Hello,
How fortigate DNS setting should be configured when there is a central AD DNS server in network, all pc computers get DNS from AD DNS server, so I configured Fortigate DSN to point to AD DNS server, and on domain DNS server I configured forwarder to 8.8.8.8 - it this good?
I thought to configure in different way, I mean, point AD DNS forwarder to Fortigate IP, and on Fortigate DNS set any public DNS servers, but I couldn't configure it, I had not internet. I don't know how to configure ipv4 policy from AD DNS server to Fortigate itself, and without that as I said my all computers did not have internet access.
Please advice me, thanks.
Solved! Go to Solution.
I would personally make FortiGates (and any other devices that require DNS) to utilize internal DNS Servers. Let those internal DNS servers then forward out to Google, Cloudflare, or whatever external DNS service of your choice.
Mike Pruett
I agree with Mike that it's generally better to point your FortiGate at your internal AD/DNS (under Network > DNS) so that internal names resolve properly. That's the simplest, lowest maintenance solution.
For example if the service you're looking to use is LDAP authentication for SSL-VPN, while you can technically get up and running just using an IP address for insecure LDAP, you should really be using secure LDAPS and server verification which relies on correctly configured internal name resolution and certificates (imported from your AD CA): https://www.fortiguard.com/psirt/FG-IR-19-037
Tip: if you're having trouble getting network drives mapped for VPN clients and they can't ping servers by their short names, make sure you've got your internal DNS suffix set in your VPN config: For SSL-VPN: set dns-suffix = <internal domain suffix e.g. domain.local or int.domain.com>
For IPSec VPN:
set domain = <internal domain suffix e.g. domain.local or int.domain.com>
Russ
NSE7
Settings vary according to the network needs and requirements. Most frequent set up is local hosts are pointed to AD as DNS, while Fortigate has Google/Fortiguard/Local ISP as DNS servers, Security Policy allows just AD to go out on DNS ports.
The set-ups you tried seem to me overly complex without any benefit to the network or users.
OK, in your first suggestion you set then as Forwardes in AD DNS any public DNS service, like Google or Cloudflare?
But what in case when Fortigate need to resolve internal domain hostnames, like email servers, or sms gateways, with you first suggestion internal domain hostnames won't be resolved.
Tutek wrote:But what in case when Fortigate need to resolve internal domain hostnames, like email servers, or sms gateways, with you first suggestion internal domain hostnames won't be resolved.
One of the reasons NOT to use internal names of the resources in a firewall - use IP addresses only.
but I have to, I have services which working only on domain name. And I don't know how to resolve this issue.
I would personally make FortiGates (and any other devices that require DNS) to utilize internal DNS Servers. Let those internal DNS servers then forward out to Google, Cloudflare, or whatever external DNS service of your choice.
Mike Pruett
That would be a good idea if your DNS servers are not behind an IPsec connection. In my case, branches contact HQ via IPsec for HQ local domain resources like an intranet. They need access to the internet if the IPsec goes down for some reason. So you would need split DNS, which fortigate does not seem to support in a easy way like other firewalls/routers.
Tutek wrote:but I have to, I have services which working only on domain name. And I don't know how to resolve this issue.
What services for example?
I agree with Mike that it's generally better to point your FortiGate at your internal AD/DNS (under Network > DNS) so that internal names resolve properly. That's the simplest, lowest maintenance solution.
For example if the service you're looking to use is LDAP authentication for SSL-VPN, while you can technically get up and running just using an IP address for insecure LDAP, you should really be using secure LDAPS and server verification which relies on correctly configured internal name resolution and certificates (imported from your AD CA): https://www.fortiguard.com/psirt/FG-IR-19-037
Tip: if you're having trouble getting network drives mapped for VPN clients and they can't ping servers by their short names, make sure you've got your internal DNS suffix set in your VPN config: For SSL-VPN: set dns-suffix = <internal domain suffix e.g. domain.local or int.domain.com>
For IPSec VPN:
set domain = <internal domain suffix e.g. domain.local or int.domain.com>
Russ
NSE7
Tutek wrote:OK, in your first suggestion you set then as Forwardes in AD DNS any public DNS service, like Google or Cloudflare?
But what in case when Fortigate need to resolve internal domain hostnames, like email servers, or sms gateways, with you first suggestion internal domain hostnames won't be resolved.
See if it works for you
(dns-database) # show config system dns-database edit "internal" set domain "demo.local" config dns-entry edit 2 set type MX set hostname "mail" next edit 3 set hostname "mail" set ip 192.168.80.10 next edit 4 set hostname "www" set ip 192.168.80.11 next end set contact "root@demo.local" next end
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1740 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.