Is it possible to redirect all DNS traffic to a particular external provider

Author: Scott Thomson (New Member, joined 2014/03/03)
Posted: 2018/02/09 13:04:47


I know I can DENY all outbound DNS traffic to port 53 tcp/udp and then just add an allow for our vendor's DNS servers. However, my vendor recommends redirecting all DNS traffic - which does sound like a more elegant solution if the FortiOS can handle it.
 
Does anyone have any suggestions on how the following might be done on a FortiGate? If relevant, we run a mix of 5.2/5.4, primarily the FG-60 series (D,E).
 
Snippet from my vendor's docs (DNSFilter):

Using iptables, the most common firewall on Linux systems, the rules in a config file look like this:
*nat
:PREROUTING ACCEPT [2:143]
:INPUT ACCEPT [2:143]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [2:134]
-A OUTPUT -p udp -m udp --dport 53 -j DNAT --to-destination 103.247.36.36:53
-A OUTPUT -p tcp -m tcp --dport 53 -j DNAT --to-destination 103.247.36.36:53

Or, using the command line to add the rules: 
iptables -t nat -A OUTPUT -p udp --dport 53 -j DNAT --to 103.247.36.36:53
iptables -t nat -A OUTPUT -p tcp --dport 53 -j DNAT --to 103.247.36.36:53


Thanks!
#1
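The vendor's iptables rules above live in the nat table's OUTPUT chain, which only rewrites queries generated by the Linux host itself; DNS from LAN clients that the box merely forwards passes through PREROUTING instead, so a redirect that only touches OUTPUT leaves a bypass. The script below is an added example, not code from the forum thread or from DNSFilter: it parses an iptables-save dump (the sample dump is constructed, based on the rules quoted above plus one deliberate gap) and reports any chain/protocol combination on port 53 that is missing a DNAT rule or points somewhere other than the intended resolver. The resolver address and the "eth1" interface in the sample are placeholders.

```python
"""Audit an iptables-save dump for DNS-forcing DNAT rules (added example).

Checks the *nat table for port-53 DNAT rules in both the chain for the
host's own queries (OUTPUT) and the chain for forwarded LAN traffic
(PREROUTING), for UDP and TCP alike, and verifies they all target the
expected resolver.
"""
import re
from dataclasses import dataclass

# Matches rule lines such as:
#   -A OUTPUT -p udp -m udp --dport 53 -j DNAT --to-destination 198.51.100.53:53
# iptables-save always prints --to-destination; the CLI also accepts --to.
DNAT_RE = re.compile(
    r"^-A (?P<chain>\S+) .*?-p (?P<proto>udp|tcp)\b.*?--dport (?P<dport>\d+)"
    r".*?-j DNAT --to(?:-destination)? (?P<target>\S+)"
)


@dataclass(frozen=True)
class DnatRule:
    chain: str
    proto: str
    dport: int
    target: str


def parse_nat_dnat_rules(dump: str) -> list[DnatRule]:
    """Return the DNAT rules found in the *nat table of an iptables-save dump."""
    rules: list[DnatRule] = []
    in_nat = False
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):          # table header, e.g. "*nat" or "*filter"
            in_nat = line == "*nat"
            continue
        if line == "COMMIT":              # end of the current table
            in_nat = False
            continue
        if not in_nat:
            continue
        m = DNAT_RE.match(line)
        if m:
            rules.append(DnatRule(m["chain"], m["proto"], int(m["dport"]), m["target"]))
    return rules


def audit_dns_redirect(dump: str, resolver: str,
                       chains: tuple[str, ...] = ("OUTPUT", "PREROUTING")) -> list[str]:
    """Return findings; an empty list means every port-53 path is forced to `resolver`."""
    expected = f"{resolver}:53"
    rules = parse_nat_dnat_rules(dump)
    findings: list[str] = []
    for chain in chains:
        for proto in ("udp", "tcp"):
            hits = [r for r in rules
                    if r.chain == chain and r.proto == proto and r.dport == 53]
            if not hits:
                findings.append(
                    f"{chain}: no DNAT rule for {proto}/53; "
                    f"{proto} DNS on this path would bypass the resolver")
            for r in hits:
                if r.target != expected:
                    findings.append(
                        f"{chain}: {proto}/53 is sent to {r.target}, expected {expected}")
    return findings


# Constructed sample: the vendor's two OUTPUT rules, plus a PREROUTING rule
# for UDP only, leaving forwarded TCP DNS uncovered on purpose.
SAMPLE_DUMP = """\
*nat
:PREROUTING ACCEPT [2:143]
:INPUT ACCEPT [2:143]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [2:134]
-A OUTPUT -p udp -m udp --dport 53 -j DNAT --to-destination 103.247.36.36:53
-A OUTPUT -p tcp -m tcp --dport 53 -j DNAT --to-destination 103.247.36.36:53
-A PREROUTING -i eth1 -p udp -m udp --dport 53 -j DNAT --to-destination 103.247.36.36:53
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -p udp -m udp --dport 53 -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    # On a live host: audit_dns_redirect(subprocess.check_output(["iptables-save"], text=True), "<resolver>")
    for finding in audit_dns_redirect(SAMPLE_DUMP, "103.247.36.36") or ["OK: all port-53 DNS is forced to the resolver"]:
        print(finding)
```

Run against the sample it reports a single gap, the missing PREROUTING tcp/53 rule; run against the real output of iptables-save it gives a quick regression check after the rules are changed. It only covers plain port-53 DNS, which is all the quoted rules address.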


Reply by jvanderzee (New Member, joined 2014/07/16)
Re: Is it possible to redirect all DNS traffic to a particular external provider
Posted: 2018/09/06 12:06:21

Scott, this is possible with a VIP.  All DNS traffic destined for any external IP is remapped to a single DNS server you define, seamless to the user.  See the config below to get this to work.  This was tested on 6.0.2 and 5.6.x; you will have to test on your older firewall firmware revisions.  Just swap out my interface names with the ones you utilize.  I believe you can adjust the VIP extintf setting to "any" if you need to apply the VIP policy to multiple internal interfaces.

config system interface
    edit "wifi-tunnel"
        set vdom "root"
        set ip 10.66.66.254 255.255.255.0
    next
end
config firewall vip
    edit "dns-vip"
        set type load-balance
        set src-filter "10.66.66.0/24"
        set extip 0.0.0.0-239.255.255.255
        set extintf "wifi-tunnel"
        set service "DNS"
        set arp-reply disable
        set mappedip "4.2.2.2"
    next
end
config firewall policy
    edit 9
        set srcintf "wifi-tunnel"
        set dstintf "wan1"
        set srcaddr "internal-net"
        set dstaddr "dns-vip"
        set action accept
        set schedule "always"
        set service "DNS"
        set nat enable
    next
    edit 8
        set srcintf "wifi-tunnel"
        set dstintf "wan1"
        set srcaddr "internal-net"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

#2