pchonacky
New Contributor

internal host resolution for firewall services

I have a FortiGate for a customer where the appliance DNS is configured to external servers and a DNS database pointing to the internal domain servers.
The problem I'm running into is I want to point the firewall LDAP to an internal server using its hostname (not IP), but the firewall's internal DNS resolution seems to bypass the DNS database, so it can't resolve the internal names correctly. (i.e. hostname.domain.internal fails to resolve) [not the real domain]

Is there a way around this that doesn't involve pointing DNS directly to the internal servers? I want to be able to keep using the firewall as a DNS proxy to external servers in case internal DNS is down.

Thanks in advance for your replies.

1 Solution
bpozdena_FTNT

Hi @pchonacky ,

You should configure your FortiGate to use your internal DNS servers.

Alternatively, you can play around with setting your internal DNS servers as alternative ones, which will be used when a particular domain name is not found on public DNS servers. More details at: https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiGate-alt-primary-alt-secondary-DNS-se...

HTH,
Boris

pchonacky

Thanks,

I was able to resolve the internal hosts by using the alt-... entries.

I also had to enable the cleartext (udp/53) protocol as the internal DNS servers don't do secure DNS (Microsoft). I just need to make sure that the internal hosts I need to resolve don't match the external hostnames, since the internal domain and the public domain are the same.

/P
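Putting the accepted answer and the follow-up together, here is an added example of the resulting `config system dns` block. It is not configuration from the thread or from Fortinet's documentation; it assumes the `alt-primary` / `alt-secondary` keywords described in the linked Technical Tip, keeps the public resolvers from the original post, and uses 192.0.2.16 and 192.0.2.250 as placeholder addresses for the internal domain controllers.

```fortios
config system dns
    set primary 96.45.45.45
    set secondary 96.45.46.46
    set protocol cleartext dot
    set server-hostname "globalsdns.fortinet.net"
    set alt-primary 192.0.2.16
    set alt-secondary 192.0.2.250
end
```

`set protocol cleartext dot` keeps DNS over TLS for the FortiGuard servers while allowing plain UDP/53 to the Windows DNS servers, which do not answer DoT; with `dot` alone the alternates are never reachable. The public servers stay primary, so external resolution (and the firewall's DNS proxy role) survives an internal DNS outage. The alternates are consulted only after the public servers answer that a name does not exist, so a host name that also exists in the public zone resolves to the public address and never reaches the internal servers; since the internal and public domains are the same here, the LDAP server's name must not collide with a public record. Verify from the CLI the same way the thread does, for example `execute ping ldap.xx.xxxxxxx.org` (placeholder name), which should now return the internal address instead of "Unable to resolve hostname."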

hbac
Staff

Hi @pchonacky,

DNS database should work. I tested in my lab and it worked. I'm using FortiGuard DNS servers.

[screenshot: pingg.PNG]

[screenshot: dns database.PNG]

[screenshot: DNS.PNG]

Regards,

pchonacky
New Contributor

Hi hbac,

What you have there appears to be static entries. I'm trying to resolve the internal hosts by forwarding to the internal DNS servers.

Config snippets below with sensitive details redacted

config system dns
    set primary 96.45.45.45
    set secondary 96.45.46.46
    set protocol dot
    set server-hostname "globalsdns.fortinet.net"
    set domain "xx.xxxxxxx.org"
end

config system dns-server
    edit "port10"
    next
    edit "SCHOOL"
    next
end

config system dns-database
    edit " xx.xxxxxxx.org "
        set domain " xx.xxxxxxx.org"
        set view public
        set forwarder "x.x.x.16" "x.x.x.250"
    next
end

Testing:

xxxxxxxxxxFG400E-Primary # execute ping-options interface port10

xxxxxxxxxxFG400E-Primary # execute ping x.x.x.16
PING x.x.x.16 (x.x.x.16): 56 data bytes
64 bytes from x.x.x.16: icmp_seq=0 ttl=128 time=0.2 ms
64 bytes from x.x.x.16: icmp_seq=1 ttl=128 time=0.1 ms
64 bytes from x.x.x.16: icmp_seq=2 ttl=128 time=0.1 ms
64 bytes from x.x.x.16: icmp_seq=3 ttl=128 time=0.1 ms
64 bytes from x.x.x.16: icmp_seq=4 ttl=128 time=0.1 ms

--- x.x.x.16 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.1/0.1/0.2 ms

xxxxxxxxxxFG400E-Primary # execute ping xxxxx.xx.xxxxxx.org
Unable to resolve hostname.

xxxxxxxxxxFG400E-Primary #
