FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
vrajendran
Staff
Staff
Article Id 192942

Description

 

This article shows how to set up a FortiGate as a slave DNS server to a Windows DNS  master server.

In this example the FortiGate is at Site A and the Windows DNS server is at Site B.  The two sites are connected by a VPN.  The FortiGate has an internal IP of 192.168.2.99, and the Windows AD DNS server has an IP of 10.10.54.6.

jsorensen_FD36649_tn_FD36649-1.jpg

 

Scope

 

FortiGate.


Solution

 

On the Windows DNS Server.

 

  • On the Windows DNS server launch DNS Manager, select the DNS zone in question, and find the Start of Authority (SOA) record. 
  • Go to the Zone Transfers tab and select 'Allow zone transfers' and 'To any server'. 
  • Select 'Notify' and pick 'The following servers'.

Add the FortiGate's IP address. Select 'Ok', and select 'Ok' again.

jsorensen_FD36649_tn_FD36649-2.jpg
 
  • On the FortiGate.

    Go to System -> Config -> Features, select Show More, and turn on DNS Database (select 'Apply').


Go to Network -> DNS Servers and create a new DNS Database

Type: slave
DNS Zone: test_dns_zone
Domain Name: test_dns_zone.loc
IP of Master: 10.10.54.6
View: Shadow   <----- The View option needs to be selected as a shadow on this point.


The FortiGate supports the following DNS records:

 

A         Host
AAAA      IPv6 host
CNAME     Canonical name
MX        Mail exchange
NS        Name server
PTR       Pointer
PTR_V6    IPv6 pointer

 

With Windows AD, a common and necessary record type is an SRV record, to resolve these with the FortiGate as the DNS server, a forwarder must be specified on the DNS-database configured on the FortiGate.  

 

This is done using the following commands:

 

config system dns-database

    edit "test_dns_zone"

        set forwarder "10.10.54.6"

    next

end

 

 
If the DNS server is over a VPN, which is the case in this example, a source IP may need to be specified for FortiGate to use to get its DNS database from the AD server. 
 
This can be done with the following commands:

config system dns-database
    edit "test_dns_zone"
        set source-ip 192.168.2.99
    next
end
 

On the FortiGate, whenever the FortiGate is being used as the DNS server, ensure that the interface that is being referenced as the server has a DNS service set.ex.

If users attached to the internal interfaces want to use the FortiGate as their DNS server, ensure that the users are pointing to an IP address of the local FortiGate (in this case the FortiGate's internal IP address can be used). On the FortiGate ensure that a DNS service is also created for the interface that the users will be referencing:

Go to System -> DNS Servers and create a new DNS Service.
Interface: internal
Mode: Recursive

There are three options for DNS server mode on the FortiGate:

 

  • recursive: Shadow DNS database and forward.
  • non-recursive Public DNS database only.
  •  forward-only Forward only.

 

As the mode 'recursive' is used (this will shadow DNS database and forward), the option View 'Shadow' needs to be selected under 'config system dns-database' otherwise the DNS queries will be only forwarded to the FortiGate system DNS servers and resolution for domain test_dns_zone could fail.


In the CLI run the following command on the FortiGate to see the database:


diag test application dnsproxy 8
diag test app dnsproxy 8

 

Example output:

 

2015-04-23 16:21:08 vfid=0 name=test_dns_zone domain=test_dns_zone.loc ttl=86400 authoritative=1 view=shadow type=slave serial=10 refresh=900
2015-04-23 16:21:08 forwarder:
2015-04-23 16:21:08 10.10.54.6 secure=0
2015-04-23 16:21:08   2015-04-23 16:21:08     A: Fortigate_90d.test_dns_zone.loc-->192.168.2.992015-04-23 16:21:08 (3600)2015-04-23 16:21:08
2015-04-23 16:21:08   2015-04-23 16:21:08     A: test1.test_dns_zone.loc-->192.168.2.12015-04-23 16:21:08 (3600)2015-04-23 16:21:08
2015-04-23 16:21:08   2015-04-23 16:21:08     A: test3.test_dns_zone.loc-->192.168.3.42015-04-23 16:21:08 (3600)2015-04-23 16:21:08
2015-04-23 16:21:08   2015-04-23 16:21:08   SOA: test_dns_zone.loc (primary: dc1.test_dns_zone.loc, contact: hostmaster@test_dns_zone.loc, serial: 10)
2015-04-23 16:21:08   2015-04-23 16:21:08    NS: test_dns_zone.loc-->dc1.test_dns_zone.loc2015-04-23 16:21:08 (0)2015-04-23 16:21:08
2015-04-23 16:21:08   2015-04-23 16:21:08     A: test2.test_dns_zone.loc-->192.168.2.32015-04-23 16:21:08 (3600)2015-04-23 16:21:08
2015-04-23 16:21:08   2015-04-23 16:21:08     A: dc1.test_dns_zone.loc-->10.10.54.62015-04-23 16:21:08 (3600)2015-04-23 16:21:08
2015-04-23 16:21:08   2015-04-23 16:21:08     A: lab.test_dns_zone.loc-->192.168.2.22015-04-23 16:21:08 (3600)2015-04-23 16:21:08
2015-04-23 16:21:08