Mikelar
New Contributor

Split DNS-Server

I'm having issues configuring a split DNS server on a Fortigate 60D (5.2.2). This will be for a remote branch office with no local DNS server. The goal is to have DNS requests first query a public server (8.8.8.8), then query the internal server (10.1.2.3). This way the vast majority of DNS requests will be going via the internet link, with minimal requests going over an IPsec link.

Below is my DNS server config:

config system dns-server
    edit "internal"
        set mode recursive
        set webfilter-profile ''
    next
end


config system dns-database
    edit "Internal_DNS"
        set status enable
        set domain "company.domain.com"
        set type slave
        set view shadow
        set authoritative disable
        unset forwarder
        set source-ip 0.0.0.0
        set ip-master 10.1.2.3
    next
    edit "Reverse-Subnet"
        set status enable
        set domain "2.1.10.in-addr.arpa"
        set type slave
        set view shadow
        set authoritative disable
        unset forwarder
        set source-ip 0.0.0.0
        set ip-master 10.1.2.3
    next
end

This was taken directly from this thread, but I've been unsuccessful in getting it to work for me. With the above config, DNS requests for internet hosts (www.google.com) work, but DNS requests that should be directed to the internal server are still going to the public server.

It should also be noted that running an nslookup company.domain.com 10.1.2.3 from a client on the internal interface successfully returns results, so I don't think policy/routing is the issue here.

I've also tried using a Master configuration with manual host entries pointing to local file servers. This works successfully, but ultimately I'd prefer to use our existing internal DNS.

Happy to post some debugs or further configs if required.

Cheers.

Mikelar
New Contributor

Think I've sorted this out, I used "set forwarder 10.1.2.3" to point to our internal DNS.
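As an added example (not from the thread or from Fortinet), the following Python models the split-DNS behaviour the poster was after: queries whose name falls inside a configured internal zone (the forward zone and the reverse zone, spelled with a dot as 2.1.10.in-addr.arpa) go to the internal forwarder 10.1.2.3 from the reply, everything else goes to 8.8.8.8. It also scans constructed "qname upstream" log lines for the symptom described in the original post, internal names that were sent to the public resolver. The log format, the function names and the sample lines are assumptions for this example, not FortiGate output.

```python
"""Split-DNS upstream selection and leak check.

Added example, not the forum poster's or Fortinet's code. It models a resolver
that forwards queries for configured internal zones (forward and reverse) to
the internal DNS server and sends everything else to the public resolver.
"""
import ipaddress

# Zones from the thread; the forwarder is the "set forwarder 10.1.2.3" from the reply.
INTERNAL_FORWARDER = "10.1.2.3"
PUBLIC_RESOLVER = "8.8.8.8"
INTERNAL_ZONES = (
    "company.domain.com",
    "2.1.10.in-addr.arpa",   # reverse zone for 10.1.2.0/24 (dotted, not hyphenated)
)


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so suffix matching is exact."""
    return name.lower().rstrip(".")


def reverse_name(ip: str) -> str:
    """Build the PTR query name for an address, e.g. 10.1.2.3 -> 3.2.1.10.in-addr.arpa."""
    return normalize(ipaddress.ip_address(ip).reverse_pointer)


def in_zone(qname: str, zone: str) -> bool:
    """True if qname is the zone apex or a label under it (label-boundary aware,
    so notcompany.domain.com does not match company.domain.com)."""
    q, z = normalize(qname), normalize(zone)
    return q == z or q.endswith("." + z)


def select_upstream(qname: str, zones=INTERNAL_ZONES) -> str:
    """Return the upstream a query for qname should go to: the internal forwarder
    if it falls inside any configured internal zone, else the public resolver."""
    if any(in_zone(qname, z) for z in zones):
        return INTERNAL_FORWARDER
    return PUBLIC_RESOLVER


def find_leaks(log_lines, zones=INTERNAL_ZONES):
    """Scan 'qname upstream' log lines (a constructed format, assumed for this
    example) and return query names that belong to an internal zone but were
    sent to a non-internal upstream. That is the symptom in the original post:
    internal names being answered by 8.8.8.8 instead of 10.1.2.3."""
    leaks = []
    for line in log_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        qname, upstream = line.split()[:2]
        if select_upstream(qname, zones) == INTERNAL_FORWARDER and upstream != INTERNAL_FORWARDER:
            leaks.append(normalize(qname))
    return leaks


# Constructed sample log, not real FortiGate output.
SAMPLE_LOG = """
# qname upstream
www.google.com 8.8.8.8
fileserver.company.domain.com 8.8.8.8
fileserver.company.domain.com 10.1.2.3
3.2.1.10.in-addr.arpa 8.8.8.8
notcompany.domain.com 8.8.8.8
""".splitlines()

if __name__ == "__main__":
    for name in ("www.google.com", "fs1.company.domain.com", reverse_name("10.1.2.3")):
        print(f"{name:40s} -> {select_upstream(name)}")
    print("leaked:", find_leaks(SAMPLE_LOG))
```

Run it as a script to see the dispatch decision for a public name, an internal name and a reverse lookup, followed by the two leaked entries from the sample log. The same `find_leaks` logic can be pointed at a real resolver log once the line format is adapted; any hit means an internal name is still escaping over the public link rather than the IPsec tunnel.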
