Good evening everyone,
I am unable to correctly configure the integration of an FGT100E with Active Directory; in particular I am referring to DNS filtering.
With my current configuration, in the DNS filter logs I don't see the origin of the requests from the clients joined to the domain; I always see that all DNS requests come from the domain controller.
The domain is still the old type, like mycompany.local, and we recently introduced 365 and added a mycompany.com UPN, a detail not to be underestimated (I think).
The FortiGate is the gateway of the main network with the IP address 192.168.1.254; the main domain controller is 192.168.1.1 and the secondary is 192.168.1.2, both Windows Server 2022.
The connected PCs (W10/W11) use two DNS servers, 192.168.1.1 and 192.168.1.2.
I've tried everything by now; here is the first doubt.
DNS forwarders on the domain controllers: do I have to enter the IP address of the FortiGate?
"Use root hints" checked or not? (I think not.)
My goal, if it is easily manageable, would be to block the use of public DNS from the internal network by passing everything through the FortiGate...
Example image:
In the FortiGate DNS logs I find these damned unknown query types...
And while I was writing, another problem occurred to me regarding other DNS errors like _ldap._tcp.site1._sites.domaincontroller1.mycompany.local, query type SRV, blocked (implicit deny).
This error appears when doing a test using the FortiGate as the DNS server on a Windows client; I think it concerns _msdcs.mycompany.local. I was thinking about the zone transfer... I have doubts about this too.
Correct?
Furthermore, the fact that we have currently added the mycompany.com UPN to the mycompany.local domain worries me about a possible DNS leak... is it real or just my imagination?
If someone is willing to help me, even by paying for the service, there is no problem.
I have a headache... :)
What is the main goal here? Do you just want to apply DNS filtering to the end hosts?
The simplest way I can think of is to leave the public forwarders configured on the DCs, configure the FGT to use the DCs as its primary DNS servers, configure the DHCP scopes to hand out the GW as the DNS server to the end hosts, and filter the DNS traffic of the end hosts only. If you don't want to add any domain or DNS records on the FGT, you can leave it to forward all requests to the DC.
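As an added example (not from the original post or the reply, and not Fortinet's own documentation), here is one FortiOS CLI rendering of the design the reply describes: a DNS filter profile, the FortiGate using the two DCs from the question as its system DNS, a forward-only DNS server on the LAN interface that applies the profile, a DHCP scope that hands out 192.168.1.254 as the only DNS server, and two firewall policies so that only the DCs may reach public DNS forwarders while every other LAN host is denied outbound port 53. The interface names "internal" and "wan1", the DHCP range, the address-object and profile names, and the FortiGuard category id 26 (Malicious Websites) are assumptions; the IP addresses are taken from the question.

```fortios
# Assumed interface names: "internal" (LAN) and "wan1" (Internet).
# 1. DNS filter profile applied to end-host queries (category 26 is
#    assumed to be FortiGuard's "Malicious Websites"; adjust to taste).
config dnsfilter profile
    edit "lan-dnsfilter"
        set comment "Filtering for end hosts only; DCs are not filtered"
        config ftgd-dns
            config filters
                edit 1
                    set category 26
                    set action block
                next
            end
        end
        set block-botnet enable
        set log-all-domain enable
    next
end

# 2. The FortiGate itself resolves through the DCs (from the question),
#    so AD zones such as _msdcs.mycompany.local never need to live on the FGT.
config system dns
    set primary 192.168.1.1
    set secondary 192.168.1.2
end

# 3. DNS service on the LAN interface: forward-only relays every query,
#    SRV records for the AD zone included, to the system DNS above, and the
#    profile is evaluated per client IP, so the logs show the real origin.
config system dns-server
    edit "internal"
        set mode forward-only
        set dnsfilter-profile "lan-dnsfilter"
    next
end

# 4. DHCP scope (assumed range): clients get the gateway as their only DNS.
config system dhcp server
    edit 1
        set interface "internal"
        set default-gateway 192.168.1.254
        set netmask 255.255.255.0
        set dns-service specify
        set dns-server1 192.168.1.254
        config ip-range
            edit 1
                set start-ip 192.168.1.100
                set end-ip 192.168.1.200
            next
        end
    next
end

# 5. Address objects for the two DCs (names assumed).
config firewall address
    edit "dc1"
        set subnet 192.168.1.1 255.255.255.255
    next
    edit "dc2"
        set subnet 192.168.1.2 255.255.255.255
    next
end

# 6. Policies: the DCs may reach their public forwarders; everybody else on
#    the LAN is denied direct DNS to the Internet. Create the accept policy
#    first so it sits above the deny in the policy sequence.
config firewall policy
    edit 10
        set name "dc-to-public-forwarders"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "dc1" "dc2"
        set dstaddr "all"
        set schedule "always"
        set service "DNS"
        set action accept
        set logtraffic all
    next
    edit 11
        set name "block-public-dns-from-lan"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "DNS"
        set action deny
        set logtraffic all
    next
end
```

With this in place, a domain-joined client should be able to resolve the standard AD locator record through the gateway, e.g. `nslookup -type=SRV _ldap._tcp.dc._msdcs.mycompany.local 192.168.1.254` from a Windows host, because forward-only hands that query to the DCs rather than answering from a zone the FortiGate does not hold. Any client that still tries 8.8.8.8 or similar directly will appear in the traffic log as a hit on the deny policy, which is also a quick way to find machines with hard-coded public DNS.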
Copyright 2024 Fortinet, Inc. All Rights Reserved.