Created on 06-09-2015 02:14 PM Edited on 09-02-2024 12:25 AM By Jean-Philippe_P
Description
Scope
FortiGate.
Solution
On the Windows DNS Server:
A slave (secondary) zone is populated by zone transfer from the master, so the transfer must be permitted. In the zone's Zone Transfers settings, add the FortiGate's IP address to the servers allowed to receive the zone. Select 'OK', and select 'OK' again.
Go to Network -> DNS Servers and create a new DNS Database
Type: slave
DNS Zone: test_dns_zone
Domain Name: test_dns_zone.loc
IP of Master: 10.10.54.6
View: Shadow <----- The View must be set to Shadow here; a Shadow zone is only used by the FortiGate's recursive DNS server (see the note on DNS server mode below).
The FortiGate supports the following DNS records:
A Host
AAAA IPv6 host
CNAME Canonical name
MX Mail exchange
NS Name server
PTR Pointer
PTR_V6 IPv6 pointer
SRV records are not in this list, yet Windows AD clients depend on them (for example to locate domain controllers and the LDAP and Kerberos services). For the FortiGate to answer SRV queries for the zone when it is used as the DNS server, a forwarder must be specified on the DNS database configured on the FortiGate; queries for record types the FortiGate does not hold locally are then forwarded to the Windows DNS server.
This is done using the following commands:
config system dns-database
edit "test_dns_zone"
set forwarder "10.10.54.6"
next
end
On the FortiGate, whenever the FortiGate is being used as the DNS server, ensure that a DNS service is configured on the interface whose IP address the clients use as their DNS server. For example:
If users attached to the internal interface want to use the FortiGate as their DNS server, ensure that the users are pointing to an IP address of the local FortiGate (in this case the FortiGate's internal IP address can be used). On the FortiGate, ensure that a DNS service is also created for the interface that the users will be referencing:
Go to Network -> DNS Servers and create a new DNS Service.
Interface: internal
Mode: Recursive
There are three options for DNS server mode on the FortiGate:
Recursive: answers from the local DNS database (Public and Shadow views) and forwards any other query to the system DNS servers.
Non-Recursive: answers only from the local DNS database (Public view) and does not forward queries.
Forward to System DNS: forwards all queries to the system DNS servers and does not use the local DNS database.
Because the mode 'recursive' is used (it serves the Shadow DNS database and forwards everything else), the View 'Shadow' must be selected under 'config system dns-database'. Otherwise the DNS queries will only be forwarded to the FortiGate's system DNS servers, and resolution for the domain test_dns_zone.loc could fail.
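The complete CLI equivalent of the GUI steps above, as an added example that is not part of the original article. It assumes the user-facing interface is named "internal", the Windows DNS/AD server is 10.10.54.6, and the zone is test_dns_zone.loc, as in the article. On FortiOS 7.0 and later the 'ip-master' keyword is named 'ip-primary'.

```fortios
# Added example, not from the original article.
# Assumptions: interface "internal" faces the clients, 10.10.54.6 is the
# Windows DNS/AD server, and test_dns_zone.loc is the AD zone.
# FortiOS 7.0+: replace "set ip-master" with "set ip-primary".

# Slave copy of the Windows zone, in the Shadow view so that the
# recursive DNS server can use it; the forwarder handles record types
# the FortiGate does not hold locally (for example SRV).
config system dns-database
    edit "test_dns_zone"
        set domain "test_dns_zone.loc"
        set type slave
        set view shadow
        set ip-master 10.10.54.6
        set forwarder "10.10.54.6"
    next
end

# DNS service on the interface the clients point to, in recursive mode.
config system dns-server
    edit "internal"
        set mode recursive
    next
end
```

After applying this, a client pointing at the internal IP address should resolve both the A records held in the slave zone and the AD SRV records (for example the standard _ldap._tcp.dc._msdcs.test_dns_zone.loc name) through the FortiGate; the SRV answer comes from the forwarder, not from the local database.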
In the CLI, run the following command on the FortiGate to see the database ('app' is accepted as an abbreviation of 'application'):
diag test application dnsproxy 8
Example output (confirm view=shadow, type=slave, that the forwarder is listed, and that the serial matches the zone serial on the Windows DNS server):
2015-04-23 16:21:08 vfid=0 name=test_dns_zone domain=test_dns_zone.loc ttl=86400 authoritative=1 view=shadow type=slave serial=10 refresh=900
2015-04-23 16:21:08 forwarder:
2015-04-23 16:21:08 10.10.54.6 secure=0
2015-04-23 16:21:08 A: Fortigate_90d.test_dns_zone.loc-->192.168.2.99 (3600)
2015-04-23 16:21:08 A: test1.test_dns_zone.loc-->192.168.2.1 (3600)
2015-04-23 16:21:08 A: test3.test_dns_zone.loc-->192.168.3.4 (3600)
2015-04-23 16:21:08 SOA: test_dns_zone.loc (primary: dc1.test_dns_zone.loc, contact: hostmaster@test_dns_zone.loc, serial: 10)
2015-04-23 16:21:08 NS: test_dns_zone.loc-->dc1.test_dns_zone.loc (0)
2015-04-23 16:21:08 A: test2.test_dns_zone.loc-->192.168.2.3 (3600)
2015-04-23 16:21:08 A: dc1.test_dns_zone.loc-->10.10.54.6 (3600)
2015-04-23 16:21:08 A: lab.test_dns_zone.loc-->192.168.2.2 (3600)
Copyright 2024 Fortinet, Inc. All Rights Reserved.