FortiGate
mbanica
Staff
Article Id 194765

Description

This article explains how to configure DNS zone transfer over IPsec.


Scope

All FortiGates.


Solution

DNS Master configuration

In this example the IPsec tunnel is in interface mode (a virtual interface is created) and is named "to_600C"; the internal network is on port15. The remote phase1 is named "to_200D" and the remote internal network is on port6. It is assumed that IPsec is already working correctly and that the DNS zone transfer now needs to be implemented:
mbanica_FD37029_tn_FD37029-1.jpg

The DNS service must be enabled on the IPsec and internal interfaces, in Recursive mode:
mbanica_FD37029_tn_FD37029-2.jpg

Create a new DNS Database (in this example the DNS zone "fortinet"):
mbanica_FD37029_tn_FD37029-3.jpg

Edit "fortinet":
mbanica_FD37029_tn_FD37029-4.jpg

Adding DNS entries:
mbanica_FD37029_tn_FD37029-5.jpg

CLI configuration (note that "allow-transfer" restricts zone transfers to 10.30.1.104, the address of the slave's port6, so no other host can pull the zone):
FG200P3911600224 (dns-database) # sh full-configuration
config system dns-database
    edit "fortinet"
        set authoritative enable
            config dns-entry
                edit 1
                    set hostname "facebook.com"
                    set status enable
                    set ttl 60
                    set type A
                    set ip 173.252.120.6
                next
                edit 2
                    set hostname "www.facebook.com"
                    set status enable
                    set ttl 0
                    set type NS
                next
                edit 3
                    set hostname "apps"
                    set status enable
                    set ttl 0
                    set type CNAME
                    set canonical-name "facebook.com"
                next
            end
        set domain "facebook.com"
        unset forwarder
        set source-ip 0.0.0.0
        set status enable
        set ttl 86400
        set type master
        set view shadow
        set allow-transfer "10.30.1.104"
        set contact "test@fortinet.com"
        set primary-name "master"
    next
end

FG200P3911600224 (dns-database) #
DNS Slave configuration

Enable the DNS service on the IPsec and local interfaces, in Recursive mode:

mbanica_FD37029_tn_FD37029-6.jpg

Create the DNS zone:
mbanica_FD37029_tn_FD37029-7.jpg

The firewall policies for the IPsec tunnel must allow the DNS service: select either service "ALL" or "DNS" among the selected services.

CLI configuration:
FG600C3913802263 # conf sys dns-database

FG600C3913802263 (dns-database) #  edit fortinet

FG600C3913802263 (fortinet) # sh full-configuration
config system dns-database
    edit "fortinet"
        set status enable
        set domain "facebook.com"
        set type slave
        set view shadow
        set authoritative disable
        unset forwarder
        set source-ip 0.0.0.0
        set ip-master 10.23.1.36
    next
end

FG600C3913802263 (fortinet) #
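As an added example (not part of the article or Fortinet's tooling), the following script parses the two "show full-configuration" outputs above and cross-checks the master/slave pair: the master's "allow-transfer" must contain exactly the slave's source address (10.30.1.104, port6 on the 600C) and nothing else, the slave's "ip-master" must point at the master (10.23.1.36), and domain, view and type must agree. The configuration text is copied from the article, with the extra DNS entries trimmed; the function names and the expected addresses passed as parameters are this example's own assumptions.

```python
import re

# dns-database configuration of the two FortiGates, copied from the article
# (master on the 200D, slave on the 600C); zone "fortinet" / domain "facebook.com"
# are the article's example values. Extra dns-entry records have been trimmed.
MASTER_CFG = """
config system dns-database
    edit "fortinet"
        set authoritative enable
            config dns-entry
                edit 1
                    set hostname "facebook.com"
                    set status enable
                    set ttl 60
                    set type A
                    set ip 173.252.120.6
                next
            end
        set domain "facebook.com"
        unset forwarder
        set source-ip 0.0.0.0
        set status enable
        set ttl 86400
        set type master
        set view shadow
        set allow-transfer "10.30.1.104"
        set contact "test@fortinet.com"
        set primary-name "master"
    next
end
"""

SLAVE_CFG = """
config system dns-database
    edit "fortinet"
        set status enable
        set domain "facebook.com"
        set type slave
        set view shadow
        set authoritative disable
        unset forwarder
        set source-ip 0.0.0.0
        set ip-master 10.23.1.36
    next
end
"""


def parse_dns_database(text):
    """Parse a 'config system dns-database' block into {zone: {setting: value}}.
    Nested 'config dns-entry' sub-blocks and CLI prompt lines are skipped; 'unset'
    keys map to None; multi-value settings such as allow-transfer are kept as a
    space-separated string."""
    zones, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            depth += 1
            continue
        if line == "end":
            depth -= 1
            continue
        if depth != 1:  # outside the block, or inside a dns-entry sub-block
            continue
        m = re.match(r'^edit "?([^"]+)"?$', line)
        if m:
            current = zones.setdefault(m.group(1), {})
        elif line == "next":
            current = None
        elif current is not None:
            m = re.match(r"^(set|unset) (\S+)(?: (.*))?$", line)
            if m:
                verb, key, value = m.groups()
                current[key] = None if verb == "unset" else value.replace('"', "")
    return zones


def check_transfer_pair(master_zones, slave_zones, zone, master_ip, slave_ip):
    """Cross-check one zone on a master/slave pair. master_ip is the master's DNS
    address (10.23.1.36 in the article); slave_ip is the address the slave sources
    the transfer from (10.30.1.104 in the article). Returns a list of findings;
    an empty list means the pair is consistent and transfer access is minimal."""
    findings = []
    m, s = master_zones.get(zone), slave_zones.get(zone)
    if m is None or s is None:
        return [f"zone {zone!r} missing on " + ("master" if m is None else "slave")]
    if m.get("type") != "master" or s.get("type") != "slave":
        findings.append("type must be 'master' on the master and 'slave' on the slave")
    for key in ("domain", "view"):
        if m.get(key) != s.get(key):
            findings.append(f"{key} differs: master={m.get(key)!r} slave={s.get(key)!r}")
    allowed = (m.get("allow-transfer") or "").split()
    if slave_ip not in allowed:
        findings.append(f"master allow-transfer {allowed} does not include slave {slave_ip}")
    extra = sorted(set(allowed) - {slave_ip})
    if extra:
        findings.append(f"master allow-transfer also permits {extra}; restrict it to the slave")
    if s.get("ip-master") != master_ip:
        findings.append(f"slave ip-master is {s.get('ip-master')!r}, expected {master_ip}")
    for side, cfg in (("master", m), ("slave", s)):
        if cfg.get("status") != "enable":
            findings.append(f"{side} zone is not enabled")
    return findings


if __name__ == "__main__":
    master, slave = parse_dns_database(MASTER_CFG), parse_dns_database(SLAVE_CFG)
    print(check_transfer_pair(master, slave, "fortinet", "10.23.1.36", "10.30.1.104") or "OK")
```

Run it against configurations pulled from both units after any change to the zone; any finding other than an empty list means either the transfer will fail or more hosts than the intended slave are allowed to request the zone.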

Testing the connection

Client on DNS Master side:

mbanica_FD37029_tn_FD37029-8.jpg

Client on DNS Slave side:
mbanica_FD37029_tn_FD37029-9.jpg

Sniffer on the DNS Master while running nslookup facebook.com from client 10.30.0.172:
FG200P3911600224 # diag sniffer packet any "port 53" 4 0
interfaces=[any]
filters=[port 53]
9.132808 to_600C in 10.30.0.172.58881 -> 10.23.1.36.53: udp 41
9.315714 to_600C out 10.23.1.36.53 -> 10.30.0.172.58881: udp 118
9.318823 to_600C in 10.30.0.172.58882 -> 10.23.1.36.53: udp 30
9.318989 to_600C out 10.23.1.36.53 -> 10.30.0.172.58882: udp 64
9.320293 to_600C in 10.30.0.172.58883 -> 10.23.1.36.53: udp 30
9.320434 to_600C out 10.23.1.36.53 -> 10.30.0.172.58883: udp 91

Sniffer on the DNS Slave while running nslookup facebook.com from client 10.30.0.172:
FG600C3913802263 # diag sniffer packet any "port 53 and host 10.23.1.36" 4 0
interfaces=[any]
filters=[port 53 and host 10.23.1.36]
2.683511 to_200D out 1.1.1.2.31370 -> 10.23.1.36.53: udp 34
5.278740 port6 in 10.30.0.172.60952 -> 10.23.1.36.53: udp 41
5.278773 to_200D out 10.30.0.172.60952 -> 10.23.1.36.53: udp 41
7.280961 port6 in 10.30.0.172.60953 -> 10.23.1.36.53: udp 30
7.280975 to_200D out 10.30.0.172.60953 -> 10.23.1.36.53: udp 30

Note that the lowest interface index on the 600C belongs to port5, which is not the LAN port, yet the sniffer output above shows the traffic going correctly inside the tunnel:
FG600C3913802263 # diag ip address  list
IP=10.50.1.1->10.50.1.1/255.255.255.0 index=11 devname=port5
IP=10.30.1.104->10.30.1.104/255.255.252.0 index=12 devname=port6
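The sniffer outputs above are what proves the transfer traffic is inside the tunnel: every packet to or from the master appears on "to_600C" / "to_200D", or arrives from a client on a LAN port. As an added example (not part of the article), the script below parses "diag sniffer packet" lines at verbosity 4 and flags any DNS packet involving the master that is on neither a tunnel interface nor a LAN port, which is what a leak onto the wire would look like. The capture lines are copied from the article; the final line on interface "wan1" is constructed for this example to show a finding, and the "to_" prefix and LAN port names are assumptions taken from the article's naming.

```python
import re
from collections import Counter

# Sniffer output copied from the article: master side (to_600C) and slave side
# (to_200D / port6). The last line is CONSTRUCTED for this example and is not in
# the article's capture: it shows a DNS packet to the master leaving in the clear
# on a hypothetical WAN port "wan1".
SNIFFER_OUTPUT = """
interfaces=[any]
filters=[port 53]
9.132808 to_600C in 10.30.0.172.58881 -> 10.23.1.36.53: udp 41
9.315714 to_600C out 10.23.1.36.53 -> 10.30.0.172.58881: udp 118
9.318823 to_600C in 10.30.0.172.58882 -> 10.23.1.36.53: udp 30
9.318989 to_600C out 10.23.1.36.53 -> 10.30.0.172.58882: udp 64
9.320293 to_600C in 10.30.0.172.58883 -> 10.23.1.36.53: udp 30
9.320434 to_600C out 10.23.1.36.53 -> 10.30.0.172.58883: udp 91
2.683511 to_200D out 1.1.1.2.31370 -> 10.23.1.36.53: udp 34
5.278740 port6 in 10.30.0.172.60952 -> 10.23.1.36.53: udp 41
5.278773 to_200D out 10.30.0.172.60952 -> 10.23.1.36.53: udp 41
7.280961 port6 in 10.30.0.172.60953 -> 10.23.1.36.53: udp 30
7.280975 to_200D out 10.30.0.172.60953 -> 10.23.1.36.53: udp 30
12.000000 wan1 out 10.30.1.104.44321 -> 10.23.1.36.53: tcp 70
"""

# One packet line: "<ts> <iface> <in|out> <src>.<sport> -> <dst>.<dport>: <proto> <len>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+(?P<proto>\w+)\s+(?P<length>\d+)$"
)


def parse_sniffer(text):
    """Parse sniffer packet lines into dicts; the interfaces=/filters= header
    lines and anything else that does not match are ignored."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        p = m.groupdict()
        for key in ("sport", "dport", "length"):
            p[key] = int(p[key])
        p["ts"] = float(p["ts"])
        packets.append(p)
    return packets


def find_cleartext_dns(packets, master_ip, tunnel_prefix="to_", lan_ports=("port6", "port15")):
    """Return DNS packets to/from the master that sit on neither a tunnel interface
    (name starts with tunnel_prefix) nor a local LAN port: those would travel
    unencrypted. tunnel_prefix and lan_ports follow the article's naming."""
    return [
        p for p in packets
        if master_ip in (p["src"], p["dst"])
        and 53 in (p["sport"], p["dport"])
        and not p["iface"].startswith(tunnel_prefix)
        and p["iface"] not in lan_ports
    ]


def packets_per_interface(packets):
    """Count packets per interface, useful to confirm the tunnel carried them."""
    return Counter(p["iface"] for p in packets)


if __name__ == "__main__":
    pkts = parse_sniffer(SNIFFER_OUTPUT)
    print(packets_per_interface(pkts))
    for p in find_cleartext_dns(pkts, "10.23.1.36"):
        print("cleartext DNS on", p["iface"], p["src"], "->", p["dst"], p["proto"])
```

Feed it the raw output of "diag sniffer packet any "port 53" 4 0" from each unit; an empty finding list together with tunnel interfaces dominating the per-interface counts is the expected result for a working setup. Zone transfers themselves use TCP port 53, so keep "port 53" (not "udp port 53") in the filter when checking them.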
