Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
daniels7
New Contributor II

issues with DNS Forwarding over site to site VPN IPsec tunnel

Hello,

 

I have some issues with dns forwarding between to fortigates (601E and 601F) over a site to site VPN tunnel.

In general the VPN is working great and there are no connectivity issues at all.

Main-Site (FG 601F) has some internal DNS zones with entries and some of them forward to other DNS servers. The DNS service is enabled on all interfaces and each client on main site gets all dns entries of Main-FG as it should.

On site B (FG 601E) I tried to create the same DNS zones as on Main site and entered the Tunnel IP of Main-FG as DNS forwarder. If a client on Site B tries to query anything from those zones from FG-B it gets no answer. If the client tries to directly query the Tunnel IP of Main-FG it works, but that's not what I want. Does anyone has an idea what could be wrong? I already experimented with source-ip and stuff but it didn't help. Both Fortigates have FW 7.4.

 

Greetings,

daniels7

1 Solution
daniels7
New Contributor II

Seems like the problem randomly solved itself after the internet connection crashed this morning and the tunnel got reestablished

View solution in original post

3 REPLIES 3
Sheikh
Staff
Staff

Hi Daniels7,

 

You can achieve this by enabling and configuring split DNS on the branch FortiGate firewall. At first you need to enable DNS Database in "Feature Visibility" of FortiGate. 

 

Login to FortiGate>>>>System>>>Feature Visibility>>>DNS Database. After it is enabled, then go to DNS Servers under Network in FortiGate. Then you need to configure DNS service and attach it to an Interface. Please ensure to check "Recursive". You can/may also apply DNS filter on it.

 

After that you need to configure DNS Database and add your local DNS Zone and Domain name. As branch FortiGate is not a the master DNS for your internal DNS Zone on active directory, so you need to select type as "Slave". Enter the required information and click OK. 

 

You may need to create a policy "or you may already have" to allow communication from the remote branch office network to your domain controllers in Site A. If the FortiGate is also acting as a DHCP server for your Branch network, then you might need to select "Same as Interface IP" for DNS Server under Network interface.

 

You will also need to set up your Windows DNS server to do zone transfer to the FortiGate DNS database.

 

Under the DNS Database your configure for FortiGate you may want to put public DNS servers for non-domain lookups in the "Forwarder" section.

 

https://docs.fortinet.com/document/fortigate/6.4.10/administration-guide/960561/fortigate-dns-server

 

regards,

 

Sheikh

**If you come across a resolution, kindly show your appreciation by liking and accepting it, ensuring its accessibility for others**
daniels7
New Contributor II

Hi Sheikh,

 

everything of that has already been done and it doesn't matter if I set the Zone to Master or Slave, it never works, somehow it seems to ignore the forwarding.

The config of the database is as following:

show config system dns-database
edit "Internal"
set domain "xx.xx"
set authoritative disable
set forwarder "a.a.a.a" "z.z.z.z"
set source-ip b.b.b.b

next
end

 

Where a.a.a.a is the Tunnel IP of the Main FG, b.b.b.b is the tunnel IP of FG-B and z.z.z.z is our DC loadbalancer

 

Greetings,

daniels7

daniels7
New Contributor II

Seems like the problem randomly solved itself after the internet connection crashed this morning and the tunnel got reestablished

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors