Support Forum
TheUsD
New Contributor III

Fortigate as DNS server

Is it possible to make the following happen on a FortiGate?

DNS 10.16.0.1 would be an internal DNS server on the FortiGate 80F. Clients would be able to resolve other local clients using the FortiGate. If the DNS is a public DNS, then the FortiGate would use FortiGuard DNS servers to resolve. I've had this setup before on other devices such as Ubiquiti (EdgeRouters), SonicWalls, NetGear devices, but for some reason the only documentation I can find is for pointing my clients to an internal Windows/Linux DNS server.

Thanks in advance

lobstercreed
Valued Contributor

I've never done it, but I'm pretty sure it's possible. Have you checked out this cookbook?

https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/960561/fortigate-dns-server

TheUsD
New Contributor III

lobstercreed wrote:

I've never done it, but I'm pretty sure it's possible. Have you checked out this cookbook?

https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/960561/fortigate-dns-server

So I should have followed up with this sooner... I ended up just calling support and getting their feedback:

"You can create local DNS servers for your network. Depending on your requirements, you can either manually maintain your entries (master DNS server), or use it to refer to an outside source (slave DNS server)." ...Answered the question, but I had to hear it from them.

Basically, if you want to enter in ALL your DNS entries manually, then it can be your local DNS server, which is no good if you have DHCP clients in a subnet or VLAN with DHCP turned on. However, the FortiGate is still considered a FIREWALL (though it is basically a router) and thus does not have an internal auto DNS population database functionality. Therefore, you will still need a Windows / Linux DNS server. Honestly, I think this is a huge offset and a complete miss on FN's part. With so much power and dedicated resources combined with a superior GUI/CLI, I cannot understand why they drew the line at this: having an internal DNS server that has the capability to create A records on its own. Even the small fries like SonicWall, EdgeRouter (Ubiquiti), Netgear and Linksys can accomplish this. Anyways, I am considering the subject closed and sadly resolved.

sw2090
Honored Contributor

Hm, FortiGate does have both a DNS forwarder and a DNS Database. So what you want should be possible.

You can even hand out a specific DNS server via the FGT DHCP server on an interface. It just needs to be reachable from there, of course, to make sense ;)

Beware: that is not a good idea if you run an AD. In AD, DNS should always be on the DC!

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
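The configuration sw2090 is referring to, as an added example (not from this thread, the cookbook link above, or Fortinet's own documentation): a manually maintained local zone in the DNS database, the DNS service enabled only on the LAN interface in recursive mode (local records first, everything else forwarded to the system DNS servers, which are FortiGuard by default), and a DHCP scope that hands clients the FortiGate as their resolver. The interface name "internal", the zone "corp.example", and every address are constructed; the CLI keywords are the FortiOS 6.2/7.x syntax as I know it and should be checked against your firmware's CLI reference.

```fortios
# Added example, not the thread's or Fortinet's own configuration.
# Interface "internal", zone "corp.example" and all IPs are constructed.

# 1. Local zone with manually maintained records (type "master").
#    view shadow = answered only on interfaces running the FortiGate DNS
#    service and never published outward; authoritative = the FortiGate
#    answers for this zone itself instead of forwarding it.
config system dns-database
    edit "corp"
        set domain "corp.example"
        set type master
        set view shadow
        set authoritative enable
        set ttl 86400
        config dns-entry
            edit 1
                set type A
                set hostname "fileserver"
                set ip 10.16.0.50
            next
            edit 2
                set type A
                set hostname "printer"
                set ip 10.16.0.51
            next
        end
    next
end

# 2. Run the DNS service on the LAN interface only. "recursive" resolves
#    from the local database first and forwards all other names to the
#    system DNS servers (FortiGuard unless changed under config system dns).
#    Do not enable this on a WAN-facing interface: the unit would then act
#    as an open resolver for the internet.
config system dns-server
    edit "internal"
        set mode recursive
    next
end

# 3. DHCP scope on the same interface. dns-service local advertises the
#    interface's own address (10.16.0.1 here) as the clients' DNS server.
#    In an AD domain use "set dns-service specify" plus
#    "set dns-server1 <DC address>" instead, as sw2090 notes above.
config system dhcp server
    edit 1
        set interface "internal"
        set default-gateway 10.16.0.1
        set netmask 255.255.255.0
        set dns-service local
        config ip-range
            edit 1
                set start-ip 10.16.0.100
                set end-ip 10.16.0.200
            next
        end
    next
end
```

From a DHCP client, `nslookup fileserver.corp.example 10.16.0.1` should return 10.16.0.50 from the local zone, while `nslookup www.fortinet.com 10.16.0.1` is answered via the forwarder. Note that this confirms TheUsD's finding: every A record in step 1 is static, so hosts that only appear via DHCP leases are not resolvable unless an entry is added for them.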

lobstercreed
Valued Contributor

Your initial post didn't say anything about dynamic population of the database, just resolving internal clients. THAT the FortiGate can definitely do.

TheUsD wrote:

Honestly, I think this is a huge offset and a complete miss on FN's part. With so much power and dedicated resources combined with a superior GUI/CLI, I cannot understand why they drew the line at this: having an internal DNS server that has the capability to create A records on its own. Even the small fries like SonicWall, EdgeRouter (Ubiquiti), Netgear and Linksys can accomplish this.

I'm actually really surprised that those other products are accomplishing that for you. As far as I knew, you pretty much have to have AD (where clients register themselves in DNS) to get the functionality you're looking for. So I would be more "impressed", I guess, that those others can do it than disappointed that Fortinet can't. The product really isn't meant for that.
