Hi all!
I will try to keep this as clear as possible but I can't keep it short to be able to explain the full situation.
In short: Do DNS zones in the DNS database in a FortiGate take precedence over 'Forward to System DNS' when both System DNS servers are set to external hosts?
Extended version:
All VLANs in our office have their one and only DNS server pointed to our Fortigate. Recursive DNS is set up for three vlans (10,20,30). One vlan is set to 'Forward to System DNS' (vlan 40). Both system DNS servers point to public dns servers.
Two DNS-zones have been set up with forwarders to DNS-servers in our DC (over ipsec). One zone is for company.local, matching the primary zone for the domain controllers, another zone matches a public domain, company.nl, which is used for a few services that are available both internally and externally. Among those services is our monitoring server (monitoring.company.nl). This server is fully available over ipsec for management purposes and partly available via internet for monitoring purposes (multiple sites).
The subnets of vlan 10, 20 and 30 are included in the ipsec tunnel, whereas vlan 40 is not.
When clients in the vlans 10,20,30 resolve monitoring.company.nl, they receive an internal IP address, which is correct. This traffic then goes over the ipsec connection.
When the server in the separate vlan (40) tries to resolve monitoring.company.nl, it also receives the internal IP address while 'forward to system dns' is set for that vlan. The same behavior occurs when I try to resolve that address on the fortigate itself.
For now, the issue is solved by adding a rule to the local hosts file of the server in vlan 40 but I'm not a big fan of that.
I know there are multiple ways to solve this, like adding the subnet of vlan 40 to the ipsec connection or installing a separate probe at the server in vlan 40, but this behavior just started this morning after working fine for about 6 weeks.
I tried a couple of things with the 'diagnose test application dnsproxy' command or removing the zone company.nl, but then all clients in vlan 10,20,30 receive the external ip address.
Am I missing something here or is the 'Forward to system DNS' not as clear as it seems?
Thanks!
FortiGate v7.0.12
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hello Bryan,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Hi @nl-bryan,
FortiGate will check its database before 'Forward to system DNS'. If you don't want VLAN 40 to resolve internal IPs, you can set DNS servers of VLAN40 to be the public DNS servers instead of FortiGate.
Regards,
That's what I figured, but this is something to think about right? I'm not in favor of pushing external DNS-servers to internal machines nor is it a best practice to alter the local hosts file. So a third option is to set up another internal DNS-server but yeah..
It's not a big deal in this case but I can imagine there are cases where you would like to have one vlan to resolve to an internal address and another vlan (e.g. guests) to go the other way around.
I'd say 'forward to system DNS' should skip the local database.
This statement may not be correct, what you explained is the Recursive mode behavior.
As also mentioned in the admin guide :
Forward to System DNS: The local DNS database is bypassed and all queries are forwarded directly to the system’s DNS server. This is beneficial when you need to rely solely on system-level DNS resources for resolving queries.
Basically this setup should work as it was 6 weeks ago, did you do any recent upgrade or configuration changes?
Thanks for your reply!
We are not aware of any recent changes. Besides, the settings seem pretty clear: System DNS are both set to use external servers, and the Forward or Recursive setting is set per vlan. I do have some additional information to the original post, and I will share some relevant config.
When I execute the following steps, I get different results on machines in various vlans:
1: Clear the dns cache on the FortiGate via diagnose test application dnsproxy 1 and also do ipconfig /flushdns on both my workstation (vlan 30) and the server in vlan 40.
2: Lookup 'monitoring.company.nl' on my workstation. Result: Internal address
3: Lookup 'monitoring.company.nl' on the server. Result: Internal address (not reachable).
4: Repeat step 1.
5: Lookup 'monitoring.company.nl on the server. Result: External address.
6: Lookup 'monitoring.company.nl' on my workstation. Result: External address.
Another Vlan with 'forward to system dns' set, receives exactly the same result and so does 'execute ping monitoring.company.nl' do on the fortigate.
Config output:
diagnose test application dnsproxy 3
worker idx: 0
VDOM: root, index=0, is primary, vdom dns is enabled, pip-0.0.0.0 dns_log=1
dns64 is disabled
DNS servers:
1.1.1.1:853 vrf=0 tz=0 encrypt=dot req=231 to=0 res=230 rt=1 ready=1 timer=0 probe=0 failure=0 last_failed=0
1.1.1.1:443 vrf=0 tz=0 encrypt=doh req=336 to=0 res=332 rt=1 ready=1 timer=0 probe=0 failure=0 last_failed=0
9.9.9.9:853 vrf=0 tz=0 encrypt=dot req=30 to=0 res=29 rt=29 ready=1 timer=0 probe=0 failure=0 last_failed=0
9.9.9.9:443 vrf=0 tz=0 encrypt=doh req=243 to=0 res=240 rt=8 ready=1 timer=0 probe=0 failure=0 last_failed=0
SDNS servers:
173.243.142.53:853 vrf=0 tz=60 encrypt=dot req=174 to=0 res=174 rt=1 ready=1 timer=0 probe=0 failure=0 last_failed=0
139.138.105.53:853 vrf=0 tz=60 encrypt=dot req=274 to=0 res=274 rt=1 ready=1 timer=0 probe=0 failure=0 last_failed=0
173.243.140.53:853 vrf=0 tz=60 encrypt=dot req=156 to=0 res=156 rt=1 ready=1 timer=0 probe=0 failure=0 last_failed=0
ALT servers:
Interface selecting method: auto
Specified interface:
FortiGuard interface selecting method: auto
FortiGuard specified interface:
vfid=0, interface='VLAN40', ifindex=32, forward-only, DNS-Filter1
vfid=0, interface='VLAN30-wifi', ifindex=33, recursive, DNS-Filter1
(...)
DNS search domain:
vfid=0 vrf=0 domain=kg.local
(...)
========================
FW01 # show system dns
config system dns
set primary 1.1.1.1
set secondary 9.9.9.9
set protocol dot doh
set domain "company.local"
end
========================
config system dns-database
edit "company.local"
set domain "company.local"
set ttl 900
set authoritative disable
set forwarder "192.168.100.1" "192.168.100.2" (ipsec to DC)
set source-ip 192.168.10.254 (fortigate, Lan interface)
config dns-entry
edit 1
set hostname "FW01"
set ip 192.168.10.254
next
end
set primary-name "FW01"
next
edit "company.nl"
set domain "company.nl"
set ttl 900
set authoritative disable
set forwarder "192.168.100.1" "192.168.100.2"
set source-ip 192.168.10.254
next
end
========================
I also tried removing the DNS-filter from the vlan 40 interface and enabled DNS over UDP, but that didn't seem to help.
I'm happy to share more output if needed.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1688 | |
1087 | |
752 | |
446 | |
227 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.