DLee7890

Tracking per-system and per-user DNS requests while utilizing Active Directory for internal DNS

Hoping I can get some direction on this issue: there is a need to track DNS requests at a per-device and per-user level. Currently, as configured, all requests are showing as coming from the local Domain Controller.

Network setup:

  • LAN runs on Microsoft's Active Directory, where DHCP and DNS (internal and external requests) are being managed by a Windows Server Domain Controller.
    • Windows DHCP server is setting the domain controller as DNS for all DHCP clients
    • Windows DNS Forwarders are currently set to use public DNS servers
  • There is an on-premises FortiGate running 7.0.11, with Active Directory integration configured via an install of the Fortinet SSO Collector Agent.

Problem:

When you log into the FortiGate and navigate to Log & Report > DNS Query, all queries are showing a source username of the service account running the Fortinet SSO Collector Agent, with the IP address of the Domain Controller making the DNS query to the configured forwarders.

This means that the Domain Controller is alerting as compromised, even though a workstation is the origin of the DNS request.

Desired Behavior:

DNS queries should be tracked by the Active Directory username and the IP address of the device making the request; internal domain requests should be directed to the local Domain Controller(s).

Active Directory internal DNS functionality (like automatic update of A records of workstation hostnames) should remain unchanged, and Windows-based systems should identify that they are on a Windows Domain network.

So far:

We have tried enabling the DNS Server functionality on the FortiGate and configured a secondary/shadow DNS zone for ad.companyinternal.com, with the IP of Primary and the DNS Forwarder set to the Active Directory DNS server.

[attachment: DNSConfig.JPG]

At this point, once we changed the DHCP scope to point to the FortiGate for DNS, DNS queries to public sites seemed to work, but all internal functionality broke. Things like mapped drives began prompting for credentials, and workstation logins would fail due to a failure to resolve a domain controller.

------

Hoping someone has guidance to offer for this scenario. Thank you!

ebilcari
Staff

I don't remember this correctly because it was a long time ago, but as I remember it has something to do with the domain name. DNS servers will not forward DNS requests for the domains for which they have a zone configured. For example, if the FGT has the domain example.com, it will not forward the request for test.example.com to its forwarders even though it doesn't have an A record for it. The solution should be to change the zone of the DNS server to something dummy so the FGT has to ask the DNS forwarders for internal domain queries.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
DLee7890

So to clarify, you would keep the DNS Zone field matching the internal domain (ad.internaldomain.com in the example) and change the Domain Name field to something invalid?

ebilcari

I was testing in my lab, and the above description applies when the mode is set to Recursive (at that time I needed to have it like this).
If the mode in the interface is set to "Forward to System DNS", it should forward every query to the DNS Forwarder and will not cause any problems for local A entries (but it will not resolve the local domains specified in the FGT, like test.eb.eu).

[attachment: recursive.PNG]

- Emirjon
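The two replies above describe a forwarding rule that is easy to get wrong when a firewall's DNS server sits in front of an Active Directory domain. The following Python model is an added example, not code from this thread or from Fortinet: it shows the three configurations discussed (recursive mode with a zone named after the AD domain, recursive mode with the zone renamed to a dummy name, and "Forward to System DNS") and how each one answers a query for a record that only the Domain Controller holds. The zone names, the 10.0.0.x/203.0.113.x records, the mode strings and the upstream answer table are constructed for the example and stand in for the real DC and forwarders.

```python
"""Toy model of the forwarding decision described in this thread: a DNS server
that holds a zone for example.com answers NXDOMAIN for test.example.com itself
instead of forwarding it, while a pure forwarding mode sends everything upstream.
Added illustration only, not FortiOS code; zone names, records, mode names and
upstream answers are constructed for the example."""

from dataclasses import dataclass, field


@dataclass
class Zone:
    """A locally configured zone: apex name plus its A records (constructed)."""
    name: str
    records: dict = field(default_factory=dict)


@dataclass
class DnsServer:
    """mode is 'recursive' (consult local zones first) or 'forward'
    (send every query to the configured forwarders, ignoring local zones)."""
    mode: str
    zones: list
    forwarders: dict  # stand-in for the answers the upstream forwarders give

    def zone_for(self, qname):
        """Return the most specific local zone that contains qname, or None."""
        best = None
        for zone in self.zones:
            if qname == zone.name or qname.endswith("." + zone.name):
                if best is None or len(zone.name) > len(best.name):
                    best = zone
        return best

    def resolve(self, qname):
        """Return (answer_source, answer) for an A query on qname."""
        qname = qname.rstrip(".").lower()
        zone = None if self.mode == "forward" else self.zone_for(qname)
        if zone is not None:
            # Authoritative for the zone: answer from local data only. A name
            # missing from the zone gets NXDOMAIN and is never forwarded, which
            # is why AD records held only on the DC stop resolving.
            return ("local-zone", zone.records.get(qname, "NXDOMAIN"))
        return ("forwarder", self.forwarders.get(qname, "NXDOMAIN"))


# Constructed upstream data: what the AD DNS server / public DNS would return.
UPSTREAM = {
    "dc01.ad.companyinternal.com": "10.0.0.10",
    "fileserver.ad.companyinternal.com": "10.0.0.20",
    "www.fortinet.com": "203.0.113.10",
}


def broken_setup():
    """Recursive mode with a local zone named after the AD domain, as in the
    original post: inside that domain only names the FGT holds itself resolve."""
    zone = Zone("ad.companyinternal.com", {"fgt.ad.companyinternal.com": "10.0.0.1"})
    return DnsServer("recursive", [zone], UPSTREAM)


def renamed_zone_setup():
    """Workaround from the first reply: give the local zone a dummy name so
    AD-domain queries no longer match it and are forwarded to the DC."""
    zone = Zone("fgt-local.invalid", {"fgt.fgt-local.invalid": "10.0.0.1"})
    return DnsServer("recursive", [zone], UPSTREAM)


def forward_setup():
    """'Forward to System DNS' mode: everything goes upstream and the local
    zone data is not consulted at all."""
    zone = Zone("ad.companyinternal.com", {"fgt.ad.companyinternal.com": "10.0.0.1"})
    return DnsServer("forward", [zone], UPSTREAM)


if __name__ == "__main__":
    setups = [("broken", broken_setup()),
              ("renamed-zone", renamed_zone_setup()),
              ("forward", forward_setup())]
    names = ("dc01.ad.companyinternal.com",
             "fgt.ad.companyinternal.com",
             "www.fortinet.com")
    for label, server in setups:
        for name in names:
            print(label, name, server.resolve(name))
```

Running the script shows the failure mode from the original post directly: in the "broken" setup the domain controller's own A record comes back as NXDOMAIN from the local zone, so domain logons and mapped drives cannot find a DC, while public names still resolve through the forwarders. Renaming the zone or switching to forward mode makes the DC record reach the forwarders again, at the cost (in forward mode) of the FGT's own local entries.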