thank you for reaching out. It is not clear why the Linux server is not able to resolve, therefore there is a need to find out what happens to the DNS queries, or whether they are being sent to the FortiGate in the first place. To start troubleshooting this issue, I recommend running a sniffer on the FortiGate where the filter is the IP address of the Linux host and port 53, assuming no DoT or DoH protocol is used:
# diag sniffer packet any "host x.x.x.x and port 53" 4 0 l
If you see packets back and forth between source and destination, then the next step is to check the local traffic logs on the FortiGate to verify that the FortiGate action is allow. A packet capture is also recommended at this stage to analyze the response to the queries, assuming they have been received:
- "Log & Report > Local Traffic" ---- local traffic logs; filter with source and destination port
- "Network > Diagnostics" or "Network > Packet Capture" ---- packet capture path on the GUI, depending on the version of FortiOS
Thank you,
saleha
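To read the sniffer output that the reply above suggests collecting, here is an added example (not code from the original thread or from Fortinet): a small Python script that pairs each UDP/53 query with its reply and lists the queries that never got one, both for the Linux client and for the FortiGate's own forwarded queries to the DC. The sniffer line layout (timestamp, interface, direction, src.port -> dst.port) and all addresses are assumptions/constructed sample data.

```python
import re

# Constructed sample of FortiGate sniffer output (verbosity 4). The exact
# line layout is an assumption; adjust LINE_RE if your FortiOS version
# prints it differently. 10.10.20.15 = Linux host, 10.10.20.1 = FortiGate,
# 10.10.30.5 = domain controller used as forwarder (all made-up addresses).
SAMPLE_CAPTURE = """\
interfaces=[any]
filters=[host 10.10.20.15 and port 53]
1.102311 port2 in 10.10.20.15.41233 -> 10.10.20.1.53: udp 52
1.102640 port2 out 10.10.20.1.53 -> 10.10.20.15.41233: udp 68
1.303442 port2 in 10.10.20.15.41234 -> 10.10.20.1.53: udp 61
1.303900 port1 out 10.10.20.1.5402 -> 10.10.30.5.53: udp 61
3.504001 port2 in 10.10.20.15.41235 -> 10.10.20.1.53: udp 61
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+udp\s+\d+$"
)


def parse_capture(text):
    """Return the packet lines as dicts; header lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            packets.append(m.groupdict())
    return packets


def unanswered_queries(text, src_ip):
    """(source port, server) of every UDP/53 query sent by src_ip that
    got no reply from that server back to the same source port."""
    pending = {}  # (client port, server ip) -> seen a query, no reply yet
    for p in parse_capture(text):
        if p["src"] == src_ip and p["dport"] == "53":
            pending[(p["sport"], p["dst"])] = True
        elif p["dst"] == src_ip and p["sport"] == "53":
            pending.pop((p["dport"], p["src"]), None)
    return list(pending)


if __name__ == "__main__":
    print("client queries without reply:", unanswered_queries(SAMPLE_CAPTURE, "10.10.20.15"))
    print("forwarded queries without reply:", unanswered_queries(SAMPLE_CAPTURE, "10.10.20.1"))
```

In the constructed sample the first query is answered, the second is forwarded to the DC but never answered, and the third is not even forwarded, which is the kind of split (client side versus forwarder side) the capture is meant to reveal.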
Have you configured a DNS server on the FortiGate?
If you have configured a DNS server on the FortiGate, you can use forwarders to forward DNS requests for your local domain to the Windows DNS server.
This is because, to connect to the domain, clients sometimes use the NetBIOS name without including the DNS suffix. This leads the FortiGate to not know how to resolve those requests.