The DNS database view can be set to 'public' or 'shadow'. For explicit proxy sessions, FortiGate performs the lookup in the local DNS database only when the zone's view is set to 'shadow'.
For example, FortiGate works as an explicit proxy, and a secondary DNS zone database 'xxxx.yy.com' is created on the FortiGate to receive zone entries (via zone transfer) from the internal DNS server.
FGTTEST # show sys dns
config system dns
    set primary 8.8.8.8
    set secondary 165.21.100.88
end

FGTTEST # show sys dns-database xxxx.yy.com
config system dns-database
    edit "xxxx.yy.com"
        set domain "xxxx.yy.com"
        set type secondary
        set view shadow    <-----
        set forwarder <DNS server IP@ for DNS forwarding>
        set ip-primary <internal DNS server IP@ for zone transfer>
    next
end
With the view set to 'shadow':
- If the HTTP request URL matches the DNS zone database, FortiGate does the DNS lookup in the zone database first.
The dnsproxy debug output below was collected with the following commands (abbreviated forms of 'diagnose debug application dnsproxy -1' and 'diagnose debug enable'):

dia de app dnsproxy -1
dia de e

[worker 0] dns_local_lookup()-2529: vfid=0, real_vfid=0, qname=truckbus.xxxx.yy.com, qtype=1, qclass=1, offset=39, map#=4 max_sz=512
[worker 0] dns_lookup_aa_zone()-608: vfid=0, fqdn=truckbus.xxxx.yy.com
[worker 0] dns_local_lookup()-2581: found zone=xxxx.yy.com domain=xxxx.yy.com    <-----
[worker 0] dnsentry_search()-506: domain=xxxx.yy.com, name=truckbus.xxxx.yy.com, type=1
- If the HTTP request URL does not match the DNS database domain, FortiGate does the lookup with the DNS server configured on the FortiGate:

[worker 0] dns_local_lookup()-2529: vfid=0, real_vfid=0, qname=login.microsoft.com, qtype=1, qclass=1, offset=37, map#=3 max_sz=131072
[worker 0] dns_lookup_aa_zone()-608: vfid=0, fqdn=login.microsoft.com
[worker 0] dns_send_request()-1430
[worker 0] dns_send_resol_request()-1266: orig id: 0x0098 local id: 0x0098 domain=login.microsoft.com
[worker 0] dns_find_best_server()-658: found server: 8.8.8.8 (vfid=0 vrf=0)    <-----
[worker 0] dns_udp_forward_request()-1092: vdom=root req_type=1 domain=login.microsoft.com oif=0
[worker 0] dns_udp_forward_request()-1212: Send 37B to [8.8.8.8]:53 via fd=19 request:1
When the view is set to 'public':
- FortiGate does the DNS lookup for all URLs, including names under the zone database domain, using the DNS server configured on the FortiGate.

[worker 0] dns_local_lookup()-2529: vfid=0, real_vfid=0, qname=truckbus.xxxx.yy.com, qtype=1, qclass=1, offset=39, map#=4 max_sz=512
[worker 0] dns_lookup_aa_zone()-608: vfid=0, fqdn=truckbus.xxxx.yy.com
[worker 0] dns_send_request()-1430
[worker 0] dns_send_resol_request()-1266: orig id: 0x0000 local id: 0xc06d domain=truckbus.xxxx.yy.com
[worker 0] dns_find_best_server()-658: found server: 8.8.8.8 (vfid=0 vrf=0)
[worker 0] dns_udp_forward_request()-1092: vdom=root req_type=1 domain=truckbus.xxxx.yy.com oif=0
[worker 0] dns_udp_forward_request()-1212: Send 39B to [8.8.8.8]:53 via fd=18 request:1

[worker 0] dns_local_lookup()-2529: vfid=0, real_vfid=0, qname=safebrowsing.googleapis.com, qtype=1, qclass=1, offset=45, map#=3 max_sz=512
[worker 0] dns_lookup_aa_zone()-608: vfid=0, fqdn=safebrowsing.googleapis.com
[worker 0] dns_send_request()-1430
[worker 0] dns_send_resol_request()-1266: orig id: 0x0100 local id: 0x0100 domain=safebrowsing.googleapis.com
[worker 0] dns_find_best_server()-658: found server: 8.8.8.8 (vfid=0 vrf=0)
[worker 0] dns_udp_forward_request()-1092: vdom=root req_type=1 domain=safebrowsing.googleapis.com oif=0
[worker 0] dns_udp_forward_request()-1212: Send 45B to [8.8.8.8]:53 via fd=18 request:1
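The practical check behind both captures is whether an internal name resolved from the local zone or was forwarded to the external resolver. The following Python script is an added example, not part of this article or of FortiOS: it parses dnsproxy debug lines in the format shown above, attributes each 'found zone' / 'found server' line to the most recent qname on the same worker, and compares the observed path with the path the configured view should produce. The sample log lines are constructed from the page's captures; the 'found zone' and 'found server' strings are the only anchors it relies on, and the per-worker attribution assumes each worker reports one lookup at a time.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Query:
    """One DNS lookup seen in 'diagnose debug application dnsproxy' output."""
    qname: str
    zone: Optional[str] = None     # local zone that answered (shadow-view hit)
    server: Optional[str] = None   # upstream server the query was forwarded to

    @property
    def path(self) -> str:
        if self.zone:
            return f"local zone {self.zone}"
        if self.server:
            return f"forwarded to {self.server}"
        return "unresolved"


# Patterns taken from the dnsproxy debug lines shown on this page.
WORKER_RE = re.compile(r"\[worker (?P<w>\d+)\]")
LOOKUP_RE = re.compile(r"dns_local_lookup\(\)-\d+: .*?qname=(?P<qname>[^,\s]+)")
ZONE_RE = re.compile(r"found zone=(?P<zone>\S+)")
SERVER_RE = re.compile(r"found server: (?P<server>\S+)")


def parse_dnsproxy_debug(lines: List[str]) -> List[Query]:
    """Attribute zone/server lines to the most recent qname on the same worker."""
    queries: List[Query] = []
    current: Dict[str, Query] = {}  # lookup in progress, keyed by worker id
    for line in lines:
        w = WORKER_RE.search(line)
        wid = w.group("w") if w else "?"
        m = LOOKUP_RE.search(line)
        if m:
            current[wid] = Query(qname=m.group("qname"))
            queries.append(current[wid])
            continue
        q = current.get(wid)
        if q is None:
            continue
        m = ZONE_RE.search(line)
        if m:
            q.zone = m.group("zone")
            continue
        m = SERVER_RE.search(line)
        if m:
            q.server = m.group("server")
    return queries


def expected_path(qname: str, zone_views: Dict[str, str], servers: List[str]) -> str:
    """Model of the rule on this page: only a zone whose view is 'shadow' answers
    explicit-proxy lookups locally; every other name goes to the configured server."""
    for zone, view in zone_views.items():
        if view == "shadow" and (qname == zone or qname.endswith("." + zone)):
            return f"local zone {zone}"
    return f"forwarded to {servers[0]}"


def audit(lines: List[str], zone_views: Dict[str, str],
          servers: List[str]) -> List[Tuple[str, str, str]]:
    """Return (qname, observed path, expected path) for each lookup that did not
    resolve where the intended view says it should, e.g. an internal name sent to
    the external resolver because the zone is still set to 'public'."""
    findings = []
    for q in parse_dnsproxy_debug(lines):
        want = expected_path(q.qname, zone_views, servers)
        if q.path != want:
            findings.append((q.qname, q.path, want))
    return findings


# Constructed sample modelled on the page's capture with the view set to 'shadow'.
SHADOW_LOG = [
    "[worker 0] dns_local_lookup()-2529: vfid=0, real_vfid=0, qname=truckbus.xxxx.yy.com, qtype=1, qclass=1, offset=39, map#=4 max_sz=512",
    "[worker 0] dns_lookup_aa_zone()-608: vfid=0, fqdn=truckbus.xxxx.yy.com",
    "[worker 0] dns_local_lookup()-2581: found zone=xxxx.yy.com domain=xxxx.yy.com",
    "[worker 0] dnsentry_search()-506: domain=xxxx.yy.com, name=truckbus.xxxx.yy.com, type=1",
    "[worker 0] dns_local_lookup()-2529: vfid=0, real_vfid=0, qname=login.microsoft.com, qtype=1, qclass=1, offset=37, map#=3 max_sz=131072",
    "[worker 0] dns_lookup_aa_zone()-608: vfid=0, fqdn=login.microsoft.com",
    "[worker 0] dns_send_request()-1430",
    "[worker 0] dns_find_best_server()-658: found server: 8.8.8.8 (vfid=0 vrf=0)",
]

# Constructed sample with the same zone set to 'public': the internal name is forwarded too.
PUBLIC_LOG = [
    "[worker 0] dns_local_lookup()-2529: vfid=0, real_vfid=0, qname=truckbus.xxxx.yy.com, qtype=1, qclass=1, offset=39, map#=4 max_sz=512",
    "[worker 0] dns_lookup_aa_zone()-608: vfid=0, fqdn=truckbus.xxxx.yy.com",
    "[worker 0] dns_send_request()-1430",
    "[worker 0] dns_find_best_server()-658: found server: 8.8.8.8 (vfid=0 vrf=0)",
]

if __name__ == "__main__":
    for q in parse_dnsproxy_debug(SHADOW_LOG):
        print(q.qname, "->", q.path)
    # Intended view is 'shadow' but the capture shows the internal name leaving the box.
    print(audit(PUBLIC_LOG, {"xxxx.yy.com": "shadow"}, ["8.8.8.8"]))
```

Run it against a saved debug capture after a proxy session to confirm that names under the secondary zone stay on the local database; a non-empty audit result with the zone's intended view set to 'shadow' is the signature of the 'public' behaviour shown in the last capture.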