Hello,
I have some issues with DNS forwarding between two FortiGates (601E and 601F) over a site-to-site VPN tunnel.
In general the VPN is working great and there are no connectivity issues at all.
Main-Site (FG 601F) has some internal DNS zones with entries and some of them forward to other DNS servers. The DNS service is enabled on all interfaces and each client on main site gets all dns entries of Main-FG as it should.
On site B (FG 601E) I tried to create the same DNS zones as on the Main site and entered the Tunnel IP of Main-FG as DNS forwarder. If a client on Site B tries to query anything from those zones from FG-B, it gets no answer. If the client directly queries the Tunnel IP of Main-FG it works, but that's not what I want. Does anyone have an idea what could be wrong? I already experimented with source-ip and stuff, but it didn't help. Both FortiGates have FW 7.4.
Greetings,
daniels7
Hi Daniels7,
You can achieve this by enabling and configuring split DNS on the branch FortiGate firewall. First, you need to enable DNS Database in "Feature Visibility" of the FortiGate.
Log in to FortiGate > System > Feature Visibility > DNS Database. After it is enabled, go to DNS Servers under Network in FortiGate. Then you need to configure the DNS service and attach it to an interface. Please ensure to check "Recursive". You can/may also apply a DNS filter on it.
After that you need to configure the DNS Database and add your local DNS Zone and Domain name. As the branch FortiGate is not the master DNS for your internal DNS Zone on Active Directory, you need to select type as "Slave". Enter the required information and click OK.
You may need to create a policy (or you may already have one) to allow communication from the remote branch office network to your domain controllers in Site A. If the FortiGate is also acting as a DHCP server for your Branch network, then you might need to select "Same as Interface IP" for DNS Server under Network interface.
You will also need to set up your Windows DNS server to do a zone transfer to the FortiGate DNS database.
Under the DNS Database you configure for FortiGate, you may want to put public DNS servers for non-domain lookups in the "Forwarder" section.
https://docs.fortinet.com/document/fortigate/6.4.10/administration-guide/960561/fortigate-dns-server
regards,
Sheikh
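For reference, here is what the branch-side configuration described in the steps above looks like on the CLI. This is an added example, not configuration from either poster or from Fortinet's documentation; the interface name "port2", the zone "example.internal" and the tunnel addresses 10.255.0.1 (main site, a.a.a.a in the thread) and 10.255.0.2 (branch, b.b.b.b) are placeholders I chose, and the lines beginning with "#" are explanatory comments rather than CLI input.

```fortios
# Branch (site B) FortiGate, FortiOS 7.x. All names and addresses are assumed placeholders.

# 1. DNS server listening on the branch LAN interface. Recursive mode is what lets
#    the FortiGate resolve or forward names it is not authoritative for instead of
#    answering NXDOMAIN.
config system dns-server
    edit "port2"
        set mode recursive
    next
end

# 2. Conditional-forwarding zone: no local dns-entry records and authoritative
#    disabled, so every query for *.example.internal is handed to the forwarder.
#    source-ip pins the forwarded query to the branch tunnel address so that it
#    matches the tunnel selectors and the main-site DNS server replies back into
#    the tunnel rather than out some other interface.
config system dns-database
    edit "Internal"
        set status enable
        set domain "example.internal"
        set type primary
        set view shadow
        set authoritative disable
        set forwarder "10.255.0.1"
        set source-ip 10.255.0.2
    next
end
```

Two conditions outside this snippet have to hold for it to work: the main-site FortiGate must have its own DNS server listening on the tunnel interface (so 10.255.0.1 actually answers on port 53), and the tunnel must carry traffic between the two tunnel addresses. To see which side fails, run `diagnose sniffer packet any 'udp port 53' 4 0 l` on the branch FortiGate while a LAN client queries a name in the zone: you should see the client's query arrive on port2, a forwarded query leave on the tunnel interface from 10.255.0.2 to 10.255.0.1, and an answer return. A forwarded query with no answer points at the main-site listener or the tunnel selectors; no forwarded query at all points at the branch DNS server or zone configuration.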
Hi Sheikh,
All of that has already been done, and it doesn't matter whether I set the Zone to Master or Slave; it never works, somehow it seems to ignore the forwarding.
The config of the database is as follows:
show system dns-database
config system dns-database
    edit "Internal"
        set domain "xx.xx"
        set authoritative disable
        set forwarder "a.a.a.a" "z.z.z.z"
        set source-ip b.b.b.b
    next
end
Where a.a.a.a is the Tunnel IP of the Main FG, b.b.b.b is the tunnel IP of FG-B and z.z.z.z is our DC load balancer.
Greetings,
daniels7
Seems like the problem randomly solved itself after the internet connection crashed this morning and the tunnel got reestablished
Had the same situation. Tested from LAN and was not working. Recursive DNS server on the LAN interface.
Started working randomly as well, after I configured SSLVPN to test it and put the DNS service on the SSLVPN interface in recursive mode because I was unable to connect to the workstation in the LAN for testing and the locals were not very IT savvy.
After configuring the SSLVPN it started resolving the subdomain names from the system itself, after that I re-enabled the DNS on the interface and it started working from the local LAN as well.
I like Forti a lot, but it is very sad to see that testing the functionality of the box is inferior to some other vendors, and that it requires some random events, sacrificing a goat to the network gods and divine intervention to make the configuration work, instead of just configuring it and pressing Apply.