I can't find anything on this by searching, but is it possible for one FortiGate to pull down DNS records from a master DNS database on another FortiGate?
Basically I have a 300C running a master DNS database (this works fine and resolves as intended) at my main location. I want my FortiGates (80D, but it varies) at secondary locations to pull down these records so that I don't have to enter them all manually at 20+ sites.
On my 80D I created a new DNS database, set it to 'slave', view 'shadow', the same DNS zone as my master, the same domain name, gave it the IP of my 300C master, and set authoritative to 'disable'. The number of entries never populates, I can't find a CLI command to try to 'download' them, and a lookup never resolves this way. However, if I change the system DNS, or the DNS handed out to DHCP clients, to my master, it resolves fine. So DNS is working; I just don't want 300 PCs going back to one device for every single DNS lookup.
On my 300C master I set type to 'master', view to 'shadow', hostname to the hostname of the device, and authoritative to 'enabled' (tried disabled, didn't matter).
If this doesn't work I'll go about it another way. There is no AD or other authentication currently, hence the attempts to use the FortiGate in the meantime.
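For reference, here are the two sides of the setup described above as they look in the FortiOS CLI. This is an added illustration, not the poster's actual configuration: the database name, zone, primary-name, addresses and the single A record are placeholders, and the `#` lines are annotations rather than CLI input. The `allow-transfer` keyword exists on newer FortiOS builds; I am not certain it is present on the firmware the 300C and 80D in this thread run, so drop that line if your version rejects it. The settings the thread mentions (type, view, ip-master, authoritative) map onto the keywords shown.

```text
# Master (the 300C at the main site): holds the records
config system dns-database
    edit "internal-zone"
        set domain "test.example.org"
        set type master
        set view shadow
        set primary-name "fgt-300c"
        set contact "hostmaster"
        set authoritative enable
        set allow-transfer 10.0.0.2
        config dns-entry
            edit 1
                set type A
                set hostname "fileserver"
                set ip 10.0.0.20
            next
        end
    next
end

# Slave (each 80D): pulls the zone from ip-master instead of holding entries
config system dns-database
    edit "internal-zone"
        set domain "test.example.org"
        set type slave
        set view shadow
        set ip-master 10.0.0.1
        set authoritative disable
    next
end

# The DNS service must listen on the interface the other unit reaches,
# on both devices: the master to answer the transfer, the slave to serve clients
config system dns-server
    edit "port1"
        set mode recursive
    next
end
```

With `view shadow` the zone is only answered to queries arriving on an interface whose dns-server entry is in recursive mode, so check that entry on both units before looking further.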
I think your slave might be looking up the "zone" by DNS to find the master and attempting the zone-xfer. Is your zone internal only? (I'm assuming yes, since you stated shadow.)
What is your "set domain xxxxx" set as? Is the defined ip-master IPv4 address correct?
Are the interfaces correct?
What happens when you issue a diag test application dnsproxy 9 or a diag test application dnsproxy 8?
I would also run a diag sniffer packet any "host x.x.x.x", where x.x.x.x is the master, and run the above commands.
PCNSE
NSE
StrongSwan
emnoc wrote:
I think your slave might be looking up the "zone" by DNS to find the master and attempting the zone-xfer. Is your zone internal only? (I'm assuming yes, since you stated shadow.)
What is your "set domain xxxxx" set as? Is the defined ip-master IPv4 address correct?
Are the interfaces correct?
What happens when you issue a diag test application dnsproxy 9 or a diag test application dnsproxy 8?
I would also run a diag sniffer packet any "host x.x.x.x", where x.x.x.x is the master, and run the above commands.
Thanks for your response! I admit to not knowing very much about DNS (although I'm quickly learning while trying to diagnose this!), so I'll try to answer as best I can.
If my slave is looking up the "zone" by DNS, I can't figure out how exactly that would work. I can't exactly enter a record that tells my unit the FQDN of my master, because then the slave and master DNS databases clash. This may not be what you're asking about, though. And yes, this zone is internal; I honestly am not sure if the zone name really matters? I've not had to set it before.
Not sure I understand this exactly. My domain (let's use test.example.org) is set the same on both units, and yes, the IP of the master is correctly set on my secondary (they can ping each other OK).
When running those commands I can get responses on port 53 on my master to port 1211 on my secondary, and vice versa. I also get ACK, PSH and FIN packets.
Since the slave pulls from the master, I would first:
1: reload the DB on the slave
2: run a pcap during the above with the filter set to "src host x.x.x.x and port 53"
x.x.x.x = master IPv4 address
3: see if a DNS transfer request comes through
4: query the master zone DB and review all NS records (Unix host command: host -v -t ns domain.com x.x.x.x)
x.x.x.x = the master DNS server address and interface on the master
5: the interface that you expect the AXFR to happen on must have and grant access, so #4 could probably use a diag debug flow
Check those out and see what happens.
PCNSE
NSE
StrongSwan
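The checklist above comes down to one question: does the slave send an AXFR request to the master, and does the master answer it with a complete zone? The following is an added example, not part of the thread and not FortiGate code. It builds the AXFR query a secondary sends over TCP, builds the reply a primary returns (split across two messages, as real servers do), and parses that reply back, checking that it is bracketed by two matching SOA records. The zone name `test.example.org` is the one used in the thread; the host names (`fgt-300c`, `hostmaster`, `fileserver`, `printer`), the serial and the 10.0.0.x addresses are constructed sample data. Use it to know what a healthy transfer looks like before reading the `diag sniffer packet` output: a TCP segment from the slave carrying QTYPE 252, then one or more answers from the master that open and close with the same SOA.

```python
"""AXFR zone transfer on the wire (RFC 1035 s4.1, RFC 5936): the slave's request and the
master's reply.  Added example for this thread, not FortiGate code; all data is constructed."""
import struct

TYPE_A, TYPE_NS, TYPE_SOA, TYPE_AXFR, CLASS_IN = 1, 2, 6, 252, 1
ZONE = "test.example.org"        # zone name used in the thread
MASTER = "fgt-300c." + ZONE      # assumed primary-name of the 300C (constructed)

def encode_name(name):
    """Dotted name -> uncompressed DNS wire labels."""
    return b"".join(bytes([len(lab)]) + lab.encode("ascii")
                    for lab in name.rstrip(".").split(".") if lab) + b"\x00"

def build_axfr_query(zone, txid=0x1234):
    """Slave's request: 2-byte TCP length prefix + header + one AXFR question."""
    msg = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)       # flags 0: no RD
    msg += encode_name(zone) + struct.pack("!HH", TYPE_AXFR, CLASS_IN)
    return struct.pack("!H", len(msg)) + msg

def soa_rdata(mname, rname, serial, timers=(3600, 900, 604800, 300)):
    return encode_name(mname) + encode_name(rname) + struct.pack("!IIIII", serial, *timers)

def build_axfr_response(zone, txid, records, per_message=3):
    """Master's reply as a TCP stream.  records are (name, type, ttl, rdata) and must
    start and end with the zone SOA; like a real server, the answer is split."""
    stream = b""
    for i in range(0, len(records), per_message):
        chunk, qd = records[i:i + per_message], 1 if i == 0 else 0
        msg = struct.pack("!HHHHHH", txid, 0x8400, qd, len(chunk), 0, 0)  # QR, AA
        if qd:                                   # question only in first message
            msg += encode_name(zone) + struct.pack("!HH", TYPE_AXFR, CLASS_IN)
        for name, rtype, ttl, rdata in chunk:
            msg += encode_name(name) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata
        stream += struct.pack("!H", len(msg)) + msg
    return stream

def read_name(msg, off):
    """Read a possibly compressed name; return (name, offset after it in msg)."""
    labels, end, hops = [], None, 0
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                    # compression pointer (RFC 1035 4.1.4)
            end = off + 2 if end is None else end
            off, hops = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, hops + 1
            if hops > 64: raise ValueError("compression pointer loop")
            continue
        off += 1
        if ln == 0:
            return ".".join(labels) + ".", (off if end is None else end)
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln

def render_rdata(msg, rd_off, rtype, rdata):
    if rtype == TYPE_A and len(rdata) == 4:
        return ".".join(str(b) for b in rdata)
    if rtype == TYPE_NS:
        return read_name(msg, rd_off)[0]
    if rtype == TYPE_SOA:
        mname, o = read_name(msg, rd_off)
        rname, o = read_name(msg, o)
        return "%s %s serial=%d" % (mname, rname, struct.unpack("!I", msg[o:o + 4])[0])
    return rdata.hex()

def parse_message(msg):
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, records = 12, []
    for _ in range(qd):
        off = read_name(msg, off)[1] + 4         # skip QTYPE/QCLASS
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        records.append((name, rtype, ttl, render_rdata(msg, off, rtype, msg[off:off + rdlen])))
        off += rdlen
    return txid, flags & 0xF, records

def parse_axfr_stream(stream):
    """Reassemble an AXFR reply from a TCP stream.  It is complete only when rcode
    is 0 and the answer is bracketed by two identical SOA records (same serial)."""
    off, txid, rcode, records = 0, None, None, []
    while off + 2 <= len(stream):
        (ln,) = struct.unpack("!H", stream[off:off + 2])
        msg = stream[off + 2:off + 2 + ln]
        if len(msg) != ln:
            raise ValueError("truncated DNS message in stream")
        off += 2 + ln
        t, rcode, recs = parse_message(msg)
        txid = t if txid is None else txid
        records.extend(recs)
    complete = (rcode == 0 and len(records) >= 2 and records[0][1] == TYPE_SOA
                and records[-1][1] == TYPE_SOA and records[0][3] == records[-1][3])
    return {"txid": txid, "rcode": rcode, "records": records, "complete": complete}

# Constructed sample zone: SOA, NS, three A records, closing SOA.
SOA = (ZONE, TYPE_SOA, 3600, soa_rdata(MASTER, "hostmaster." + ZONE, 2014060101))
SAMPLE_ZONE = [SOA, (ZONE, TYPE_NS, 3600, encode_name(MASTER)),
               (MASTER, TYPE_A, 3600, bytes([10, 0, 0, 1])),
               ("fileserver." + ZONE, TYPE_A, 3600, bytes([10, 0, 0, 20])),
               ("printer." + ZONE, TYPE_A, 3600, bytes([10, 0, 0, 30])), SOA]
if __name__ == "__main__":
    r = parse_axfr_stream(build_axfr_response(ZONE, 0x1234, SAMPLE_ZONE))
    print(build_axfr_query(ZONE).hex(), *r["records"], "complete:", r["complete"], sep="\n")
```

The parser deliberately treats a reply that lacks the closing SOA, or whose two SOAs carry different serials, as incomplete: that is what an aborted or interrupted transfer looks like in a capture, and it is the difference between the "no entries populate" symptom and a zone that loaded. If the slave sends nothing on port 53 over TCP at all, the problem is on the slave side (step 1 and 2 of the list above); if the request goes out and the master answers with a non-zero rcode or nothing, it is the master's transfer permission or interface access (step 5).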