Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Not applicable

Created on ‎12-05-2010 07:07 AM

Windows DNS server behind Fortigate

Hi guys, If someone can point me to the right direction, that would be really appreciated. What I am trying to achieve here is getting my Windows DNS server that is sitting behind Fortigate to perform name resolution for my website. Registered Website name: For this example I am using - mywebsite.com This is from Godaddy. My ISP has given me only 1 Public IP which I use as a VIP for load balancing webservers. i.e. 202.XX.XX.XX > Round robins either 192.168.1.44 or 192.168.1.45 At the moment, At GoDaddy, I have added an A record @ 202.XX.XX.XX (my Public VIP) so all the http requests come to my webservers and people can reach my website. However, I do not want to rely on Godaddy' s DNS and would like my own DNS server. For this I went to Godaddy' s panel and added my DNS server' s name under NS records. i.e. RESOLVE1.mywebsite.com However, this is not working. When I check this via dnsstuff.com, it reports the following: ns33.domaincontrol.com [216.69.185.17] 203.XX.XX.XX 30ms resolve1.mywebsite.com [0.0.0.0] Timeout If I refresh the page, it shows - ns33.domaincontrol.com [216.69.185.17] 203.XX.XX.XX 30ms resolve1.mywebsite.com [192.168.1.52] Timeout Here are my DNS and webserver settings: DNS Server IP config settings: IP 192.168.1.52 Mask 255.255.255.0 Gateway 192.168.1.1 (Fortigate) DNS 192.168.1.52 Fully qualified name: RESOLVE1.mywebsite.com WEB Server 1 IP config settings: IP 192.168.1.44 Mask 255.255.255.0 Gateway 192.168.1.1 (Fortigate) DNS 192.168.1.52 Fully qualified name: WEBSERVER1.mywebsite.com WEB Server 2 IP config settings: IP 192.168.1.45 Mask 255.255.255.0 Gateway 192.168.1.1 (Fortigate) DNS 192.168.1.52 Fully qualified name: WEBSERVER2.mywebsite.com Can some one please advise: Do I have to set up Port Forwarding on Fortigate? Do I have to configure any policy on Fortigate? Regards,
10712
0 Kudos
17 REPLIES 17
Not applicable

Created on ‎12-05-2010 07:26 AM

Hi guys, Here is the diagram of my setup to make things more easy - Regards,
Preview file
43 KB
5737
0 Kudos
willem
New Contributor

Created on ‎12-05-2010 10:13 AM

Couple of things: - first of all the IP of your DNS-server is in a private range, thus cannot be routed on internet. You need a VIP on your FortiGate from an public IP to that private IP to be able to reach your DNS-server from internet. - your VIP needs to forward DNS-ports (53). - you need a policy to allow traffic from internet via the VIP to your DNS-server. Apart from your questions: although I don' t know your environment, I' m pretty sure that the DNS-servers of your provider will have a higher availability as yours, so I don' t really understand why you would want to do this?
Willem __________________________________ FCNSP (Fortinet Certified Network Security Professional)
Willem __________________________________ FCNSP (Fortinet Certified Network Security Professional)
5737
0 Kudos
Not applicable

Created on ‎12-05-2010 10:48 AM

Hi Willem, Thanks for the response. I have 1 static IP (public IP) which I use as a VIP for Webservers. Can I use the same VIP for DNS as well? If this is possible, I have gone ahead and set this up. Attached is the screengrab of my Fortigate' s interface. (is this what your 1st and 2nd comment telling to setup on the Fortigate). Regarding the Policy, if you can let me know in Fortigate' s interface language, that would be appreciated i.e. Source Interface/Zone Source Address Destination Interface/Zone Destination Address Schedule Service Action Should NAT be checked? Regards,
Preview file
42 KB
5738
0 Kudos
Not applicable

Created on ‎12-05-2010 10:49 AM

Here is the 2nd screengrab for - - first of all the IP of your DNS-server is in a private range, thus cannot be routed on internet. You need a VIP on your FortiGate from an public IP to that private IP to be able to reach your DNS-server from internet. - your VIP needs to forward DNS-ports (53).
Preview file
38 KB
5738
0 Kudos
veechee
New Contributor

Created on ‎12-05-2010 07:43 PM

I fail to understand why you would want to host your own DNS. This represents a single point of failure for your entire domain name. Not just your web servers, but for email services, and to even respond telling anyone reaching your site(s) that you actually exist! Some of the largest companies in the world outsource DNS to companies such as UltraDNS to ensure maximum availability. If you don' t trust GoDaddy to do it (not sure why not as they are one of the largest web hosts and domain registrars in the world), I suggest you look at alternative dedicated DNS providers, such as UltraDNS, DynDNS (I use DynDNS for some clients), etc. I see no compelling reason to host your own DNS. Providers that specialize in this will have: - multiple DNS servers in multiple physical locations (i.e., more than one data centre) - multiple Internet connections - fully redundant hardware (firewalls, switches, servers) - 24/7 staff - backup power generators for extended power interruptions Unless you' re working for a Fortune 500 company, I doubt you have all the resources listed above, so why do it yourself?!
5738
0 Kudos
Not applicable

Created on ‎12-05-2010 07:53 PM

Hi Veechee, Completely agree with all your points. I am creating this architecture for our client as an alternate DR solution and having our own DNS is their business requirement. The only thing remaining in this project is to get the DNS working. If someone can please review the screengrabs I have posted in this post and let me know how should I configure the policy that would be really appreciated. Regards,
5738
0 Kudos
ede_pfau
SuperUser
SuperUser

Created on ‎12-06-2010 12:09 AM

I think the main point in question is whether you can use a single external IP for a load-balancing VIP AND other port-forwarding VIPs at the same time. Yes, you can. You started out correctly with your ' DNS' -VIP but you have to specify tcp/53 and udp/53 for the DNS service. Somehow you mingled port 23 (telnet) in... Make sure that the policy for DNS src: 0.0.0.0, interface: wan dst: DNS_VIP (!!), interface: internal service: DNS appears BEFORE the policy with the LB VIP as it is more specific.
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
5738
0 Kudos
Not applicable

Created on ‎12-06-2010 12:23 AM

Hi Ede, I mistakenly entered 23. Changed it to 53. I created 2 VIPS as I can only select TCP or UDP. So 203.XX.XX.XX Port Forward UDP 192.168.1.52 20.XX.XX.XX Port Forward TCP 192.168.1.52 Created 2 policies for the above 2 VIPs. Moved them before my LB-VIP. Still no luck. When I query resolve1.mywebsite.com on dnsstuff, it shows - ns33.domaincontrol.com [216.69.185.17] 203.XX.XX.XX 39ms resolve1.mywebsite.com [0.0.0.0] Timeout
5738
0 Kudos
ede_pfau
SuperUser
SuperUser

Created on ‎12-06-2010 12:30 AM

...but in your first post you wrote
@ 202.XX.XX.XX (my Public VIP)
not 203.x.x.x... please post: conf firewall vip show end and conf firewall policy show end
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
5738
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.