issues with DNS Forwarding over site to site VPN IPsec tunnel
I have some issues with dns forwarding between to fortigates (601E and 601F) over a site to site VPN tunnel.
In general the VPN is working great and there are no connectivity issues at all.
Main-Site (FG 601F) has some internal DNS zones with entries and some of them forward to other DNS servers. The DNS service is enabled on all interfaces and each client on main site gets all dns entries of Main-FG as it should.
On site B (FG 601E) I tried to create the same DNS zones as on Main site and entered the Tunnel IP of Main-FG as DNS forwarder. If a client on Site B tries to query anything from those zones from FG-B it gets no answer. If the client tries to directly query the Tunnel IP of Main-FG it works, but that's not what I want. Does anyone has an idea what could be wrong? I already experimented with source-ip and stuff but it didn't help. Both Fortigates have FW 7.4.
You can achieve this by enabling and configuring split DNS on the branch FortiGate firewall. At first you need to enable DNS Database in "Feature Visibility" of FortiGate.
Login to FortiGate>>>>System>>>Feature Visibility>>>DNS Database. After it is enabled, then go to DNS Servers under Network in FortiGate. Then you need to configure DNS service and attach it to an Interface. Please ensure to check "Recursive". You can/may also apply DNS filter on it.
After that you need to configure DNS Database and add your local DNS Zone and Domain name. As branch FortiGate is not a the master DNS for your internal DNS Zone on active directory, so you need to select type as "Slave". Enter the required information and click OK.
You may need to create a policy "or you may already have" to allow communication from the remote branch office network to your domain controllers in Site A. If the FortiGate is also acting as a DHCP server for your Branch network, then you might need to select "Same as Interface IP" for DNS Server under Network interface.
You will also need to set up your Windows DNS server to do zone transfer to the FortiGate DNS database.
Under the DNS Database your configure for FortiGate you may want to put public DNS servers for non-domain lookups in the "Forwarder" section.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.