Helpful ReplyResolving internal hostnames - what is the BEST PRACTICE for DNS settings - Fortigate 60E

Author
TechSupport4415
New Member
  • Total Posts : 5
  • Scores: 0
  • Reward points: 0
  • Joined: 2017/11/02 07:03:19
  • Status: offline
2017/11/04 01:52:12 (permalink) 5.6
0

Resolving internal hostnames - what is the BEST PRACTICE for DNS settings - Fortigate 60E

Hello,
        I would like to resolve internal hostnames on my network, and I read on this Forums that it would suffice to set your internal DNS as the primary DNS server on the Fortigate unit in network configuration.
 
BUT, I would also like to have the Fortigate be the first DNS uplink for my internal DNS server, so I could use Fortiguard DNS servers to monitor and block bad hosts (malware, C&C, etc) out there.
 
So, what would be the recommended practice to having both internal hostnames correctly resolved AND funnel all DNS traffic through Fortinet DNS service (assuming there actually is a way to do this)?
 
PLAN B: is there a way to pre-load all my internal hostnames (a la \windows\system32\drivers\etc\hosts) on my Fortigate unit? Is there an editable HOSTS file of some sort?
 
#1
ede_pfau
Expert Member
  • Total Posts : 5721
  • Scores: 387
  • Reward points: 0
  • Joined: 2004/03/09 01:20:18
  • Location: Heidelberg, Germany
  • Status: offline
Re: Resolving internal hostnames - what is the BEST PRACTICE for DNS settings - Fortigate 2017/11/05 10:02:55 (permalink) ☄ Helpfulby bellwood 2018/05/29 18:30:17
5 (1)
hi,
 
and welcome to the forums.
To make it short, I shamelessly cite from my recent post on stackexchange.com (https://networkengineering.stackexchange.com/questions/45399/fortigate-50e-conditional-forwarding/):

-----------------------------
For local name resolution you need to set up 3 things:
1- a DNS zone
2- at least one A record in that zone
3- a DNS on the interface where your internal hosts are

A zone in a nameserver is a container for name/IP pairs, the records. You create a DNS zone in config system dns-database:

config system dns-database
    edit "MyCompanyZone"
        set status enable
        set domain "mycompany.local"
        set type master
        set view shadow
        set ttl 14400
        set authoritative enable
        config dns-entry
            edit 1
                set status enable
                set type A
                set ttl 0
                set hostname "namea"
                set ip 192.168.234.10
            next
            edit 2
                set status enable
                set type A
            ...
         end
      next
   end
end


This zone only holds records for your private hosts and thus it must be 'authoritative'!
Next, the record(s). They are created in the config dns-entry section. Record type 'A' denotes a host entry. It doesn't harm to have an additional 'NS' record with the name of your nameserver, i.e. the Fortigate.

Then you set up a DNS for your hosts to use, here on the 'lan' interface:

config system dns-server
    edit "lan"
        set mode recursive
    next
end

# explanation for the mode parameter:  
# set mode
recursive        Shadow DNS database and forward.
non-recursive    Public DNS database only.
forward-only     Forward only.

As you can see, it must be in 'recursive' mode or non-local names will not be resolved. If the requested hostname is not found in the dns-database, if 'recursive' is specified the request will be forwarded to the Fortigate's System DNS which can be a Fortiguard DNS (like in your case) or your provider's DNS.

Now you can resolve a local hostname like 'namea.mycompany.local'.

At last, if you use the FGT as your DHCP server, specify the Fortigate's LAN address as the DNS to use so that all your local hosts will know whom to ask.
-----------------------------
 
This is setting up your FGT as your local DNS. If you want to continue to use your (? Windows) DNS just create a recursive DNS on the 'lan' interface, and specify your FGT's LAN address as the forwarding target of your local DNS. Set the FGT system DNS to one of the FortiGuard servers.
 
There are pros and cons with the FGT nameserver. Pro: centralized management, easy to maintain, no need to run a dedicated DNS on the LAN. Contra: no dynamic DNS entries, reverse lookup zone takes some nifty configuration, no import of host file. YMMV.

Ede

" Kernel panic: Aiee, killing interrupt handler!"
#2
rwpatterson
Expert Member
  • Total Posts : 8299
  • Scores: 181
  • Reward points: 0
  • Joined: 2006/08/08 10:08:18
  • Location: Long Island, New York, USA
  • Status: online
Re: Resolving internal hostnames - what is the BEST PRACTICE for DNS settings - Fortigate 2017/11/05 12:21:05 (permalink)
0
Hopping on the back of the prior answer, I have written a couple of scripts to convert Windows and BIND DNS zone files to Fortigate importable data. I do not plan on doing that for a host file. Not enough bang for the buck. Follow the link in my signature if you are interested in the zone file option.
 
Bob

-Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

-4.3.19-b0694
FWF60B
FWF80CM (4)
FWF81CM (2)
 
#3
TechSupport4415
New Member
  • Total Posts : 5
  • Scores: 0
  • Reward points: 0
  • Joined: 2017/11/02 07:03:19
  • Status: offline
Re: Resolving internal hostnames - what is the BEST PRACTICE for DNS settings - Fortigate 2017/11/06 05:18:43 (permalink)
0
Thanks for your quick and insightful reply. Plenty of detailed information about local DNS management here - although I wish to keep my current DNS server active, as it's also a Domain Controller and I need it.
 
I already forwarded my DNS requests from my DNS server (Windows 2016) to the Fortigate, and I can see DNS queries coming from that Win machine and going out.
 
In the meantime I had a look at the FortiView section of the firewall, and to my great surprise, it looks like local names are being resolved, there - I don't know how this is possible, as the FGT itself is pointed to "Fortiguard Servers" (external, public IPs) for its name resolution needs.
 
When I see or download a report from FortiCloud, instead, all I can see are the local IPs, never the hostname.
 
So, it appears as the FGT 60E has a way to resolve hostnames of its own, even if not pointed to the local DNS server, but is not able to pass this information up to FortiCloud, where it could greatly enhance the clarity of reports.
 
Anybody using FortiCloud reports can confirm or deny that local hostnames are actually resolved there, and if yes, with which DNS configuration this result is being obtained? Thanks
 
#4
ede_pfau
Expert Member
  • Total Posts : 5721
  • Scores: 387
  • Reward points: 0
  • Joined: 2004/03/09 01:20:18
  • Location: Heidelberg, Germany
  • Status: offline
Re: Resolving internal hostnames - what is the BEST PRACTICE for DNS settings - Fortigate 2017/11/06 06:38:23 (permalink)
0
So, clients should ask the WinSrv, the WinSrv should forward to the ISP (not! the FGT), FGT system DNS should be the WinSrv. No FGT DNS server on the LAN port.
This way, the only authoritative NS for the local domain is the WinSrv, for both clients and the FGT.

Ede

" Kernel panic: Aiee, killing interrupt handler!"
#5
TechSupport4415
New Member
  • Total Posts : 5
  • Scores: 0
  • Reward points: 0
  • Joined: 2017/11/02 07:03:19
  • Status: offline
Re: Resolving internal hostnames - what is the BEST PRACTICE for DNS settings - Fortigate 2017/11/06 06:52:56 (permalink)
0
That could maybe do... but, are we loosing the DNS filtering capabilities of the Fortigate unit, if we configure it this way?
 
Or, is DNS filtering / blocking implemented elsewhere, and the FGT does not need to forward all DNS traffic to Fortinet servers via its own DNS configuration (i.e. "Fortiguard Servers" label in the DNS configuration section) to analyze it? (see attached image)
 
 

Attached Image(s)

#6
Jump to:
© 2018 APG vNext Commercial Version 5.5