Could anyone post an example to configure a Fortigate with two interfaces, inside and outside, the rules and objects to intercept all sessions from inside to any public server port (let's say UDP:53) and send them instead to only one owned server, same port (UDP:53)? Something like getting all the public DNS queries and diverting them to our own DNS through the outside interface...
I remember that the Cisco ASA "fixes" this with a NAT rule that could get rid of several destinations and DNAT them to only one, with SNAT also for inner hosts.
Do you actually have devices that insist on using their hard-coded DNS server IPs and refuse to use the DHCP-provided one(s)?
From limited personal experience, I've had a couple devices that always tried to use "their own" DNS server, but when blocked, always fell back to using the DNS server from DHCP. (and frankly, I wouldn't want a device in my network that refuses to use my DNS servers)
I imagine you could make this transition/research fairly painless by logging the outgoing DNS traffic and then gradually moving these devices to a blocking rule, and finding out how they react.
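The logging-first approach suggested above, as an added example that is not part of the original thread: a small Python triage script that reads FortiGate-style traffic log lines (key=value pairs; the sample lines are constructed, not real captures), lists which internal hosts send DNS to resolvers other than the sanctioned one, and chunks them into batches for a gradual blocking rule. The sanctioned resolver address 192.168.1.1 and the field names are assumptions to adapt to the real log format.

```python
"""Find internal hosts that query non-sanctioned DNS resolvers.

Added example (not from the original thread). It assumes FortiGate-style
key=value traffic log lines; the sample lines below are constructed, not
captured from a real device, and use documentation address ranges.
"""
import re
from collections import defaultdict

# Constructed sample log lines (not real captures). Field names follow the
# FortiGate traffic-log key=value style; proto=17 is UDP, proto=6 is TCP.
SAMPLE_LOGS = [
    'date=2024-01-01 time=10:00:01 srcip=192.168.1.20 dstip=192.168.1.1 dstport=53 proto=17 action=accept',
    'date=2024-01-01 time=10:00:02 srcip=192.168.1.21 dstip=8.8.8.8 dstport=53 proto=17 action=accept',
    'date=2024-01-01 time=10:00:03 srcip=192.168.1.21 dstip=8.8.4.4 dstport=53 proto=17 action=accept',
    'date=2024-01-01 time=10:00:04 srcip=192.168.1.22 dstip=1.1.1.1 dstport=53 proto=17 action=accept',
    'date=2024-01-01 time=10:00:05 srcip=192.168.1.22 dstip=192.168.1.1 dstport=53 proto=17 action=accept',
    'date=2024-01-01 time=10:00:06 srcip=192.168.1.23 dstip=203.0.113.9 dstport=443 proto=6 action=accept',
    'malformed line without fields',
]

# Assumed placeholder: the resolver(s) handed out by DHCP that clients should use.
SANCTIONED_RESOLVERS = {"192.168.1.1"}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
REQUIRED_FIELDS = {"srcip", "dstip", "dstport", "proto"}


def parse_line(line):
    """Return a dict of key=value fields, or None if required fields are missing."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    if not REQUIRED_FIELDS.issubset(fields):
        return None
    return fields


def is_dns(fields):
    """DNS over UDP or TCP to port 53."""
    return fields["dstport"] == "53" and fields["proto"] in ("17", "6")


def find_hardcoded_dns_clients(lines, sanctioned=SANCTIONED_RESOLVERS):
    """Map each source IP to the sorted list of non-sanctioned resolvers it
    queried. Hosts that only talk to sanctioned resolvers are not reported."""
    seen = defaultdict(set)
    for line in lines:
        fields = parse_line(line)
        if fields is None or not is_dns(fields):
            continue
        if fields["dstip"] not in sanctioned:
            seen[fields["srcip"]].add(fields["dstip"])
    return {src: sorted(dsts) for src, dsts in seen.items()}


def suggest_rollout(clients, batch_size=1):
    """Order offending hosts by number of distinct foreign resolvers (fewest
    first, then by IP) and chunk them into batches for a gradual blocking rule."""
    ordered = sorted(clients, key=lambda src: (len(clients[src]), src))
    return [ordered[i:i + batch_size] for i in range(0, len(ordered), batch_size)]


if __name__ == "__main__":
    result = find_hardcoded_dns_clients(SAMPLE_LOGS)
    for src, dsts in result.items():
        print(f"{src} -> {', '.join(dsts)}")
    print("rollout batches:", suggest_rollout(result))
```

Run it against an exported traffic log filtered on dstport 53; the batches give a starting order for moving hosts onto a deny rule while watching whether they fall back to the DHCP-provided resolver.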
I agree with you, there are several ways to manage this situation, forcing or migrating users to use the servers that are intended to serve these clients. But when I decided to go the "soft" way, just intercepting these queries and passing them to our own server, that is when I discovered I couldn't find a way of trapping the queries to *any* DNS and forwarding them to my own DNS. And that's the origin of this question...