Cybersecurity Forum


reneVeen
New Contributor

DNS setup with a site to site IPSEC tunnel

Hi y'all

Been trying this for a while now. In our office we have an HA cluster of 2 92Ds. I'm running a network there based on MS servers with 2012R2 domain controllers and DNS. I've got a couple of remote sites connected with 60D boxes. I set up an IPsec tunnel that works well and is very stable. On the remote sites I use DHCP and need to set up my DNS servers at HQ as the DNS to be able to resolve my servers at HQ. Side effect is that those DNS servers have to resolve all traffic. I've been trying to set up a DNS server on the 60D boxes so that everything is handled at the local 60D box.

I activated DNS on the internal interface and tried both recursive and non-recursive, and of course I set up the DNS server on the box to answer for the HQ domain, put in the right IP for the master, set type to slave and view to shadow, and authoritative to enable.

Doesn't seem to work :( so I most humbly ask for some guidance.

Rene

TonyTaylor
New Contributor

...you have to set up split DNS: a local resolver that forwards your internal domains across the tunnel and also acts as the recursive resolver for everything else. Take a look at this. Pretty sure it has been covered many times.

https://forum.fortinet.com/tm.aspx?m=131231

..there are a couple more up there. Make sure you set the source-ip as something that is in the tunnel.



Tony Taylor Technical Ninja and Proprietor, Foundation Republic

832 850 5850 x2500
936 827 5472
Tony@FoundationRepublic.com
www.foundationrepublic.com
723 Main St, Ste 828, Houston Tx 77002
<http://facebook.com/foundationrepublic> <http://twitter.com/jimi_republic>
<http://linkedin.com/foundationrepublic>


TonyTaylor

...another one.

https://forum.fortinet.com/tm.aspx?m=122203

Conditional Forward is probably what you are looking for.


reneVeen

Thx for your reply .

I tried it, deleted and tried again to no avail, feel kind of stupid.

Seems that it doesn't find the "DNS server" on the 60D box. I set it up as split DNS and followed both suggestions. Nothing gets resolved if I use nslookup in the domain (machine.domain.no); when I do an nslookup and specify the DNS server, it works like a dream. So I'm back to using my DNS servers from HQ provided through DHCP.

As said feel a bit stupid.

Rene 

TonyTaylor

You have to turn on the DNS interface that faces wherever your clients are going to hit it from. As an example, if you are using "internal" and clients are able to hit the interface, then this should work. The FGT itself needs to be able to resolve DNS also if you are wanting it to look up on behalf of the client.

config system dns-server
    edit "internal"
        set mode forward-only
    next
end

config system dns-database
    edit "example.local"
        set domain "example.local"
        set authoritative disable
        set forwarder "192.168.100.50"    <-- DNS server on the other side of the tunnel
        set source-ip 192.168.1.99        <-- internal interface that clients can hit
    next
end



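An added offline check for the two points made in the replies above (source-ip must sit inside the tunnel's selectors, and the branch resolver forwards only the HQ domain while everything else goes recursive). This is example code written for this thread, not Fortinet tooling or anything from the posters. It parses a dns-database block in the same shape as the one above; the subnets, the phase2 selectors, the forwarder address and the recursive upstream are constructed placeholders, not real device values.

```python
import ipaddress
import re

# Constructed sample in the shape of the dns-database block in the reply
# above; addresses are illustrative, not from a real device.
DNS_DATABASE_CONFIG = """
config system dns-database
    edit "example.local"
        set domain "example.local"
        set authoritative disable
        set forwarder "192.168.100.50"
        set source-ip 192.168.1.99
    next
end
"""

# Constructed IPsec phase2 selectors: branch LAN (local) and HQ LAN (remote).
PHASE2_LOCAL_SUBNET = "192.168.1.0/24"
PHASE2_REMOTE_SUBNET = "192.168.100.0/24"

# Constructed placeholder for the resolver used for every non-internal name.
RECURSIVE_UPSTREAM = "198.51.100.53"


def parse_dns_database(text):
    """Parse 'config system dns-database' into {zone name: settings}.
    Only the keys relevant to conditional forwarding are kept."""
    zones = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r'^edit "([^"]+)"$', line)
        if m:
            current = m.group(1)
            zones[current] = {"domain": None, "authoritative": None,
                              "forwarders": [], "source_ip": None}
            continue
        if current is None:
            continue
        if line == "next":
            current = None
            continue
        m = re.match(r'^set (\S+) (.+)$', line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).replace('"', "")
        zone = zones[current]
        if key == "domain":
            zone["domain"] = value
        elif key == "authoritative":
            zone["authoritative"] = value
        elif key == "forwarder":
            zone["forwarders"] = value.split()
        elif key == "source-ip":
            zone["source_ip"] = value
    return zones


def check_tunnel_path(zone, local_subnet, remote_subnet):
    """List the problems that would keep forwarded queries off the IPsec
    tunnel: a forwarder outside the remote selector, or a source-ip that is
    unset or outside the local selector (the point made in the replies)."""
    local = ipaddress.ip_network(local_subnet)
    remote = ipaddress.ip_network(remote_subnet)
    problems = []
    if not zone["forwarders"]:
        problems.append("no forwarder configured; zone would be answered from local records only")
    for fwd in zone["forwarders"]:
        if ipaddress.ip_address(fwd) not in remote:
            problems.append(f"forwarder {fwd} is outside the tunnel's remote selector {remote}")
    src = zone["source_ip"]
    if src is None or src == "0.0.0.0":
        problems.append("source-ip unset; queries would egress with the WAN address and miss the tunnel")
    elif ipaddress.ip_address(src) not in local:
        problems.append(f"source-ip {src} is outside the tunnel's local selector {local}")
    return problems


def pick_resolver(qname, zones, recursive_upstream):
    """Conditional-forwarding decision: the longest configured domain that
    matches the query name wins and its first forwarder is used; every
    other name goes to the recursive upstream."""
    name = qname.rstrip(".").lower()
    best = None
    for zone in zones.values():
        domain = (zone["domain"] or "").lower()
        if domain and (name == domain or name.endswith("." + domain)):
            if best is None or len(domain) > len(best["domain"]):
                best = zone
    if best is not None and best["forwarders"]:
        return ("forward", best["forwarders"][0])
    return ("recursive", recursive_upstream)


if __name__ == "__main__":
    zones = parse_dns_database(DNS_DATABASE_CONFIG)
    for name, zone in zones.items():
        issues = check_tunnel_path(zone, PHASE2_LOCAL_SUBNET, PHASE2_REMOTE_SUBNET)
        print(name, "OK" if not issues else issues)
    for q in ("fileserver.example.local", "www.example.com"):
        print(q, "->", pick_resolver(q, zones, RECURSIVE_UPSTREAM))
```

Paste a real dns-database block and the phase2 selectors in place of the constructed values to get the same report for a live branch box; the suffix match deliberately requires a dot boundary so that a name like notexample.local is not sent across the tunnel.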
reneVeen

THX Tony.

That did the trick. Suddenly I realised what you meant with source-ip; works like a dream now.

PS: the DNS-server setting is recursive; forward-only didn't work.

Again, thx for your help and insight.

Rene