Description
This article describes how to set up a FortiGate as a DNS Conditional Forwarder.
Solution
If there is a need to forward a particular DNS request to a local DNS server for example, FortiGate offers a conditional forwarding feature.
Note:
Make sure that the local DNS server has the valid DNS records. Also, use the IP address of the 'port4' (the interface which is close to the client) as a DNS server IP address on the DNS client.
config system dns <- FortiGate configured with the external DNS servers.
set primary 1.1.1.1
set secondary 208.91.112.52
set domain "iba.local"
end
Enable The DNS Database from System -> Feature Visibility and enable DNS Database. Once enabled, it will be possible to configure the DNS Database in the GUI.
config system dns-database
edit "dc1.iba.local"
set domain "dc1.iba.local" <- A local domain name which is planned to be forwarded to the internal DNS server.
set authoritative disable
set forwarder "172.16.190.216" <- Internal DNS server.
next
end
config system dns-server <- Interface listening for DNS requests.
edit "port4"
set mode recursive
next
end
Note: If the DNS server is over a VPN, a source IP may need to be specified for the FortiGate to reach the DNS server.
This can be done with the following commands:
config system dns-database
edit "test_dns_zone"
set source-ip 192.168.2.99
next
end
The DNS forwarding can be verified by running the following sniffer commands.
Note:
In the following example, a DNS request was sent to 172.16.191.1 (the IP address of the interface that is listening for DNS requests) for dc1.iba.local from a DNS client 172.16.191.210. After, it was forwarded to the local DNS server (172.16.190.219), which is the expected result.
diagnose sniffer packet any '(port 53 and host 172.16.191.210) or (port 53 and host 172.16.190.216)' 6 0 a interfaces=[any]
filters=[(port 53 and host 172.16.191.210) or (port 53 and host 172.16.190.216)]
2019-09-09 14:59:39.712277 port4 in 172.16.191.210.54337 -> 172.16.191.1.53: udp 31
0x0000 0000 0000 0001 0050 5004 6802 0800 4500 .......PP.h...E.
0x0010 003b 21e2 0000 8011 41db ac10 bfd2 ac10 .;!.....A.......
0x0020 bf01 d441 0035 0027 8d38 215f 0100 0001 ...A.5.'.8!_....
0x0030 0000 0000 0000 0364 6331 0369 6261 056c .......dc1.iba.l
0x0040 6f63 616c 0000 0100 01 ocal.....
2019-09-09 14:59:39.712577 port3 out 172.16.190.1.1717 -> 172.16.190.216.53: udp 31
0x0000 0000 0000 0000 0050 5013 6303 0800 4500 .......PP.c...E.
0x0010 003b 5c55 4000 4011 0962 ac10 be01 ac10 .;\U@.@..b......
0x0020 bed8 06b5 0035 0027 5cbf 215f 0100 0001 .....5.'\.!_....
0x0030 0000 0000 0000 0364 6331 0369 6261 056c .......dc1.iba.l
0x0040 6f63 616c 0000 0100 01 ocal.....
2019-09-09 14:59:39.713159 port3 in 172.16.190.216.53 -> 172.16.190.1.1717: udp 47
0x0000 0000 0000 0001 0050 5010 6801 0800 4500 .......PP.h...E.
0x0010 004b 1adb 0000 8011 4acc ac10 bed8 ac10 .K......J.......
0x0020 be01 0035 06b5 0037 cbe4 215f 8580 0001 ...5...7..!_....
0x0030 0001 0000 0000 0364 6331 0369 6261 056c .......dc1.iba.l
0x0040 6f63 616c 0000 0100 01c0 0c00 0100 0100 ocal............
0x0050 000e 1000 04ac 10be d8 .........
2019-09-09 14:59:39.713232 port4 out 172.16.191.1.53 -> 172.16.191.210.54337: udp 47
0x0000 0000 0000 0000 0050 5013 6304 0800 4500 .......PP.c...E.
0x0010 004b 5c55 4000 4011 0758 ac10 bf01 ac10 .K\U@.@..X......
0x0020 bfd2 0035 d441 0037 fc5d 215f 8580 0001 ...5.A.7.]!_....
0x0030 0001 0000 0000 0364 6331 0369 6261 056c .......dc1.iba.l
0x0040 6f63 616c 0000 0100 01c0 0c00 0100 0100 ocal............
0x0050 000e 1000 04ac 10be d8 .........
However, in cases where connection is made to the other internal/external web resources, the DNS queries will be forwarded to the external DNS servers which are configured on the FortiGate:
diagnose sniffer packet any 'udp and port 53' 6 0 0 a
9.131101 port4 in 172.16.191.210.62976 -> 172.16.191.1.53: udp 28
0x0000 0000 0000 0001 0050 5004 6802 0800 4500 .......PP.h...E.
0x0010 0038 1baf 0000 8011 4811 ac10 bfd2 ac10 .8......H.......
0x0020 bf01 f600 0035 0024 1258 74ed 0100 0001 .....5.$.Xt.....
0x0030 0000 0000 0000 0766 6374 6172 617a 026b .......fctaraz.k
0x0040 7a00 0001 0001 z.....
9.131373 port1 out 10.109.19.83.4128 -> 1.1.1.1.53: udp 28
0x0000 0000 0000 0000 0050 5013 6301 0800 4500 .......PP.c...E.
0x0010 0038 3ee5 4000 4011 dc0e 0a6d 1353 0101 .8>.@.@....m.S..
0x0020 0101 1020 0035 0024 af6c 74ed 0100 0001 .....5.$.lt.....
0x0030 0000 0000 0000 0766 6374 6172 617a 026b .......fctaraz.k
0x0040 7a00 0001 0001 z.....
9.158692 port4 in 172.16.191.210.62976 -> 172.16.191.1.53: udp 28
0x0000 0000 0000 0001 0050 5004 6802 0800 4500 .......PP.h...E.
0x0010 0038 1bb0 0000 8011 4810 ac10 bfd2 ac10 .8......H.......
0x0020 bf01 f600 0035 0024 1258 74ed 0100 0001 .....5.$.Xt.....
0x0030 0000 0000 0000 0766 6374 6172 617a 026b .......fctaraz.k
0x0040 7a00 0001 0001 z.....
9.188096 port1 in 1.1.1.1.53 -> 10.109.19.83.4128: udp 44
0x0000 0000 0000 0001 0009 0f09 c723 0800 4500 ...........#..E.
0x0010 0048 3f9a 4000 3a11 e149 0101 0101 0a6d .H?.@.:..I.....m
0x0020 1353 0035 1020 0034 9f97 74ed 8180 0001 .S.5...4..t.....
0x0030 0001 0000 0000 0766 6374 6172 617a 026b .......fctaraz.k
0x0040 7a00 0001 0001 c00c 0001 0001 0000 0e10 z...............
0x0050 0004 b962 07ae ...b..
9.188197 port4 out 172.16.191.1.53 -> 172.16.191.210.62976: udp 44
0x0000 0000 0000 0000 0050 5013 6304 0800 4500 .......PP.c...E.
0x0010 0048 44e5 4000 4011 1ecb ac10 bf01 ac10 .HD.@.@.........
0x0020 bfd2 0035 f600 0034 0283 74ed 8180 0001 ...5...4..t.....
0x0030 0001 0000 0000 0766 6374 6172 617a 026b .......fctaraz.k
0x0040 7a00 0001 0001 c00c 0001 0001 0000 0e10 z...............
0x0050 0004 b962 07ae ...b..
Related article:
Technical Tip: FortiGate DNS forwarder retry and timeout values
Technical Tip: FortiGate DNS forwarder retry and timeout values
