Support Forum
keenenick
New Contributor

Redirect Google DNS

Hi all,

 

I know this is a fairly common question on this forum but I haven't as of yet come across a definitive answer that works for me. I am hoping someone with more knowledge and experience can assist me.

 

My environment is as follows:

Fortiwifi 60E - 6.0.3 in Flow-based with profile-based in the settings.

I have a number of devices with hardcoded DNS servers.

 

I would like to be able to redirect DNS requests to my own internal DNS servers. I would particularly like to redirect requests to Google's DNS servers to ones of my own choosing. I have previously managed to do this with a pfSense firewall, Untangle NGFW as well as Mikrotiks and Ubiquiti Routers. I can't seem to figure it out with FortiOS. The way I would typically achieve this is destination NATing (similar to port forwarding) but this doesn't work as expected in FortiOS.

 

I have tried the following forum suggestions as well:

https://forum.fortinet.co...&high=redirect+dns

https://forum.fortinet.co...&high=redirect+dns

 

I am quite new to Fortigate devices and their way of doing things and would appreciate any help offered. Preferably explained as simply as possible.

 

Thanks again.

 

Nick

 

 

1 Solution
ede_pfau
Esteemed Contributor III

For traffic from LAN a simple VIP should do.

Create a 'Virtual IP', with 'external addr' as 8.8.8.8, and 'mapped to' some other DNS on the 'net. Interface is 'internal'.

Then create a policy from 'internal' to 'wan', from 'address of internal LAN' to that VIP (use the VIP, not an ordinary address object!). Set service to 'DNS' (and maybe 'PING' as well). Check 'NAT'! as this is an outbound policy.

 

This will redirect all requests to Google DNS to the other DNS.

 

This will only work if the replacement server is found on the same interface as Google DNS, i.e. on the WAN side. If you want to redirect to a different interface ('internal' or 'dmz') then you will have to use a Policy Route plus VIP. Frankly, I haven't tested yet if that is possible.

If you cannot specify the destination address in the PR then have a look at the Central NAT table (feature needs to be enabled first). Using this table you can NAT (DNAT in this case) without working on single policies.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
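The VIP-plus-policy setup Ede describes, written out as FortiOS CLI. This is an added example, not configuration from the thread or from Fortinet; interface names ("internal", "wan1"), the address object "internal-lan", the VIP and group names, and the replacement resolver 203.0.113.53 (an RFC 5737 documentation address standing in for "some other DNS on the 'net") are all assumptions, so substitute your own. It goes one step beyond the post by also covering 8.8.4.4 through a VIP group, since hardcoded clients usually carry both Google addresses.

```fortios
# Added example (assumed names and addresses): DNAT 8.8.8.8 and 8.8.4.4 to a
# replacement resolver that sits on the WAN side, as the accepted answer requires.
config firewall vip
    edit "vip-google-dns-1"
        set extip 8.8.8.8
        set extintf "internal"           # interface the clients' requests arrive on
        set mappedip "203.0.113.53"      # placeholder: your replacement DNS server
        set arp-reply disable            # the FortiGate does not own 8.8.8.8; never answer ARP for it
    next
    edit "vip-google-dns-2"
        set extip 8.8.4.4
        set extintf "internal"
        set mappedip "203.0.113.53"
        set arp-reply disable
    next
end

# One group so a single policy can reference both VIPs.
config firewall vipgrp
    edit "vipgrp-google-dns"
        set interface "internal"
        set member "vip-google-dns-1" "vip-google-dns-2"
    next
end

# Outbound policy: destination is the VIP group, not a plain address object,
# otherwise the DNAT is never applied. NAT is enabled because this is egress.
config firewall policy
    edit 0
        set name "redirect-google-dns"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "internal-lan"        # placeholder: address object for your LAN
        set dstaddr "vipgrp-google-dns"
        set action accept
        set schedule "always"
        set service "DNS"                 # UDP/53 and TCP/53
        set nat enable
        set logtraffic all                # keep a record of which hosts were redirected
    next
end
```

To confirm the translation is happening, generate a query from a LAN host and watch the session: `diagnose debug flow filter daddr 8.8.8.8`, then `diagnose debug flow trace start 10` and `diagnose debug enable`; the trace should show the VIP match and the packet leaving toward 203.0.113.53 (or whatever you mapped to). `diagnose sys session filter dport 53` followed by `diagnose sys session list` shows the same thing in the session table. With logging enabled on the policy, the traffic log also records which hosts are still hardcoded to external resolvers, which is useful inventory for a later clean-up.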

5 Replies
blackhole_route
New Contributor III

If I understand what you want to do correctly, I haven't yet found a way to configure the Fortigate to do this.

 

It sounds like what you want to do is match traffic that is initiated from inside your network that is destined to any destination IP with a dest port of udp/53, and d-nat that traffic to a destination IP address of your choosing on udp/53.

 

If this is achievable, I am most interested, more for ntp than DNS, but the same use case in principle.

blackhole_route

Thanks Ede - this can take care of the larger/well known instance (such as 8.8.8.8). And, in my testing, the policy route is not needed - at least with central nat table enabled.

 

I have tested with and without central nat table (we use central snat more than traditional vip configuration), and again this evening, I cannot find a way to configure a vip in central nat table where I need to match on any destination ip, specific protocol and port, dnat'ing to a specific IP and same destination port. In all the configurations I've tried, I have not been able to get a match on the VIP in diag debug flow.

 

To explain a bit further, the scenario is to redirect all ntp and dns queries to our own internal servers providing those functions. So, for example, we can provide the required service needed by inflexibly designed products that have hard coded ntp and dns settings (yes, I mean Google Chromebooks and Meraki devices for example), without having to open up access to chunks of internet address space.

 

Edited to add: the following is what I think logically could work, but the flow doesn't match the VIP.

config firewall vip
    edit "ntp-dnat"
        set id 10
        set uuid e53dca1a-d705-51e7-6fc6-e9eb1ee757c6
        set comment ''
        set type static-nat
        set extip 0.0.0.0
        set extintf "trust-lan"
        set arp-reply disable
        set nat-source-vip disable
        set portforward enable
        set gratuitous-arp-interval 0
        set color 0
        set mappedip "192.168.105.14"
        set protocol udp
        set extport 123
        set mappedport 123
        set portmapping-type m-to-n
    next
end

tanr
Valued Contributor II

Ede, policy route based on destination ports would let you redirect regardless of the destination IP, but is Central NAT the only way to handle it? I'm imagining some sort of wildcard VIP, but that probably doesn't exist.

keenenick

Thank you Ede,

 

I will try your suggestion and feed back. I would like to ask: are there any performance or security implications of central NAT? It seems to work much like standard NAT tables I have dealt with. I have noticed that my port forwards are faster but my VoIP latency is not as great with central NAT enabled. Although this could be all coincidental. I would be interested to know why the NAT is configured in the way fortigate does it.

 

Anyway thank you again.
