Fortigate as DNS server

Author
TheUsD
2020/10/10 08:10:13 (permalink)


Is it possible to make the following happen on a FortiGate?
DNS 10.16.0.1 would be an internal DNS server on the FortiGate 80F. Clients would be able to resolve other local clients using the FortiGate. If the DNS is a public DNS, then the FortiGate would use FortiGuard DNS servers to resolve. I've had this setup before on other devices such as Ubiquiti (EdgeRouters), SonicWalls, and NetGear devices, but for some reason the only documentation I can find is for pointing my clients to an internal Windows/Linux DNS server.


Thanks in advance




    lobstercreed
    Re: Fortigate as DNS server 2020/10/10 15:45:46 (permalink)
    I've never done it, but I'm pretty sure it's possible.  Have you checked out this cookbook?
     
    https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/960561/fortigate-dns-server
     
    TheUsD
    Re: Fortigate as DNS server 2020/10/10 16:17:08 (permalink)
    lobstercreed
    I've never done it, but I'm pretty sure it's possible.  Have you checked out this cookbook?
     
    https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/960561/fortigate-dns-server
     
    So I should have followed up with this sooner...I ended up just calling support and getting their feedback:
     
    "You can create local DNS servers for your network. Depending on your requirements, you can either manually maintain your entries (master DNS server), or use it to refer to an outside source (slave DNS server)." ...Answered the question but I had to hear it from them.
     
    Basically, if you want to enter ALL your DNS entries manually, then it can be your local DNS server, which is no good if you have DHCP clients in a subnet or VLAN with DHCP turned on. However, the FortiGate is still considered a FIREWALL (though it is basically a router) and thus does not have internal auto-populating DNS database functionality. Therefore, you will still need a Windows / Linux DNS server.

    Honestly, I think this is a huge off-set and a complete miss on FN's part. With so much power and dedicated resources combined with a superior GUI/CLI, I cannot understand why they drew the line at this: having an internal DNS server that has the capability to create A records on its own. Even the small fries like SonicWall, EdgeRouter (Ubiquiti), Netgear and Linksys can accomplish this.

    Anyways, I am considering the subject closed and sadly resolved.
    sw2090
    Re: Fortigate as DNS server 2020/10/11 23:45:31 (permalink)
    hm, FortiGate does have both a DNS forwarder and a DNS database. So what you want should be possible.
    You can even populate a specific DNS via FGT DHCP Server on an interface. It just needs to be reachable from there of course to make sense ;)
     
    Beware: that is not a good idea if you run an AD. In AD, DNS should always be on the DC!
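A worked configuration for what sw2090 describes above (DNS database plus forwarder on the FortiGate, handed out to clients by the FortiGate's own DHCP server). This is an added illustration written for this page; it is not from the thread, from the cookbook linked in #2, or from Fortinet. The interface name "internal", the 10.16.0.0/24 subnet, the zone "corp.example" and the hostnames are assumed, and the CLI follows FortiOS 6.x syntax, so option names may differ slightly on other releases.

```fortios
# Added example, not from the thread or Fortinet's docs. Assumptions: LAN
# interface "internal" at 10.16.0.1/24, zone "corp.example", hostnames and
# the DHCP range are made up for illustration.

# 1. Upstream resolvers the FortiGate itself forwards to. These are the
#    FortiGuard DNS defaults on recent FortiOS; shown explicitly so the
#    forwarding path in step 3 is visible.
config system dns
    set primary 96.45.45.45
    set secondary 96.45.46.46
end

# 2. The local zone. "shadow" view means the zone is only used to answer
#    recursive queries from the inside; it is never served as a public zone.
#    Every entry is static: nothing here is populated from DHCP leases.
config system dns-database
    edit "corp"
        set domain "corp.example"
        set type master
        set view shadow
        set ttl 86400
        set authoritative enable
        config dns-entry
            edit 1
                set type A
                set hostname "fileserver"
                set ip 10.16.0.20
            next
            edit 2
                set type A
                set hostname "printer"
                set ip 10.16.0.30
            next
            edit 3
                set type CNAME
                set hostname "files"
                set canonical-name "fileserver.corp.example"
            next
        end
    next
end

# 3. Enable the DNS service on the LAN interface. "recursive" answers from
#    the shadow database first and forwards everything else to the system DNS
#    from step 1, which is the split the original question asks for.
config system dns-server
    edit "internal"
        set mode recursive
    next
end

# 4. Hand the FortiGate out as the resolver. "dns-service local" puts the
#    interface address (10.16.0.1) in the lease as the DNS server.
config system dhcp server
    edit 1
        set interface "internal"
        set default-gateway 10.16.0.1
        set netmask 255.255.255.0
        set domain "corp.example"
        set dns-service local
        config ip-range
            edit 1
                set start-ip 10.16.0.100
                set end-ip 10.16.0.200
            next
        end
    next
end
```

To check it from a client that has taken a lease, resolve an internal name and an external one against the FortiGate (`nslookup fileserver.corp.example 10.16.0.1` and `nslookup www.example.com 10.16.0.1`); the first should come from the database, the second via the FortiGuard forwarders. Two caveats that the replies raise still apply: the `dns-entry` list is maintained by hand, so DHCP clients that are not listed there will not resolve (TheUsD's objection in #3), and in an Active Directory domain the DHCP option should point clients at the domain controller rather than at the FortiGate, as sw2090 warns.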
    lobstercreed
    Re: Fortigate as DNS server 2020/10/12 04:37:00 (permalink)
    Your initial post didn't say anything about dynamic population of the database, just resolving internal clients.  THAT the FortiGate can definitely do.
     
    TheUsD
    Honestly, I think this is a huge off-set and a complete miss on FN's part. With so much power and dedicated resources combined with a superior GUI/CLI, I cannot understand why they drew the line at this: having an internal DNS server that has the capability to create A records on its own. Even the small fries like SonicWall, EdgeRouter (Ubiquiti), Netgear and Linksys can accomplish this.
    I'm actually really surprised that those other products are accomplishing that for you.  As far as I knew you pretty much have to have AD (where clients register themselves in DNS) to get the functionality you're looking for.  So I would be more "impressed" I guess that those others can do it than disappointed that Fortinet can't.  The product really isn't meant for that.