Support Forum
Tutek_OLD
New Contributor

Fortigate DNS with domain DNS correct configuration

Hello,

How should the Fortigate DNS setting be configured when there is a central AD DNS server in the network? All PC computers get DNS from the AD DNS server, so I configured the Fortigate DNS to point to the AD DNS server, and on the domain DNS server I configured a forwarder to 8.8.8.8 - is this good?

I thought to configure it in a different way, I mean, point the AD DNS forwarder to the Fortigate IP, and on the Fortigate DNS set any public DNS servers, but I couldn't configure it, I had no internet. I don't know how to configure an IPv4 policy from the AD DNS server to the Fortigate itself, and without that, as I said, all my computers did not have internet access.

Please advise me, thanks.

2 Solutions
MikePruett

I would personally make FortiGates (and any other devices that require DNS) to utilize internal DNS Servers. Let those internal DNS servers then forward out to Google, Cloudflare, or whatever external DNS service of your choice.


Mike Pruett Fortinet GURU | Fortinet Training Videos
TecnetRuss

I agree with Mike that it's generally better to point your FortiGate at your internal AD/DNS (under Network > DNS) so that internal names resolve properly. That's the simplest, lowest maintenance solution.


For example if the service you're looking to use is LDAP authentication for SSL-VPN, while you can technically get up and running just using an IP address for insecure LDAP, you should really be using secure LDAPS and server verification which relies on correctly configured internal name resolution and certificates (imported from your AD CA): https://www.fortiguard.com/psirt/FG-IR-19-037


Tip: if you're having trouble getting network drives mapped for VPN clients and they can't ping servers by their short names, make sure you've got your internal DNS suffix set in your VPN config.

For SSL-VPN:

    set dns-suffix = <internal domain suffix e.g. domain.local or int.domain.com>

For IPSec VPN:

    set domain = <internal domain suffix e.g. domain.local or int.domain.com>


Russ

NSE7

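An added configuration example (written for this thread, not Russ's own config or anything from Fortinet documentation) that puts the insecure LDAP setting Russ warns about next to the LDAPS-with-verification setting he recommends, together with the DNS pieces the hardened version depends on. The interface and object names, the addresses 192.168.80.5 and 192.168.80.6, the hostname dc01.demo.local, the CA name AD-Root-CA and the service-account DN are assumptions; lines starting with `#` are annotations, not FortiOS CLI.

```text
# --- FortiGate itself resolves through the internal AD DNS (Network > DNS),
#     so the DC's FQDN below is resolvable (assumed DC addresses) ---
config system dns
    set primary 192.168.80.5
    set secondary 192.168.80.6
end

# --- Weak: plain LDAP to a bare IP. Bind credentials cross the wire in clear
#     and nothing proves the FortiGate is talking to the real DC ---
config user ldap
    edit "AD-ldap-insecure"
        set server "192.168.80.5"
        set cnid "sAMAccountName"
        set dn "dc=demo,dc=local"
        set type regular
        set username "cn=svc-fortigate,cn=Users,dc=demo,dc=local"
        set password "<service-account-password>"
    next
end

# --- Hardened: LDAPS by name, chained to the AD CA imported as "AD-Root-CA",
#     with the server's certificate checked against that name ---
config user ldap
    edit "AD-ldaps"
        set server "dc01.demo.local"
        set cnid "sAMAccountName"
        set dn "dc=demo,dc=local"
        set type regular
        set username "cn=svc-fortigate,cn=Users,dc=demo,dc=local"
        set password "<service-account-password>"
        set secure ldaps
        set port 636
        set ca-cert "AD-Root-CA"
        set server-identity-check enable
    next
end

# --- SSL-VPN clients receive the internal resolver and suffix, so short
#     names such as "fileserver" resolve inside the tunnel ---
config vpn ssl settings
    set dns-server1 192.168.80.5
    set dns-suffix "demo.local"
end
```

To confirm the chain works end to end from the FortiGate CLI: `execute ping dc01.demo.local` shows the internal DNS is answering, and `diagnose test authserver ldap AD-ldaps <user> <password>` shows whether the LDAPS bind and certificate check succeed. If the identity check fails, the usual causes are a DC certificate whose subject or SAN does not match dc01.demo.local, or a CA object that is not the one that issued it.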

9 Replies
Yurisk
Valued Contributor

Settings vary according to the network needs and requirements. The most frequent setup is: local hosts are pointed to AD as DNS, while the Fortigate has Google/Fortiguard/local ISP as DNS servers, and the security policy allows just AD to go out on DNS ports.

The set-ups you tried seem to me overly complex without any benefit to the network or users.


Yuri https://yurisk.info/  blog: All things Fortinet, no ads.
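An added FortiOS CLI example (mine, not Yuri's configuration or Fortinet's) of the layout Yuri describes: the FortiGate keeps public resolvers for its own lookups, only the AD DNS server is permitted out on DNS, and direct DNS attempts from other LAN hosts are denied and logged, so a machine that bypasses the internal resolver shows up in the traffic log instead of silently resolving on its own. Interface names port2 and wan1, the 192.168.80.0/24 LAN, the 192.168.80.5 server address and the policy IDs are assumptions; lines starting with `#` are annotations, not CLI.

```text
# --- The firewall's own resolvers: public, as in Yuri's layout ---
config system dns
    set primary 8.8.8.8
    set secondary 1.1.1.1
end

# --- Address objects (assumed values) ---
config firewall address
    edit "AD-DNS-01"
        set subnet 192.168.80.5 255.255.255.255
    next
    edit "LAN"
        set subnet 192.168.80.0 255.255.255.0
    next
end

# --- Policies are matched top-down; created in this order, 10 sits above 11,
#     so the AD server matches the accept rule before the broader deny ---
config firewall policy
    edit 10
        set name "AD-DNS-egress"
        set srcintf "port2"
        set dstintf "wan1"
        set srcaddr "AD-DNS-01"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "DNS"
        set nat enable
        set logtraffic all
    next
    edit 11
        set name "Block-direct-client-DNS"
        set srcintf "port2"
        set dstintf "wan1"
        set srcaddr "LAN"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "DNS"
        set logtraffic all
    next
end
```

The explicit deny is there for the log entry, not for enforcement (the implicit deny would drop the traffic anyway): a hit on policy 11 means a host is configured with an external resolver, which is worth chasing down because it also means that host ignores whatever filtering and logging the AD DNS server provides. Ordinary web policies for the LAN go below these two.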
Tutek_OLD

OK, in your first suggestion you then set as forwarders in AD DNS any public DNS service, like Google or Cloudflare?

But what about the case when the Fortigate needs to resolve internal domain hostnames, like email servers or SMS gateways? With your first suggestion internal domain hostnames won't be resolved.

Yurisk
Valued Contributor

Tutek wrote:

But what about the case when the Fortigate needs to resolve internal domain hostnames, like email servers or SMS gateways? With your first suggestion internal domain hostnames won't be resolved.

One of the reasons NOT to use internal names of the resources in a firewall - use IP addresses only. 

Yuri https://yurisk.info/  blog: All things Fortinet, no ads.
Tutek_OLD

But I have to, I have services which work only on domain names. And I don't know how to resolve this issue.

BlueDolfin

That would be a good idea if your DNS servers are not behind an IPsec connection. In my case, branches contact HQ via IPsec for HQ local domain resources like an intranet. They need access to the internet if the IPsec goes down for some reason. So you would need split DNS, which Fortigate does not seem to support in an easy way like other firewalls/routers.

Yurisk
Valued Contributor

Tutek wrote:

But I have to, I have services which work only on domain names. And I don't know how to resolve this issue.

What services for example? 

Yuri https://yurisk.info/  blog: All things Fortinet, no ads.

marchand
New Contributor III

Tutek wrote:

OK, in your first suggestion you then set as forwarders in AD DNS any public DNS service, like Google or Cloudflare?

But what about the case when the Fortigate needs to resolve internal domain hostnames, like email servers or SMS gateways? With your first suggestion internal domain hostnames won't be resolved.

See if it works for you

    (dns-database) # show
    config system dns-database
        edit "internal"
            set domain "demo.local"
            config dns-entry
                edit 2
                    set type MX
                    set hostname "mail"
                next
                edit 3
                    set hostname "mail"
                    set ip 192.168.80.10
                next
                edit 4
                    set hostname "www"
                    set ip 192.168.80.11
                next
            end
            set contact "root@demo.local"
        next
    end
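An added example (mine, not marchand's post or Fortinet's documentation) that completes the DNS-database approach above: a zone is only answered once a DNS server is enabled on an interface, and the mode chosen there is what gives the split behaviour BlueDolfin asked about. The interface name port2, the TTL, the MX preference and the explicit record types are assumptions; lines starting with `#` are annotations, not CLI.

```text
# --- Serve the database. recursive = answer names held in the local database
#     and forward everything else to the resolvers in "config system dns";
#     forward-only would skip the local zone entirely ---
config system dns-server
    edit "port2"
        set mode recursive
    next
end

# --- The zone from marchand's example, with record types made explicit,
#     the MX record given a preference and a TTL so cached answers expire
#     on a known schedule when an address changes ---
config system dns-database
    edit "internal"
        set domain "demo.local"
        set authoritative enable
        set ttl 3600
        config dns-entry
            edit 2
                set type MX
                set preference 10
                set hostname "mail"
            next
            edit 3
                set type A
                set hostname "mail"
                set ip 192.168.80.10
            next
            edit 4
                set type A
                set hostname "www"
                set ip 192.168.80.11
            next
        end
        set contact "root@demo.local"
    next
end
```

To check it from a host on port2's network, point a lookup at the FortiGate's port2 address: `nslookup mail.demo.local <port2-ip>` should return 192.168.80.10, `nslookup -type=mx demo.local <port2-ip>` should list mail.demo.local, and a public name through the same address should still resolve via the forwarders. Keep in mind that this serves the zone to clients that query the FortiGate; the AD servers remain authoritative for the real domain, so anything defined here must be kept in step with them or clients will get different answers depending on which resolver they ask.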
