Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
TechSupport4415
New Contributor

Resolving internal hostnames - what is the BEST PRACTICE for DNS settings - Fortigate 60E

Hello,

        I would like to resolve internal hostnames on my network, and I read on this Forums that it would suffice to set your internal DNS as the primary DNS server on the Fortigate unit in network configuration.

 

BUT, I would also like to have the Fortigate be the first DNS uplink for my internal DNS server, so I could use Fortiguard DNS servers to monitor and block bad hosts (malware, C&C, etc) out there.

 

So, what would be the recommended practice to having both internal hostnames correctly resolved AND funnel all DNS traffic through Fortinet DNS service (assuming there actually is a way to do this)?

 

PLAN B: is there a way to pre-load all my internal hostnames (a la \windows\system32\drivers\etc\hosts) on my Fortigate unit? Is there an editable HOSTS file of some sort?

 

2 Solutions
ede_pfau
Esteemed Contributor III

hi,

 

and welcome to the forums.

To make it short, I shamelessly cite from my recent post on stackexchange.com (https://networkengineering.stackexchange.com/questions/45399/fortigate-50e-conditional-forwarding/:(

----------------------------- For local name resolution you need to set up 3 things: 1- a DNS zone 2- at least one A record in that zone 3- a DNS on the interface where your internal hosts are A zone in a nameserver is a container for name/IP pairs, the records. You create a DNS zone in config system dns-database:


config system dns-database
    edit "MyCompanyZone"
        set status enable
        set domain "mycompany.local"
        set type master
        set view shadow
        set ttl 14400
        set authoritative enable
        config dns-entry
            edit 1
                set status enable
                set type A
                set ttl 0
                set hostname "namea"
                set ip 192.168.234.10
            next
            edit 2
                set status enable
                set type A
            ...
         end
      next
   end
end
This zone only holds records for your private hosts and thus it must be 'authoritative'! Next, the record(s). They are created in the config dns-entry section. Record type 'A' denotes a host entry. It doesn't harm to have an additional 'NS' record with the name of your nameserver, i.e. the Fortigate. Then you set up a DNS for your hosts to use, here on the 'lan' interface:

config system dns-server
    edit "lan"
        set mode recursive
    next
end

# explanation for the mode parameter:  
# set mode
recursive        Shadow DNS database and forward.
non-recursive    Public DNS database only.
forward-only     Forward only.
As you can see, it must be in 'recursive' mode or non-local names will not be resolved. If the requested hostname is not found in the dns-database, if 'recursive' is specified the request will be forwarded to the Fortigate's System DNS which can be a Fortiguard DNS (like in your case) or your provider's DNS. Now you can resolve a local hostname like 'namea.mycompany.local'. At last, if you use the FGT as your DHCP server, specify the Fortigate's LAN address as the DNS to use so that all your local hosts will know whom to ask. -----------------------------

 

This is setting up your FGT as your local DNS. If you want to continue to use your (? Windows) DNS just create a recursive DNS on the 'lan' interface, and specify your FGT's LAN address as the forwarding target of your local DNS. Set the FGT system DNS to one of the FortiGuard servers.

 

There are pros and cons with the FGT nameserver. Pro: centralized management, easy to maintain, no need to run a dedicated DNS on the LAN. Contra: no dynamic DNS entries, reverse lookup zone takes some nifty configuration, no import of host file. YMMV.


Ede

"Kernel panic: Aiee, killing interrupt handler!"

View solution in original post

Ede"Kernel panic: Aiee, killing interrupt handler!"
rwpatterson
Valued Contributor III

Hopping on the back of the prior answer, I have written a couple of scripts to convert Windows and BIND DNS zone files to Fortigate importable data. I do not plan on doing that for a host file. Not enough bang for the buck. Follow the link in my signature if you are interested in the zone file option.

 

Bob

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

View solution in original post

Bob - self proclaimed posting junkie!See my Fortigate related scripts at: http://fortigate.camerabob.com
8 REPLIES 8
ede_pfau
Esteemed Contributor III

hi,

 

and welcome to the forums.

To make it short, I shamelessly cite from my recent post on stackexchange.com (https://networkengineering.stackexchange.com/questions/45399/fortigate-50e-conditional-forwarding/:(

----------------------------- For local name resolution you need to set up 3 things: 1- a DNS zone 2- at least one A record in that zone 3- a DNS on the interface where your internal hosts are A zone in a nameserver is a container for name/IP pairs, the records. You create a DNS zone in config system dns-database:


config system dns-database
    edit "MyCompanyZone"
        set status enable
        set domain "mycompany.local"
        set type master
        set view shadow
        set ttl 14400
        set authoritative enable
        config dns-entry
            edit 1
                set status enable
                set type A
                set ttl 0
                set hostname "namea"
                set ip 192.168.234.10
            next
            edit 2
                set status enable
                set type A
            ...
         end
      next
   end
end
This zone only holds records for your private hosts and thus it must be 'authoritative'! Next, the record(s). They are created in the config dns-entry section. Record type 'A' denotes a host entry. It doesn't harm to have an additional 'NS' record with the name of your nameserver, i.e. the Fortigate. Then you set up a DNS for your hosts to use, here on the 'lan' interface:

config system dns-server
    edit "lan"
        set mode recursive
    next
end

# explanation for the mode parameter:  
# set mode
recursive        Shadow DNS database and forward.
non-recursive    Public DNS database only.
forward-only     Forward only.
As you can see, it must be in 'recursive' mode or non-local names will not be resolved. If the requested hostname is not found in the dns-database, if 'recursive' is specified the request will be forwarded to the Fortigate's System DNS which can be a Fortiguard DNS (like in your case) or your provider's DNS. Now you can resolve a local hostname like 'namea.mycompany.local'. At last, if you use the FGT as your DHCP server, specify the Fortigate's LAN address as the DNS to use so that all your local hosts will know whom to ask. -----------------------------

 

This is setting up your FGT as your local DNS. If you want to continue to use your (? Windows) DNS just create a recursive DNS on the 'lan' interface, and specify your FGT's LAN address as the forwarding target of your local DNS. Set the FGT system DNS to one of the FortiGuard servers.

 

There are pros and cons with the FGT nameserver. Pro: centralized management, easy to maintain, no need to run a dedicated DNS on the LAN. Contra: no dynamic DNS entries, reverse lookup zone takes some nifty configuration, no import of host file. YMMV.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
rwpatterson
Valued Contributor III

Hopping on the back of the prior answer, I have written a couple of scripts to convert Windows and BIND DNS zone files to Fortigate importable data. I do not plan on doing that for a host file. Not enough bang for the buck. Follow the link in my signature if you are interested in the zone file option.

 

Bob

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Bob - self proclaimed posting junkie!See my Fortigate related scripts at: http://fortigate.camerabob.com
TechSupport4415

Thanks for your quick and insightful reply. Plenty of detailed information about local DNS management here - although I wish to keep my current DNS server active, as it's also a Domain Controller and I need it.

 

I already forwarded my DNS requests from my DNS server (Windows 2016) to the Fortigate, and I can see DNS queries coming from that Win machine and going out.

 

In the meantime I had a look at the FortiView section of the firewall, and to my great surprise, it looks like local names are being resolved, there - I don't know how this is possible, as the FGT itself is pointed to "Fortiguard Servers" (external, public IPs) for its name resolution needs.

 

When I see or download a report from FortiCloud, instead, all I can see are the local IPs, never the hostname.

 

So, it appears as the FGT 60E has a way to resolve hostnames of its own, even if not pointed to the local DNS server, but is not able to pass this information up to FortiCloud, where it could greatly enhance the clarity of reports.

 

Anybody using FortiCloud reports can confirm or deny that local hostnames are actually resolved there, and if yes, with which DNS configuration this result is being obtained? Thanks

 

ede_pfau
Esteemed Contributor III

So, clients should ask the WinSrv, the WinSrv should forward to the ISP (not! the FGT), FGT system DNS should be the WinSrv. No FGT DNS server on the LAN port.

This way, the only authoritative NS for the local domain is the WinSrv, for both clients and the FGT.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
TechSupport4415

That could maybe do... but, are we loosing the DNS filtering capabilities of the Fortigate unit, if we configure it this way?

 

Or, is DNS filtering / blocking implemented elsewhere, and the FGT does not need to forward all DNS traffic to Fortinet servers via its own DNS configuration (i.e. "Fortiguard Servers" label in the DNS configuration section) to analyze it? (see attached image)

 

 

Juquinha

TechSupport4415 wrote:

That could maybe do... but, are we loosing the DNS filtering capabilities of the Fortigate unit, if we configure it this way?

 

Or, is DNS filtering / blocking implemented elsewhere, and the FGT does not need to forward all DNS traffic to Fortinet servers via its own DNS configuration (i.e. "Fortiguard Servers" label in the DNS configuration section) to analyze it? (see attached image)

 

 

I would like to know, as well, if in this scenario we would loose the DNS filter feature.

 

Plus that, I would like to know if there is a way to use a conditional forwarding for the queries for the Fortigate itself.

Example: Create a policy where destination is a FQDN address like host.myinternaldomain.abc. For those queries (and in this case, the request from the Fortigate to resolve this hostname and then decide to permit the traffic), use my internal domain instead of public ones.

Yurisk
Valued Contributor

For DNS filtering to work, Fortigate has to see both - query for the DNS record, and answer to it. Which way and who does it is not of interest to Fortigate. If client in LAN queries internal DC as DNS, which in turn goes to ISP/Google DNS and queries on behalf of LAN's client, the FGT would see this query (yes, coming from DC) and if found bad, would replace in the answer IP with the IP of the Fortiguard, then pass this answer to the DC. So, it would still work (DNS filtering) just fine.

BTW Leftovers from older FGT versions (like 4.0?) that you had to have Fortiguard DNS servers set for the FGT itself for FNS filtering to work - not any more. Today you can set both, for LAN clients and FGT itself ANY dns you like, the DNS filtering will work just fine.

 

Yuri https://yurisk.info/  blog: All things Fortinet, no ads.
Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
Juquinha

Yurisk wrote:

For DNS filtering to work, Fortigate has to see both - query for the DNS record, and answer to it. Which way and who does it is not of interest to Fortigate. If client in LAN queries internal DC as DNS, which in turn goes to ISP/Google DNS and queries on behalf of LAN's client, the FGT would see this query (yes, coming from DC) and if found bad, would replace in the answer IP with the IP of the Fortiguard, then pass this answer to the DC. So, it would still work (DNS filtering) just fine.

BTW Leftovers from older FGT versions (like 4.0?) that you had to have Fortiguard DNS servers set for the FGT itself for FNS filtering to work - not any more. Today you can set both, for LAN clients and FGT itself ANY dns you like, the DNS filtering will work just fine.

 

Hi, Yurisk!

 

Thanks for your reply. Following what you explained, I would need only to use the DNS Filter profile on the policies that permits my internal DNS servers to go to the public DNS servers. That, at least, would prevent my malicious internal queries to be resolved in a bad way. At least in a simply scenario.

 

The best practice should be to filter this queries before the client reaches the internal DNS server, I think.

Labels
Top Kudoed Authors