Unlock Exclusive Benefits
Join Our Community Today!
Join our Community and post in the forum to earn your exclusive badge; celebrating 3 years of the Fortinet Community!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: Fortigate DNS with domain DNS correct configur...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Fortigate DNS with domain DNS correct configuration
Hello,
How fortigate DNS setting should be configured when there is a central AD DNS server in network, all pc computers get DNS from AD DNS server, so I configured Fortigate DSN to point to AD DNS server, and on domain DNS server I configured forwarder to 8.8.8.8 - it this good?
I thought to configure in different way, I mean, point AD DNS forwarder to Fortigate IP, and on Fortigate DNS set any public DNS servers, but I couldn't configure it, I had not internet. I don't know how to configure ipv4 policy from AD DNS server to Fortigate itself, and without that as I said my all computers did not have internet access.
Please advice me, thanks.
Solved! Go to Solution.
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
2 Solutions
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would personally make FortiGates (and any other devices that require DNS) to utilize internal DNS Servers. Let those internal DNS servers then forward out to Google, Cloudflare, or whatever external DNS service of your choice.
Mike Pruett
Mike Pruett
Fortinet GURU | Fortinet Training Videos
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I agree with Mike that it's generally better to point your FortiGate at your internal AD/DNS (under Network > DNS) so that internal names resolve properly. That's the simplest, lowest maintenance solution.
For example if the service you're looking to use is LDAP authentication for SSL-VPN, while you can technically get up and running just using an IP address for insecure LDAP, you should really be using secure LDAPS and server verification which relies on correctly configured internal name resolution and certificates (imported from your AD CA): https://www.fortiguard.com/psirt/FG-IR-19-037
Tip: if you're having trouble getting network drives mapped for VPN clients and they can't ping servers by their short names, make sure you've got your internal DNS suffix set in your VPN config: For SSL-VPN: set dns-suffix = <internal domain suffix e.g. domain.local or int.domain.com>
For IPSec VPN:
set domain = <internal domain suffix e.g. domain.local or int.domain.com>
Russ
NSE7
9 REPLIES 9
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Settings vary according to the network needs and requirements. Most frequent set up is local hosts are pointed to AD as DNS, while Fortigate has Google/Fortiguard/Local ISP as DNS servers, Security Policy allows just AD to go out on DNS ports.
The set-ups you tried seem to me overly complex without any benefit to the network or users.
Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OK, in your first suggestion you set then as Forwardes in AD DNS any public DNS service, like Google or Cloudflare?
But what in case when Fortigate need to resolve internal domain hostnames, like email servers, or sms gateways, with you first suggestion internal domain hostnames won't be resolved.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Tutek wrote:But what in case when Fortigate need to resolve internal domain hostnames, like email servers, or sms gateways, with you first suggestion internal domain hostnames won't be resolved.
One of the reasons NOT to use internal names of the resources in a firewall - use IP addresses only.
Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
but I have to, I have services which working only on domain name. And I don't know how to resolve this issue.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would personally make FortiGates (and any other devices that require DNS) to utilize internal DNS Servers. Let those internal DNS servers then forward out to Google, Cloudflare, or whatever external DNS service of your choice.
Mike Pruett
Mike Pruett
Fortinet GURU | Fortinet Training Videos
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That would be a good idea if your DNS servers are not behind an IPsec connection. In my case, branches contact HQ via IPsec for HQ local domain resources like an intranet. They need access to the internet if the IPsec goes down for some reason. So you would need split DNS, which fortigate does not seem to support in a easy way like other firewalls/routers.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Tutek wrote:but I have to, I have services which working only on domain name. And I don't know how to resolve this issue.
What services for example?
Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I agree with Mike that it's generally better to point your FortiGate at your internal AD/DNS (under Network > DNS) so that internal names resolve properly. That's the simplest, lowest maintenance solution.
For example if the service you're looking to use is LDAP authentication for SSL-VPN, while you can technically get up and running just using an IP address for insecure LDAP, you should really be using secure LDAPS and server verification which relies on correctly configured internal name resolution and certificates (imported from your AD CA): https://www.fortiguard.com/psirt/FG-IR-19-037
Tip: if you're having trouble getting network drives mapped for VPN clients and they can't ping servers by their short names, make sure you've got your internal DNS suffix set in your VPN config: For SSL-VPN: set dns-suffix = <internal domain suffix e.g. domain.local or int.domain.com>
For IPSec VPN:
set domain = <internal domain suffix e.g. domain.local or int.domain.com>
Russ
NSE7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Tutek wrote:OK, in your first suggestion you set then as Forwardes in AD DNS any public DNS service, like Google or Cloudflare?
But what in case when Fortigate need to resolve internal domain hostnames, like email servers, or sms gateways, with you first suggestion internal domain hostnames won't be resolved.
See if it works for you
(dns-database) # show config system dns-database edit "internal" set domain "demo.local" config dns-entry edit 2 set type MX set hostname "mail" next edit 3 set hostname "mail" set ip 192.168.80.10 next edit 4 set hostname "www" set ip 192.168.80.11 next end set contact "root@demo.local" next end
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- Uneven CPU Load Distribution on FortiGate... 11 Views
- Forticlient VPN doesn't connect after upgrade... 43 Views
- Fortigate Rugged 60F unable to HA... 152 Views
- Fortigate not showing Deny logs 460 Views
- Unreliable SSL VPN Performance and Poor... 154 Views
Labels
-
FortiGate
8,473 -
FortiClient
1,718 -
5.2
801 -
FortiManager
712 -
5.4
639 -
FortiAnalyzer
547 -
FortiAP
458 -
FortiSwitch
457 -
6.0
416 -
FortiClient EMS
408 -
5.6
362 -
FortiMail
308 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
222 -
FortiWeb
200 -
5.0
196 -
IPsec
186 -
FortiNAC
177 -
FortiGuard
136 -
6.4
128 -
SD-WAN
110 -
FortiGateCloud
100 -
FortiSIEM
98 -
FortiCloud Products
96 -
FortiToken
89 -
FortiAuthenticator
84 -
Customer Service
78 -
Wireless Controller
75 -
Firewall policy
71 -
4.0MR3
64 -
FortiProxy
59 -
Fortivoice
53 -
FortiADC
53 -
High Availability
52 -
FortiEDR
50 -
vlan
47 -
ZTNA
46 -
FortiExtender
45 -
FortiSandbox
44 -
FortiDNS
42 -
DNS
40 -
Routing
39 -
BGP
38 -
LDAP
38 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SAML
34 -
Certificate
33 -
Authentication
31 -
SSO
31 -
Interface
31 -
NAT
30 -
RADIUS
29 -
FortiConnect
27 -
FortiLink
26 -
FortiWAN
25 -
FortiConverter
25 -
VDOM
25 -
Application control
25 -
FortiGate v5.2
24 -
Logging
24 -
Web profile
24 -
FortiPAM
22 -
Virtual IP
22 -
Fortigate Cloud
20 -
FortiPortal
19 -
SSL SSH inspection
19 -
FortiSwitch v6.2
18 -
FortiMonitor
18 -
Traffic shaping
17 -
FortiDDoS
15 -
OSPF
15 -
WAN optimization
15 -
FortiGate v5.0
14 -
System settings
14 -
IP address management - IPAM
14 -
SSID
13 -
Static route
13 -
FortiSOAR
12 -
FortiCASB
12 -
snmp
12 -
Automation
12 -
Admin
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiManager v4.0
10 -
FortiRecorder
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
Traffic shaping policy
9 -
FortiAP profile
9 -
Proxy policy
9 -
RMA Information and Announcements
8 -
Security profile
8 -
Port policy
8 -
4.0
7 -
FortiDeceptor
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
Fabric connector
7 -
Intrusion prevention
7 -
Explicit proxy
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Antivirus profile
6 -
Traffic shaping profile
6 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
Web rating
5 -
Fortinet Engage Partner Program
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
Cloud Management Security
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
TACACS
2 -
Schedule
2 -
SDN connector
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1661 | |
| 1077 | |
| 752 | |
| 443 | |
| 220 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.