Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Not applicable

Windows DNS server behind Fortigate

Hi guys,

If someone can point me in the right direction, that would be really appreciated. What I am trying to achieve here is getting my Windows DNS server that is sitting behind the FortiGate to perform name resolution for my website.

Registered website name: for this example I am using mywebsite.com. This is from GoDaddy.

My ISP has given me only 1 public IP, which I use as a VIP for load balancing web servers, i.e. 202.XX.XX.XX > round-robins to either 192.168.1.44 or 192.168.1.45.

At the moment, at GoDaddy, I have added an A record @ 202.XX.XX.XX (my public VIP) so all the HTTP requests come to my web servers and people can reach my website. However, I do not want to rely on GoDaddy's DNS and would like my own DNS server. For this I went to GoDaddy's panel and added my DNS server's name under NS records, i.e. RESOLVE1.mywebsite.com. However, this is not working. When I check this via dnsstuff.com, it reports the following:

ns33.domaincontrol.com [216.69.185.17] 203.XX.XX.XX 30ms
resolve1.mywebsite.com [0.0.0.0] Timeout

If I refresh the page, it shows:

ns33.domaincontrol.com [216.69.185.17] 203.XX.XX.XX 30ms
resolve1.mywebsite.com [192.168.1.52] Timeout

Here are my DNS and web server settings:

DNS server IP config settings:
IP 192.168.1.52
Mask 255.255.255.0
Gateway 192.168.1.1 (FortiGate)
DNS 192.168.1.52
Fully qualified name: RESOLVE1.mywebsite.com

Web server 1 IP config settings:
IP 192.168.1.44
Mask 255.255.255.0
Gateway 192.168.1.1 (FortiGate)
DNS 192.168.1.52
Fully qualified name: WEBSERVER1.mywebsite.com

Web server 2 IP config settings:
IP 192.168.1.45
Mask 255.255.255.0
Gateway 192.168.1.1 (FortiGate)
DNS 192.168.1.52
Fully qualified name: WEBSERVER2.mywebsite.com

Can someone please advise:
Do I have to set up port forwarding on the FortiGate?
Do I have to configure any policy on the FortiGate?

Regards,
17 REPLIES
Not applicable

Hi guys,

Here is the diagram of my setup to make things easier.

Regards,
willem
New Contributor

A couple of things:

- First of all, the IP of your DNS server is in a private range, thus cannot be routed on the internet. You need a VIP on your FortiGate from a public IP to that private IP to be able to reach your DNS server from the internet.
- Your VIP needs to forward the DNS port (53).
- You need a policy to allow traffic from the internet via the VIP to your DNS server.

Apart from your questions: although I don't know your environment, I'm pretty sure that the DNS servers of your provider will have a higher availability than yours, so I don't really understand why you would want to do this.
Willem __________________________________ FCNSP (Fortinet Certified Network Security Professional)
Not applicable

Hi Willem,

Thanks for the response. I have 1 static IP (public IP) which I use as a VIP for web servers. Can I use the same VIP for DNS as well? If this is possible, I have gone ahead and set this up. Attached is the screengrab of my FortiGate's interface (is this what your 1st and 2nd comments are telling me to set up on the FortiGate?).

Regarding the policy, if you can let me know in the FortiGate interface's language, that would be appreciated, i.e.:

Source Interface/Zone
Source Address
Destination Interface/Zone
Destination Address
Schedule
Service
Action
Should NAT be checked?

Regards,
Not applicable

Here is the 2nd screengrab for:

> First of all, the IP of your DNS server is in a private range, thus cannot be routed on the internet. You need a VIP on your FortiGate from a public IP to that private IP to be able to reach your DNS server from the internet.
> Your VIP needs to forward the DNS port (53).
veechee
New Contributor

I fail to understand why you would want to host your own DNS. This represents a single point of failure for your entire domain name. Not just your web servers, but for email services, and to even respond telling anyone reaching your site(s) that you actually exist! Some of the largest companies in the world outsource DNS to companies such as UltraDNS to ensure maximum availability. If you don't trust GoDaddy to do it (not sure why not, as they are one of the largest web hosts and domain registrars in the world), I suggest you look at alternative dedicated DNS providers, such as UltraDNS, DynDNS (I use DynDNS for some clients), etc. I see no compelling reason to host your own DNS.

Providers that specialize in this will have:

- multiple DNS servers in multiple physical locations (i.e., more than one data centre)
- multiple internet connections
- fully redundant hardware (firewalls, switches, servers)
- 24/7 staff
- backup power generators for extended power interruptions

Unless you're working for a Fortune 500 company, I doubt you have all the resources listed above, so why do it yourself?!
Not applicable

Hi Veechee,

I completely agree with all your points. I am creating this architecture for our client as an alternate DR solution, and having our own DNS is their business requirement. The only thing remaining in this project is to get the DNS working. If someone can please review the screengrabs I have posted in this thread and let me know how I should configure the policy, that would be really appreciated.

Regards,
ede_pfau
Esteemed Contributor III

I think the main point in question is whether you can use a single external IP for a load-balancing VIP AND other port-forwarding VIPs at the same time. Yes, you can.

You started out correctly with your 'DNS' VIP, but you have to specify tcp/53 and udp/53 for the DNS service. Somehow you mingled port 23 (telnet) in...

Make sure that the policy for DNS

src: 0.0.0.0, interface: wan
dst: DNS_VIP (!!), interface: internal
service: DNS

appears BEFORE the policy with the LB VIP, as it is more specific.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
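The VIP-plus-policy setup that the replies above describe, written out as FortiOS CLI. This is an added example, not configuration posted by anyone in the thread: the public address 203.0.113.10 is a documentation placeholder standing in for the poster's single public IP, the interface names wan1 and internal, the object names, and the policy IDs 5 (the existing load-balancing policy) and 10 (the new DNS policy) are assumptions, and exact keyword quoting differs slightly between FortiOS versions. A port-forwarding VIP carries one protocol, so tcp/53 and udp/53 need two VIP objects; grouping them lets a single policy reference both.

```fortios
# Two port-forwarding VIPs on the same public IP, one per transport.
# (assumed names/addresses; 203.0.113.10 is a placeholder for the real public IP)
config firewall vip
    edit "DNS_VIP_UDP"
        set extip 203.0.113.10
        set extintf "wan1"
        set portforward enable
        set protocol udp
        set mappedip 192.168.1.52
        set extport 53
        set mappedport 53
    next
    edit "DNS_VIP_TCP"
        set extip 203.0.113.10
        set extintf "wan1"
        set portforward enable
        set protocol tcp
        set mappedip 192.168.1.52
        set extport 53
        set mappedport 53
    next
end

# Group them so one policy covers both transports.
config firewall vipgrp
    edit "DNS_VIP_GRP"
        set interface "wan1"
        set member "DNS_VIP_UDP" "DNS_VIP_TCP"
    next
end

# Inbound policy: destination is the VIP object, NOT an address object for
# the public IP; NAT stays disabled (the VIP already does the destination NAT,
# and enabling NAT here would only source-NAT the client, hiding its address
# from the DNS server logs).
config firewall policy
    edit 10
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "DNS_VIP_GRP"
        set action accept
        set schedule "always"
        set service "DNS"
        set nat disable
        set comments "Inbound DNS to RESOLVE1 via VIP"
    next
    # The load-balancing VIP policy (assumed ID 5) matches the same public IP,
    # so the more specific DNS policy must sit above it.
    move 10 before 5
end
```

After applying this, `diagnose sniffer packet wan1 'port 53' 4` shows whether queries from the internet are even arriving on the WAN side and whether they are being forwarded; if nothing arrives, the problem is upstream of the FortiGate. The dnsstuff output in the first post resolves resolve1.mywebsite.com to 192.168.1.52, which suggests the name server's host (glue) record at the registrar still carries the private address; as Willem notes, that address is unroutable, so the registrar record has to point at the public IP the VIP listens on. Once the server is reachable from the whole internet (srcaddr all is unavoidable for an authoritative name server), make sure recursion is disabled on the Windows DNS server so it answers only for its own zones and does not become an open resolver.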
Not applicable

Hi Ede,

I mistakenly entered 23. Changed it to 53. I created 2 VIPs, as I can only select TCP or UDP. So:

203.XX.XX.XX Port Forward UDP 192.168.1.52
20.XX.XX.XX Port Forward TCP 192.168.1.52

Created 2 policies for the above 2 VIPs. Moved them before my LB-VIP. Still no luck. When I query resolve1.mywebsite.com on dnsstuff, it shows:

ns33.domaincontrol.com [216.69.185.17] 203.XX.XX.XX 39ms
resolve1.mywebsite.com [0.0.0.0] Timeout
ede_pfau
Esteemed Contributor III

...but in your first post you wrote

> @ 202.XX.XX.XX (my Public VIP)

not 203.x.x.x... Please post the output of:

conf firewall vip
show
end

and

conf firewall policy
show
end

Ede

"Kernel panic: Aiee, killing interrupt handler!"