I have a pihole server on my network that is responsible for all DNS and DHCP. The pihole is configured to use cloudflared DoH for added security.
I have added a lan-wan policy on my fortigate 30E that blocks all DNS udp/53 requests to the internet. This is working well but I have a number of devices on my network (chromecasts, amazon plugs, jvc tvs) that simply do not honor the DHCP issued dns servers and seem to be hard coded to use 220.127.116.11 and 18.104.22.168.
Prior to getting the fortigate I used to have a ubiquiti edgerouter x. On this device I had what they called a DNAT policy which used to capture all dns queries heading for the wan interface and redirect them to my internal pihole server. the pihole would then resolve them via DoH and respond via the router to the devices.
I am really stuck trying to replicate this on the Fortigate. I have tried a number of things like the VIP objects and policies but I cannot get this to replicate what I had before.
Thanks for reaching Fortinet Community. Would it be possible to attached the network diagram, so that we can better understand where the internal users and the server are connected to the FortiGate.
For now from the above description, I would assume you are wanting the FortiGate to forward all internal traffic (DNS traffic) heading to wan interface take a different route and reach your internal server that is on one of the other interfaces of the FortiGate. Ideally to achieve this we would need a policy right above the lan-wan policy that is actually being used now to route DNS traffic and the policy needs to have the interface on which the pihole server is connected as the destination.
Hope this helps explain. Currently I have LAN -> WAN policy that is blocking all traffic destined for the DNS service. This is stopping all devices on the network that do not use the DHCP provided dns server on 192.168.0.5 from being able to resolve.
This is desired and I simply want to further this and forward/redirect all that traffic to 192.168.0.5 so that it can resolve the requests and answer the hard coded devices. Reminder that the devices in question are chromecasts and Alexa devices which I am unable to hard code with my own dns server.
I agree that I would need another policy above the existing block policy but please could you give me some inspiration as I have tried this previously and it didn't work at all.
So a compelling reason to resolve this issue is that I have found that certain apps on my Google TV stop working if they are unable to directly query their hard coded DNS servers. BBC iPlayer as an example will not work if I block port 53 dns queries from leaving my network!!!
I find this annoying and just poor on the part of the developers of the applications and devices. Its clear they use the information for more than just resoving DNS otherwise they would not go to all the trouble of ensuring that their devices only work with hard coded DNS servers.
Now the thing is I had this all working on my Edgerouter X and I really would like it to be able to work on my Fortigate 30E. It should be able to right??
I just want to redirect DNS traffic to an internal server and allow it to return the results.
Hello @bosco_rsa, was this resolved? i guess one way to trick those devices with hardcoded DNS would be to create a loopback address on the pihole with 22.214.171.124 or 126.96.36.199 and so on. make sure it listens for dns service on those lo. Then create a route in the fg to point to the pihole lan ip and allow those specific devices to access the loopback
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.