DNS Server and local domain
I have a hub-and-spoke topology, 25 remote sites with site VPNs.
I want to leverage DNS Server on the FGT 60D units to respond to client DNS queries.. putting less dependence on the main site and that VPN for resolution. Some sites have RODCs (Windows), others do not. Thus, some have an option for split-DNS to a local host, but others rely on a full DC back at the main site. I also want to leave the System DNS set to FortiGuard and do want external lookups to use that.
Can I add my local interfaces to forward to System DNS (which in turn are the FortiGuard DNS servers), "and" either have normal forwarding for the local domain to either the local server or a remote server over the VPN? Or, better, can I have a zone transfer as a secondary?
I haven't seen a config example which will do "all of that" yet.
I'm having mixed results trying to get something configured myself. Last was an AXFR from my remote DC caught on WireShark and a long list of cached info.. but nslookups from a local client return non-existent domain. nslookup was run against the interface address (a VLAN off of internal).
And, of course, I can nslookup a domain host from that remote DNS host just fine.. so the VPN/route is fine.
Can it be done?