Is it possible to redirect all DNS traffic to a particular external provider
I know I can DENY all outbound DNS traffic to port 53 tcp/udp and then just add an allow for our vendor's DNS servers. However, my vendor recommends redirecting all DNS traffic - which does sound like a more elegant solution if the FortiOS can handle it.
Does anyone have any suggestions on how the following might be done on a Fortigate? If relevant, we run a mix of 5.2/5.4, primarily the FG-60 series (D,E).
Snippet from my vendor's docs (DNSFilter):
Using iptables, the most common firewall on Linux systems, the rules in a config file look like this:
*nat
:PREROUTING ACCEPT [2:143]
:INPUT ACCEPT [2:143]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [2:134]
-A OUTPUT -p udp -m udp --dport 53 -j DNAT --to-destination 184.108.40.206:53
-A OUTPUT -p tcp -m tcp --dport 53 -j DNAT --to-destination 220.127.116.11:53
COMMIT
Or, using the command line to add the rules:
iptables -t nat -A OUTPUT -p udp --dport 53 -j DNAT --to 18.104.22.168:53
iptables -t nat -A OUTPUT -p tcp --dport 53 -j DNAT --to 22.214.171.124:53
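For reference, here is an added POSIX sh example (my own, not from the vendor docs and not a FortiGate answer) that builds the equivalent nat stanza for a Linux gateway. One caveat the vendor snippet glosses over: OUTPUT only catches lookups made by the firewall itself, so forwarded client traffic also needs a PREROUTING rule. The resolver address 192.0.2.53 and interface eth1 are placeholders.

```shell
#!/bin/sh
# Added example: emit an iptables-restore nat stanza that DNATs port 53
# (udp and tcp) for forwarded clients (PREROUTING) and for the gateway's
# own lookups (OUTPUT). Load it with: dns_redirect_nat <resolver> <lan-if> | iptables-restore --noflush
# Resolver and interface below are placeholders, not real vendor values.
dns_redirect_nat() {
    resolver="$1"   # address to send all DNS to
    lan_if="$2"     # interface the clients sit behind
    printf '*nat\n'
    for chain in PREROUTING OUTPUT; do
        # an inbound-interface match is only valid in PREROUTING
        if [ "$chain" = PREROUTING ]; then iface="-i $lan_if "; else iface=""; fi
        for proto in udp tcp; do
            printf '%s %s %s-p %s --dport 53 -j DNAT --to-destination %s:53\n' \
                "-A" "$chain" "$iface" "$proto" "$resolver"
        done
    done
    printf 'COMMIT\n'
}

# Policy check over an iptables-save style dump ($1): every port-53 DNAT
# must target the approved resolver ($2), and both udp and tcp must be
# covered. Returns 0 when the policy holds, 1 otherwise.
dns_policy_ok() {
    dump="$1"
    resolver="$2"
    # any DNAT for port 53 that points somewhere else is a violation
    if printf '%s\n' "$dump" | grep -e '--dport 53' | grep -e '-j DNAT' \
        | grep -v -e "--to-destination $resolver:53" | grep -q .; then
        return 1
    fi
    # a missing protocol leaves an unfiltered path (e.g. TCP fallback)
    for proto in udp tcp; do
        printf '%s\n' "$dump" | grep -e "-p $proto" | grep -e '--dport 53' \
            | grep -q -e "--to-destination $resolver:53" || return 1
    done
    return 0
}
```

`dns_policy_ok` is meant for periodic verification of the live ruleset (`iptables-save -t nat`), so a rule added by hand to a different resolver is caught.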