jimmyt
New Contributor

Split DNS for Explicit Proxy

I have a Fortigate 600B that is used as a web proxy server. For name resolution the Fortigate uses one of our corporate DNS servers. It also has a small number of zones in its local DNS database. My issue is that now for one of the zones I require the Fortigate to look at its internal database for some entries but, if there are no specific host entries in the local zone, then do a lookup on our corporate DNS server. At the moment if the host entry is not found in the zone in its local DNS then the lookup bombs. I know that a split DNS configuration can be done for user DNS lookups but I can't get this working for the lookups required by the explicit proxy. Any ideas?
emnoc
Esteemed Contributor III

So do you have the dns setup set for recursive or non-recursive lookup? Can you provide a clear example of the host/domain that's giving you a problem? I think you need some type of forwarder statement, but I don't recall FGT even offering a forwarder function within the integral dns-server. I think the big problem you are trying to describe (not clear on what it is really) is you are expecting the fgt to look up the host within its zone and then, if not found, perform yet another host lookup at some external corp dns-server.
My issue is that now for one of the zones I require the Fortigate to look at its internal database for some entries but, if there are no specific host entries in the local zone, then do a lookup on our corporate DNS server. At the moment if the host entry is not found in the zone in its local DNS then the lookup bombs.
I don't think you can do that with any dns-server as far as that goes, outside of MS Windows' screwed up dns-server installation. If you're authoritative for that zone, then you are authoritative. If not, send the lookup to another dns-server. That's how it should work.

PCNSE 

NSE 

StrongSwan  
rwpatterson
Valued Contributor III

I agree with what Emnoc said. I would create a view on the corporate DNS server, and move those requests over there. It's more versatile.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
ede_pfau
SuperUser

Didn't they mention in the 4.00 MR3 Release Notes that they've expanded the DNS configuration to add a non-authoritative DNS server?
Ede Kernel panic: Aiee, killing interrupt handler!
jimmyt
New Contributor

Thanks for the replies everybody. We're running 4.0 MR1 so the local non-authoritative DNS server isn't available. The solution to this, as was suggested by a few of you, was to move this zone to our corporate Unix DNS server. The zone was then made non-authoritative. The local entries for that zone are now resolved by the Unix DNS server and anything else for that one is resolved by Internet DNS.
laf
New Contributor II

Hi guys, I need to set up a small DNS server on an FGT 60C running MR2 patch 8. I read the admin guide, but I do not understand what the meaning of the DNS Zone name is. What do you usually set up there? Many thanks, laf.

The most expensive and scarce resource for man is time, paradoxically, it' s infinite.
ede_pfau
SuperUser

The DNS zone name is the domain for which DNS requests are handled. So, a DNS zone "youtube.com" would have entries (hosts) named like "www", "ftp". Be aware that if you have a zone on the FGT, in 4.2 it is "authoritative". Requests for hostnames from that zone which are not in the FGT's list are answered with a "host unknown". So you have to put in all known hostnames of that zone if you tell your users to use the FGT's DNS.
Ede Kernel panic: Aiee, killing interrupt handler!
laf
New Contributor II

Hi mate, thanks for the answer. That was my understanding too, but when configuring I saw it has no impact. And the important thing is the domain name and NOT the dns zone name. Here is my config:
 config system dns-database
     edit "ClassHQ"
         config dns-entry
             edit 1
                 set hostname "172.20.20.1"
                 set type NS
             next
             edit 2
                 set hostname "laf"
                 set ip 172.20.20.15
             next
             edit 3
                 set hostname "ns"
                 set ip 172.20.20.1
             next
             edit 4
                 set hostname "hyperv"
                 set ip 172.20.20.13
             next
             edit 5
                 set hostname "gns"
                 set ip 172.20.20.14
             next
         end
         set domain "class.local"
         set ttl 3600
     next
 end
Now here is some nslookup output:
 C:\WINDOWS>nslookup
 *** Can't find server name for address 172.20.20.1: Non-existent domain
 *** Default servers are not available
 Default Server:  UnKnown
 Address:  172.20.20.1

 > laf
 Server:  UnKnown
 Address:  172.20.20.1

 *** UnKnown can't find laf: Non-existent domain
 > laf
 Server:  UnKnown
 Address:  172.20.20.1

 *** UnKnown can't find laf: Non-existent domain
 > laf.class.local
 Server:  UnKnown
 Address:  172.20.20.1

 Name:    laf.class.local
 Address:  172.20.20.15

 > ns
 Server:  UnKnown
 Address:  172.20.20.1

 *** UnKnown can't find ns: Non-existent domain
 > ns.class.local
 Server:  UnKnown
 Address:  172.20.20.1

 Name:    ns.class.local
 Address:  172.20.20.1
Until now, if I use the configured DNS DOMAIN NAME it resolves ok. Now for the DNS ZONE NAME:
 > ns.classhq
 Server:  UnKnown
 Address:  172.20.20.1

 *** UnKnown can't find ns.classhq: Non-existent domain
 > ns.classhq.class.local
 Server:  UnKnown
 Address:  172.20.20.1

 *** UnKnown can't find ns.classhq.class.local: Non-existent domain
 > ns.class.local.classhq
 Server:  UnKnown
 Address:  172.20.20.1

 *** UnKnown can't find ns.class.local.classhq: Non-existent domain
 >
Do you have a configured DNS database? Maybe I can understand this better. I also searched for a KB article but no luck.

The most expensive and scarce resource for man is time, paradoxically, it' s infinite.
ede_pfau
SuperUser

There is nothing special with your setup.
1. If you don't use/configure a "search domain" on your client (PC) then you have to enter 'hostname.domain.tld' every time to get a response.
2. You are right, the zone name is only relevant locally on the FGT to distinguish different DNS configs. This is stated e.g. in the CLI Guide.
3. Your host #1 is set up wrong: set hostname "172.20.20.1" refers to a host with that name, not the IP address of that host! The FortiOS implementation of a DNS does not support PTR records for reverse lookup. You cannot resolve an IP to a hostname with it. That's why you see the nslookup messages all the time ("*** Can't find server name for address 172.20.20.1: Non-existent domain *** Default servers are not available Default Server: UnKnown Address: 172.20.20.1"). The 'Non-existent domain' error code is distracting here.
4. The NS record type is (only) useful if you query for NS records:
 nslookup
 > (interactive prompt now)
 > set type=NS
 > beneicke-edv.de
 Server:  UnKnown
 Address:  192.168.234.1

 beneicke-edv.de nameserver = gate.beneicke-edv.de
 gate.beneicke-edv.de    internet address = 192.168.234.1
Remember to reset the type to hostnames afterwards, "set type=A". You exit the interactive mode with "exit".
5. The FGT DNS does not support/allow zone transfers. That is, you cannot list all host entries at once.
Ede Kernel panic: Aiee, killing interrupt handler!
Maik
New Contributor II

The FortiOS implementation of a DNS does not support PTR records for reverse lookup. You cannot resolve an IP to a hostname with it.
For MR3, this is not correct. FortiOS supports reverse zones and PTR records. But you define reverse zones in their own zone ending with in-addr.arpa, e.g. 3.168.192.in-addr.arpa for 192.168.3.x.
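To make concrete the behaviour ede_pfau describes (the zone name is a local label and only "domain" is matched, a client without a search domain must send the FQDN, and an authoritative zone answers "host unknown" for anything it does not list) together with the in-addr.arpa reverse zones Maik mentions, here is a small Python model added to this thread. It is not FortiOS code and does not use any FortiOS API; ZONES, resolve, non_authoritative and reverse_name are constructed names, and the zone data loosely mirrors laf's config.

```python
import ipaddress

# Added illustration, not FortiOS code: a FortiGate-style DNS database is a
# set of zones keyed by a local label ("zone name") that match queries only
# on their "domain". Constructed data loosely mirrors laf's config, plus a
# reverse zone of the kind Maik describes (PTR data in *.in-addr.arpa).
NXDOMAIN = "NXDOMAIN"   # authoritative "host unknown" reply
FORWARD = "FORWARD"     # miss handed to the upstream (corporate) server

ZONES = {
    "ClassHQ": {                       # zone name: never part of a query
        "domain": "class.local",       # this is what queries are matched on
        "authoritative": True,
        "entries": {"laf": "172.20.20.15", "ns": "172.20.20.1",
                    "hyperv": "172.20.20.13", "gns": "172.20.20.14"},
    },
    "ClassHQ-rev": {
        "domain": "20.20.172.in-addr.arpa",
        "authoritative": True,
        "entries": {"15": "laf.class.local", "1": "ns.class.local"},
    },
}

def resolve(qname, zones=ZONES, search_domain=None):
    """Answer a query name from the local zones, or say what happens to it.
    A bare label is completed only when the client has a search domain
    (ede_pfau's point 1); otherwise it matches no zone and goes upstream."""
    qname = qname.rstrip(".").lower()
    if "." not in qname and search_domain:
        qname = f"{qname}.{search_domain.lower()}"
    for zone in zones.values():
        suffix = "." + zone["domain"].lower()
        if not qname.endswith(suffix):
            continue                   # e.g. "ns.classhq" matches nothing
        host = qname[: -len(suffix)]
        if host in zone["entries"]:
            return zone["entries"][host]
        # An authoritative zone refuses anything it does not list; a
        # non-authoritative zone lets the miss go to the upstream server.
        return NXDOMAIN if zone["authoritative"] else FORWARD
    return FORWARD

def non_authoritative(zones):
    """Same zones with 'authoritative' cleared (the MR3-style option)."""
    return {n: {**z, "authoritative": False} for n, z in zones.items()}

def reverse_name(ip):
    """in-addr.arpa name for an IPv4 address, e.g. 15.20.20.172.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer
```

Running resolve over the names from laf's nslookup session reproduces the pattern in the thread: only names under the configured domain are answered locally, and a listed host in an authoritative zone resolves while an unlisted one is refused rather than forwarded.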