akabarasif
New Contributor III

How to configure the branch office firewall if the DNS server is at the head office?

Hi,

I am facing some delay when browsing websites. I did some troubleshooting and found that DNS is causing the delay.

The problem is at the branch office; the DNS and other servers reside at the head office.

I came to know that there is a DNS server in the firewall that can solve the problem: internet traffic goes directly from the firewall, and the other servers are resolved with the user AD DNS.

Please advise the configuration steps.

 

UPDATE: the branch office has internet, the head office also has internet, and the AD DNS forwarder is forwarding DNS traffic to the head office internet.

gfleming
Staff

It sounds like you want to incorporate split DNS, whereby local domain resolution occurs at your central internal DNS server and all other traffic gets resolved by a public DNS resolver on the internet, local to the branch offices.

 

OK, so first of all I'm assuming you have no local DNS servers (such as an RODC or similar) at the branch, based on your description. So the best course of action is to create a slave zone to your AD DNS on the firewalls. This will sync all DNS info from the AD server and resolve it locally on the FortiGate for your branch clients.

 

Alternatively, you can create a master zone on the branch FortiGate for your internal domain name and just set it to forward all queries to your central DNS server.

 

Then configure the FortiGate's own DNS servers to be whatever you want. You can use 9.9.9.9 or any other public resolver.

Cheers,
Graham
Sheikh
Staff

 

You might also achieve this by enabling and configuring split DNS on the branch FortiGate firewall. First you need to enable DNS Database in "Feature Visibility" on the FortiGate.

Log in to FortiGate > System > Feature Visibility > DNS Database. After it is enabled, go to DNS Servers under Network in FortiGate. Then you need to configure the DNS service and attach it to an interface. Please ensure you check "Recursive". You can/may also apply a DNS filter on it.

 

After that you need to configure the DNS Database and add your local DNS zone and domain name. As the branch FortiGate is not the master DNS for your internal DNS zone on Active Directory, you need to select the type "Slave". Enter the required information and click OK.

 
You may need to create a policy (or you may already have one) to allow communication from the remote branch office network to your domain controllers in Site A. If the FortiGate is also acting as a DHCP server for your branch network, then you might need to select "Same as Interface IP" for DNS Server under the network interface.

You will also need to perform a Windows DNS zone transfer to the FortiGate DNS database.


Under the DNS Database you can configure and put public DNS servers for non-domain lookups in the "Forwarder" section.

 

Regards,

 

Sheikh

akabarasif
New Contributor III

Yes, I don't have local DNS, and here is the config I have done. I have no idea on which interface I have to use RECURSIVE; please advise on the following config.

All the machines have DNS set to the HO AD: 10.10.10.12, 10.10.10.13

DNS setting on firewall


LAN forward to DNS is the default when this feature is enabled.

The interface where the AD is reached is the ISP VPN interface.

The DSL interface is the firewall's current directly connected internet.

LAN is the LAN.



 

Not sure if this is the correct config.

I don't want DNS entries for servers which are in the HO.

I just want to use the FortiGate DNS for the internet, and the rest of the DNS traffic should forward to the AD DNS.

 

gfleming
Staff

Set your DNS service on the LAN interface to be recursive.

 

Set your company.com DNS Database options as follows:

- Authoritative: "disabled"
- DNS Forwarder: your AD servers
- DNS Zone: any name you want to give this zone (it can be the same as the domain name)
- Domain Name: the actual internal domain name suffix you want forwarded to your AD servers

 

You can also set the DNS Database as a secondary to your AD servers, and it will receive all of your DNS entries to be hosted and resolved by the FortiGate, but this will result in more configuration work.

Cheers,
Graham
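Put together as FortiOS CLI, the branch-side configuration Graham's two replies describe (a zone for the internal domain that is not authoritative and forwards to the AD servers, the LAN DNS service set to recursive, and a public resolver for everything else). This is an added example, not a config posted in the thread; the interface name "lan", the zone name, the domain company.com and the DHCP server id are assumptions, the AD addresses 10.10.10.12/.13 are the ones given above, and the type keyword "master" is the one used by the FortiOS release discussed here (newer releases call it "primary").

```fortios
# Branch FortiGate, FortiOS CLI (assumed names: interface "lan", domain company.com)

# 1. Internal zone: not authoritative and holding no records of its own, so every
#    query for *.company.com is forwarded to the head-office AD DNS over the VPN.
config system dns-database
    edit "company.com"
        set status enable
        set domain "company.com"
        set type master
        set authoritative disable
        set forwarder "10.10.10.12" "10.10.10.13"
        # Optional: pin the source address of the forwarded queries to the
        # VPN-side IP so the head-office policy and return route match (assumed IP).
        # set source-ip 192.168.2.1
    next
end

# 2. DNS service on the LAN interface, recursive, so anything outside
#    company.com is resolved by the FortiGate itself rather than sent to the HO.
config system dns-server
    edit "lan"
        set mode recursive
    next
end

# 3. The FortiGate's own upstream resolver for the non-domain lookups
#    (public resolver, reached over the branch DSL link).
config system dns
    set primary 9.9.9.9
end

# 4. Only if the FortiGate is also the branch DHCP server: hand out the
#    FortiGate's own interface address as the clients' DNS server
#    (the GUI's "Same as Interface IP"). DHCP server id 1 is assumed.
config system dhcp server
    edit 1
        set dns-service local
    next
end
```

The head-office side still needs a route and a firewall policy that permit DNS (UDP/TCP 53) from the branch FortiGate to 10.10.10.12 and .13 across the VPN, otherwise internal names will fail while public names keep resolving. From a branch client, a lookup of an internal host name against the FortiGate's LAN address should now be answered from the AD servers, and a lookup of a public name from 9.9.9.9.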
akabarasif
New Contributor III

I tried as you mentioned @gfleming, but how do I make sure it's working?

I am still seeing delay.

gfleming

Are your remote branch endpoints configured to use the FortiGate as the DNS server?


Please set the endpoints to use the FortiGate as the DNS server.

 

You'll also need to ensure you've enabled the DNS service on the appropriate FortiGate interface.


 

Cheers,
Graham