Hello,
I would like to resolve internal hostnames on my network, and I read on this Forums that it would suffice to set your internal DNS as the primary DNS server on the Fortigate unit in network configuration.
BUT, I would also like to have the Fortigate be the first DNS uplink for my internal DNS server, so I could use Fortiguard DNS servers to monitor and block bad hosts (malware, C&C, etc) out there.
So, what would be the recommended practice to having both internal hostnames correctly resolved AND funnel all DNS traffic through Fortinet DNS service (assuming there actually is a way to do this)?
PLAN B: is there a way to pre-load all my internal hostnames (a la \windows\system32\drivers\etc\hosts) on my Fortigate unit? Is there an editable HOSTS file of some sort?
Solved! Go to Solution.
hi,
and welcome to the forums.
To make it short, I shamelessly cite from my recent post on stackexchange.com (https://networkengineering.stackexchange.com/questions/45399/fortigate-50e-conditional-forwarding/:(
----------------------------- For local name resolution you need to set up 3 things: 1- a DNS zone 2- at least one A record in that zone 3- a DNS on the interface where your internal hosts are A zone in a nameserver is a container for name/IP pairs, the records. You create a DNS zone in config system dns-database:
This zone only holds records for your private hosts and thus it must be 'authoritative'! Next, the record(s). They are created in the config dns-entry section. Record type 'A' denotes a host entry. It doesn't harm to have an additional 'NS' record with the name of your nameserver, i.e. the Fortigate. Then you set up a DNS for your hosts to use, here on the 'lan' interface:
config system dns-database
edit "MyCompanyZone"
set status enable
set domain "mycompany.local"
set type master
set view shadow
set ttl 14400
set authoritative enable
config dns-entry
edit 1
set status enable
set type A
set ttl 0
set hostname "namea"
set ip 192.168.234.10
next
edit 2
set status enable
set type A
...
end
next
end
end
As you can see, it must be in 'recursive' mode or non-local names will not be resolved. If the requested hostname is not found in the dns-database, if 'recursive' is specified the request will be forwarded to the Fortigate's System DNS which can be a Fortiguard DNS (like in your case) or your provider's DNS. Now you can resolve a local hostname like 'namea.mycompany.local'. At last, if you use the FGT as your DHCP server, specify the Fortigate's LAN address as the DNS to use so that all your local hosts will know whom to ask. -----------------------------
config system dns-server
edit "lan"
set mode recursive
next
end
# explanation for the mode parameter:
# set mode
recursive Shadow DNS database and forward.
non-recursive Public DNS database only.
forward-only Forward only.
This is setting up your FGT as your local DNS. If you want to continue to use your (? Windows) DNS just create a recursive DNS on the 'lan' interface, and specify your FGT's LAN address as the forwarding target of your local DNS. Set the FGT system DNS to one of the FortiGuard servers.
There are pros and cons with the FGT nameserver. Pro: centralized management, easy to maintain, no need to run a dedicated DNS on the LAN. Contra: no dynamic DNS entries, reverse lookup zone takes some nifty configuration, no import of host file. YMMV.
Hopping on the back of the prior answer, I have written a couple of scripts to convert Windows and BIND DNS zone files to Fortigate importable data. I do not plan on doing that for a host file. Not enough bang for the buck. Follow the link in my signature if you are interested in the zone file option.
Bob
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
hi,
and welcome to the forums.
To make it short, I shamelessly cite from my recent post on stackexchange.com (https://networkengineering.stackexchange.com/questions/45399/fortigate-50e-conditional-forwarding/:(
----------------------------- For local name resolution you need to set up 3 things: 1- a DNS zone 2- at least one A record in that zone 3- a DNS on the interface where your internal hosts are A zone in a nameserver is a container for name/IP pairs, the records. You create a DNS zone in config system dns-database:
This zone only holds records for your private hosts and thus it must be 'authoritative'! Next, the record(s). They are created in the config dns-entry section. Record type 'A' denotes a host entry. It doesn't harm to have an additional 'NS' record with the name of your nameserver, i.e. the Fortigate. Then you set up a DNS for your hosts to use, here on the 'lan' interface:
config system dns-database
edit "MyCompanyZone"
set status enable
set domain "mycompany.local"
set type master
set view shadow
set ttl 14400
set authoritative enable
config dns-entry
edit 1
set status enable
set type A
set ttl 0
set hostname "namea"
set ip 192.168.234.10
next
edit 2
set status enable
set type A
...
end
next
end
end
As you can see, it must be in 'recursive' mode or non-local names will not be resolved. If the requested hostname is not found in the dns-database, if 'recursive' is specified the request will be forwarded to the Fortigate's System DNS which can be a Fortiguard DNS (like in your case) or your provider's DNS. Now you can resolve a local hostname like 'namea.mycompany.local'. At last, if you use the FGT as your DHCP server, specify the Fortigate's LAN address as the DNS to use so that all your local hosts will know whom to ask. -----------------------------
config system dns-server
edit "lan"
set mode recursive
next
end
# explanation for the mode parameter:
# set mode
recursive Shadow DNS database and forward.
non-recursive Public DNS database only.
forward-only Forward only.
This is setting up your FGT as your local DNS. If you want to continue to use your (? Windows) DNS just create a recursive DNS on the 'lan' interface, and specify your FGT's LAN address as the forwarding target of your local DNS. Set the FGT system DNS to one of the FortiGuard servers.
There are pros and cons with the FGT nameserver. Pro: centralized management, easy to maintain, no need to run a dedicated DNS on the LAN. Contra: no dynamic DNS entries, reverse lookup zone takes some nifty configuration, no import of host file. YMMV.
Hopping on the back of the prior answer, I have written a couple of scripts to convert Windows and BIND DNS zone files to Fortigate importable data. I do not plan on doing that for a host file. Not enough bang for the buck. Follow the link in my signature if you are interested in the zone file option.
Bob
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Thanks for your quick and insightful reply. Plenty of detailed information about local DNS management here - although I wish to keep my current DNS server active, as it's also a Domain Controller and I need it.
I already forwarded my DNS requests from my DNS server (Windows 2016) to the Fortigate, and I can see DNS queries coming from that Win machine and going out.
In the meantime I had a look at the FortiView section of the firewall, and to my great surprise, it looks like local names are being resolved, there - I don't know how this is possible, as the FGT itself is pointed to "Fortiguard Servers" (external, public IPs) for its name resolution needs.
When I see or download a report from FortiCloud, instead, all I can see are the local IPs, never the hostname.
So, it appears as the FGT 60E has a way to resolve hostnames of its own, even if not pointed to the local DNS server, but is not able to pass this information up to FortiCloud, where it could greatly enhance the clarity of reports.
Anybody using FortiCloud reports can confirm or deny that local hostnames are actually resolved there, and if yes, with which DNS configuration this result is being obtained? Thanks
So, clients should ask the WinSrv, the WinSrv should forward to the ISP (not! the FGT), FGT system DNS should be the WinSrv. No FGT DNS server on the LAN port.
This way, the only authoritative NS for the local domain is the WinSrv, for both clients and the FGT.
That could maybe do... but, are we loosing the DNS filtering capabilities of the Fortigate unit, if we configure it this way?
Or, is DNS filtering / blocking implemented elsewhere, and the FGT does not need to forward all DNS traffic to Fortinet servers via its own DNS configuration (i.e. "Fortiguard Servers" label in the DNS configuration section) to analyze it? (see attached image)
TechSupport4415 wrote:I would like to know, as well, if in this scenario we would loose the DNS filter feature.That could maybe do... but, are we loosing the DNS filtering capabilities of the Fortigate unit, if we configure it this way?
Or, is DNS filtering / blocking implemented elsewhere, and the FGT does not need to forward all DNS traffic to Fortinet servers via its own DNS configuration (i.e. "Fortiguard Servers" label in the DNS configuration section) to analyze it? (see attached image)
Plus that, I would like to know if there is a way to use a conditional forwarding for the queries for the Fortigate itself.
Example: Create a policy where destination is a FQDN address like host.myinternaldomain.abc. For those queries (and in this case, the request from the Fortigate to resolve this hostname and then decide to permit the traffic), use my internal domain instead of public ones.
For DNS filtering to work, Fortigate has to see both - query for the DNS record, and answer to it. Which way and who does it is not of interest to Fortigate. If client in LAN queries internal DC as DNS, which in turn goes to ISP/Google DNS and queries on behalf of LAN's client, the FGT would see this query (yes, coming from DC) and if found bad, would replace in the answer IP with the IP of the Fortiguard, then pass this answer to the DC. So, it would still work (DNS filtering) just fine.
BTW Leftovers from older FGT versions (like 4.0?) that you had to have Fortiguard DNS servers set for the FGT itself for FNS filtering to work - not any more. Today you can set both, for LAN clients and FGT itself ANY dns you like, the DNS filtering will work just fine.
Yurisk wrote:Hi, Yurisk!For DNS filtering to work, Fortigate has to see both - query for the DNS record, and answer to it. Which way and who does it is not of interest to Fortigate. If client in LAN queries internal DC as DNS, which in turn goes to ISP/Google DNS and queries on behalf of LAN's client, the FGT would see this query (yes, coming from DC) and if found bad, would replace in the answer IP with the IP of the Fortiguard, then pass this answer to the DC. So, it would still work (DNS filtering) just fine.
BTW Leftovers from older FGT versions (like 4.0?) that you had to have Fortiguard DNS servers set for the FGT itself for FNS filtering to work - not any more. Today you can set both, for LAN clients and FGT itself ANY dns you like, the DNS filtering will work just fine.
Thanks for your reply. Following what you explained, I would need only to use the DNS Filter profile on the policies that permits my internal DNS servers to go to the public DNS servers. That, at least, would prevent my malicious internal queries to be resolved in a bad way. At least in a simply scenario.
The best practice should be to filter this queries before the client reaches the internal DNS server, I think.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1742 | |
1114 | |
760 | |
447 | |
241 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2025 Fortinet, Inc. All Rights Reserved.