Hoping I can get some direction on this issue - there is a need to track DNS requests at a per-device and per-user level. Currently, as configured, all requests are showing as coming from the local Domain Controller.
Network setup:
Problem:
When you log into the Fortigate, navigate to Log & Report > DNS Query: All queries are showing a source username as the service account running the Fortinet SSO Collector Agent, with an IP address of the Domain Controller making the DNS query to the configured forwarders.
This means that the Domain Controller is alerting as compromised, even though a workstation is the origination of the DNS request.
Desired Behavior:
DNS Queries should be tracked by the Active Directory username and device IP address of the device making the request; internal domain requests should be directed to query the local Domain Controller(s).
Active Directory internal DNS functionality (like automatic update of A records of workstation hostnames) should remain unchanged, and Windows-based systems should identify that they are on a Windows Domain network.
So far:
We have tried to enable DNS Server functionality on the Fortigate, and configured a secondary/shadow DNS zone for ad.companyinternal.com, with the IP of Primary and DNS Forwarder set to the Active Directory DNS Server.
At this point, once we changed the DHCP scope to point to the Fortigate for DNS, DNS queries to public sites seemed to work, but all internal functionality broke. Things like mapped drives began prompting for credentials, and workstation logins would fail due to failure to resolve a domain controller.
------
Hoping someone has guidance to offer for this scenario - thank you!
I don't remember this correctly because it was a long time ago, but as I remember it has something to do with the domain name. DNS servers will not forward DNS requests for the domains that they have a zone configured for. For example, if FGT has the domain example.com it will not forward the request test.example.com to its forwarders even though it doesn't have this A record. The solution should be to change the zone of the DNS server to something dummy so FGT has to ask the DNS Forwarders for internal domain queries.
So to clarify, you would keep the DNS Zone field to match the internal domain (ad.internaldomain.com in the example), and change the Domain Name field to something invalid?
Created on 05-11-2023 06:23 AM Edited on 05-11-2023 06:26 AM
I was testing in my lab, and the above description applies in cases when the mode is selected as Recursive (at that time I needed to have it like this).
If the mode on the interface is set to "Forward to System DNS", it should forward every query to the DNS Forwarder and will not cause any problem for local A entries (but it will not resolve the local domains specified in FGT like test.eb.eu).
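The two interface modes the reply contrasts, written out as FortiOS CLI as an added illustration (this is not configuration posted in the thread). The interface name port2 and the domain controller address 10.0.0.10 are assumed placeholders; the zone name is the one from the original post, and the CLI keywords correspond to the GUI fields named above (Recursive / Forward to System DNS, DNS Zone, Primary).

```text
# Added example, not from the thread. Assumed: LAN interface "port2" (the one
# the DHCP scope now hands out as DNS server), domain controller 10.0.0.10.

# System DNS: the DC is the server the FortiGate forwards to.
config system dns
    set primary 10.0.0.10
end

# Setup from the post that broke internal resolution: a shadow secondary zone
# for the AD domain, served on an interface in Recursive mode. Per the reply,
# in this mode queries under a configured zone are answered from the
# FortiGate's own copy and never sent to the forwarder, so lookups that only
# the DC can answer (locating a domain controller, mapped drives) fail.
config system dns-database
    edit "ad-shadow"
        set domain "ad.companyinternal.com"
        set type secondary
        set view shadow
        set ip-primary 10.0.0.10
    next
end
config system dns-server
    edit "port2"
        set mode recursive
    next
end

# Mode the reply recommends instead: every query is forwarded to the system
# DNS (the DC), which keeps AD resolution on the DC, while clients still
# send their queries to the FortiGate, so the DNS Query log records the
# workstation's address rather than the DC's. The dns-database zone above is
# not consulted in this mode.
config system dns-server
    edit "port2"
        set mode forward-only
    next
end
```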