bosco_rsa
New Contributor

Block and redirect all external DNS requests

Hi All

I have a pihole server on my network that is responsible for all DNS and DHCP. The pihole is configured to use cloudflared DoH for added security.

I have added a lan-wan policy on my FortiGate 30E that blocks all DNS udp/53 requests to the internet. This is working well, but I have a number of devices on my network (Chromecasts, Amazon plugs, JVC TVs) that simply do not honor the DHCP-issued DNS servers and seem to be hard coded to use 8.8.8.8 and 8.8.4.4.

Prior to getting the FortiGate I used to have a Ubiquiti EdgeRouter X. On this device I had what they called a DNAT policy which used to capture all DNS queries heading for the WAN interface and redirect them to my internal pihole server. The pihole would then resolve them via DoH and respond via the router to the devices.

I am really stuck trying to replicate this on the FortiGate. I have tried a number of things like the VIP objects and policies but I cannot get this to replicate what I had before.

Please help.

Thanks

Anonymous
Not applicable

Hello @bosco_rsa,

Thanks for reaching out to the Fortinet Community. Would it be possible to attach the network diagram, so that we can better understand where the internal users and the server are connected to the FortiGate?

For now, from the above description, I would assume you want the FortiGate to make all internal DNS traffic heading to the WAN interface take a different route and reach your internal server that is on one of the other interfaces of the FortiGate. Ideally, to achieve this we would need a policy right above the lan-wan policy that is actually being used now to route DNS traffic, and the policy needs to have the interface on which the pihole server is connected as the destination.

Hope this helps.

Thanks and regards,

bosco_rsa
New Contributor

Hi @Anonymous

Please see below.

Hope this helps explain. Currently I have a LAN -> WAN policy that is blocking all traffic destined for the DNS service. This is stopping all devices on the network that do not use the DHCP-provided DNS server on 192.168.0.5 from being able to resolve.

This is desired and I simply want to further this and forward/redirect all that traffic to 192.168.0.5 so that it can resolve the requests and answer the hard coded devices. Reminder that the devices in question are Chromecasts and Alexa devices which I am unable to hard code with my own DNS server.

Thanks

[attached image: network diagram]

I agree that I would need another policy above the existing block policy, but please could you give me some inspiration as I have tried this previously and it didn't work at all.

[attached image]

Thanks


bosco_rsa
New Contributor

So a compelling reason to resolve this issue is that I have found that certain apps on my Google TV stop working if they are unable to directly query their hard coded DNS servers. BBC iPlayer as an example will not work if I block port 53 DNS queries from leaving my network!!!

I find this annoying and just poor on the part of the developers of the applications and devices. It's clear they use the information for more than just resolving DNS, otherwise they would not go to all the trouble of ensuring that their devices only work with hard coded DNS servers.

Now the thing is I had this all working on my EdgeRouter X and I really would like it to be able to work on my FortiGate 30E. It should be able to, right??

I just want to redirect DNS traffic to an internal server and allow it to return the results.

techrobo84

Hello @bosco_rsa, was this resolved? I guess one way to trick those devices with hardcoded DNS would be to create a loopback address on the pihole with 8.8.8.8 or 1.1.1.1 and so on. Make sure it listens for the DNS service on those loopback addresses. Then create a route in the FG to point to the pihole LAN IP and allow those specific devices to access the loopback.

gfleming

You *might* be able to accomplish this using VIPs to redirect DNS queries to your internal PiHole.

https://docs.fortinet.com/document/fortigate/7.2.3/administration-guide/510402/static-virtual-ips

Create a VIP attached to your LAN interface with the public DNS address in the "External IP address range" field, and map it to your pihole DNS address. Not 100% sure this will work but worth a shot.

The other reply about sticking those IPs on the pihole is good too.

Cheers,
Graham
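The VIP-plus-policy approach described in the reply above, written out as FortiOS CLI. This is an added example, not config from the thread or from Fortinet's docs: the LAN interface name "lan", the policy ids 50 and 10, and the object names are assumptions; 192.168.0.5 is the pihole address given earlier in the thread.

```fortios
# Added example (not from the thread). Assumptions: LAN interface is "lan",
# the pihole is 192.168.0.5 (from the thread), the new policy gets id 50 and
# the existing LAN->WAN block policy is id 10 (both placeholder ids; check
# "show firewall policy" for the real ones).
# One VIP per hard-coded public resolver; port forwarding is left off so the
# policy's service object decides which ports get redirected.
config firewall vip
    edit "vip-dns-8.8.8.8"
        set extintf "lan"
        set extip 8.8.8.8
        set mappedip "192.168.0.5"
    next
    edit "vip-dns-8.8.4.4"
        set extintf "lan"
        set extip 8.8.4.4
        set mappedip "192.168.0.5"
    next
end
config firewall vipgrp
    edit "vipgrp-hardcoded-dns"
        set interface "lan"
        set member "vip-dns-8.8.8.8" "vip-dns-8.8.4.4"
    next
end
# Intra-LAN policy: a client packet to 8.8.8.8:53 is rewritten to 192.168.0.5:53.
# "set nat enable" source-NATs it to the FortiGate's LAN address so the pihole
# answers back through the FortiGate, which un-maps the destination. Without it
# the pihole replies straight to the client on the same subnet, and the client
# sees an answer from 192.168.0.5 instead of 8.8.8.8 and drops it.
config firewall policy
    edit 50
        set name "redirect-hardcoded-dns-to-pihole"
        set srcintf "lan"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "vipgrp-hardcoded-dns"
        set action accept
        set schedule "always"
        set service "DNS"
        set nat enable
        set logtraffic all
    next
end
# The redirect must sit above the existing LAN->WAN block policy.
config firewall policy
    move 50 before 10
end
# Check it is matching: diagnose sniffer packet lan 'port 53' 4
```

The sniffer line should show the query arriving for 8.8.8.8 and leaving towards 192.168.0.5; if you see the reply only on the pihole side, the NAT setting is the usual culprit.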