I currently have a setup with our Domain Controller's DNS Server which forwards all external queries to a FortiGate 60C. To allow network computers to lookup each other, I have assigned the DNS server for our internal network interface to point to the DNS Server which sits on our Domain Controller. Hence, all connected machines will use the Domain Controller's Internal DNS initially to find network resources and on the instance it can't for external resources, it forwards all requests to FortiGate to query the ISP DNS servers.
For expansion purposes, I am looking at placing a Domain Controller at branch offices which are currently segmented by different subnet zones i.e.
Main Office DNS Zone = 10.0.0.0
Branch Office 1# DNS Zone 10.0.30.0
Branch Office 2# DNS Zone = 10.0.70.0
Each office is linked together via IPSec Tunnels hence, resources are visible to one another despite being on different locations. Given that Domain Controllers require DNS to work, I was wondering if there was a way to specify fallback/multiple Internal DNS lookup servers for network interfaces? I.e. Main office Domain Controller server goes down due to unexpected failure or maintenance, all traffic is routed to one of the two branch offices Servers.
Thanks for your input on this matter. I've had a look at the Virtual Server/Load Balancing function of FortiOS (not supported on ours since we run FortiOS 2.5.7, Virtual Servers need FortiOS 2.5.8+ it seems) and it looks promising. I'd ideally like to try playing with this but I need to do some more research first.
Using FortiGate Virtual Servers, would it be possible theoretically to configure the said virtual server to link to multiple real servers and then set that as the internal DNS server for the interfaces at each office? On an unrelated topic, I see that there are VMs available for testing, we don't have VMWare but is it possible to install FortiOS on virtual box for a lab environment?
Though i didn't try it, i believe it's possible. After creating the virtual servers, you'd modify the DHCP server for each interface and pass the vs IP as a DNS server. I already have a lab setup here in my notebook, i'll give it a try today if i can.
About VirtualBox, i dont kow and i barely used it. My lab is running on VMWare Workstation, but if you find a way to convert the vmdk (disk) file it should work.
Another option is to download vmware workstation as a trial, or just use the free esxi server.
Anyway, i'll try to do the test myself, cross your fingers.
config firewall ldb-monitor edit "DNS_TCP_HC" set type tcp set port 53 next end config firewall vip edit "DNS" set type server-load-balance set extip 172.25.0.254 set extintf "any" set server-type udp set monitor "DNS_TCP_HC" set ldb-method least-rtt set extport 53 config realservers edit 1 set ip 172.25.0.10 set port 53 next edit 2 set ip 188.8.131.52 set port 53 next edit 3 set ip 172.25.0.253 set port 53 next end next end
Thanks again very much for the help. I've got around to setting up the FGT VM on a VMWare free trial. I've spent a fair amount of time trying to get it up on VirtualBox and gotten to the point where the VM is loaded, but it doesn't seem that the kernel will boot for VirtualBox probably due to differing virtualization protocols implemented. In proceeding forwards, I've configured a simple virtual environment of one domain controller and one client connected to the FGT VM.
I've used 2 port interfaces (Port 1 = external/internet, Port 2 = internal), one for internet/external access and the second for internal access by the VM client/server I've attached. The server forwards it's DNS requests to the FGT VM, which is then configured with it standard FGT DNS servers and a policy to route external traffic through Port 1. I've tested the setup without specifying the Internal DNS to my domain controller as per my production setup and the domain lookup checks out.
When I do introduce a virtual server with a single real server as my domain controller however, I've noticed that pings from my clients failed to ping/see the virtual server, but I can ping it just fine from the FGT device. My attempts to resolve the internal domain from the client using the virtual server DNS have all failed hence, I'm wasn't sure if there are any firewall rules/policies I would need to configure for the virtual server to be accessible from the internal interface.
After a little tinkering in consultation to the manual and sacrifices of coffee to the networking gods, I was able to get it to work by adding a firewall policy which allowed internal DNS traffic to go through to the virtual server. From here, query lookups seemed to work fine unless I had disabled the real server within the Load Balancing settings.
All pings from the client to the virtual server however still fails probably due to the virtual server being set not to respond. I'm not entirely sure whether this is the right approach but I hope this also helps anyone who's in the same shoes as I am. The challenge now is to somehow allow inter-site queries of the DNS servers through the virtual server. I'm not able to for some reason get the FGT devices to ping inter-site clients yet. If anyone else has any additional input or advice on this it'd be greatly appreciated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.