FortiGate
mricardez
Staff
Article Id 279575
Description This article describes how FortiGate can function as a DNS server. FortiGate is not a full-featured DNS server; it works as a DNS proxy.
Scope FortiGate v7.0 and earlier.
Solution

FortiGate can be used as a DNS Server on the network. It will listen for DNS queries on specific interfaces where the service has been enabled.

The DNS service on FortiGate works in one of three modes: Recursive, Non-Recursive, or Forward to System DNS (forward-only). These modes only control which local DNS database the FortiGate consults and whether unmatched queries are forwarded; none of them makes the FortiGate perform iterative resolution itself.

The FortiGate 'Recursive' or 'Non-Recursive' mode of operation should not be confused with the concept of recursive DNS resolution.

In DNS terms, name resolution is the process by which a DNS server resolves an FQDN to an IP address. A DNS lookup can be performed in two ways: 'Recursive' and 'Iterative'.

Usually, the 'Recursive' query happens between the client and its local DNS server (also known as a recursive DNS server, DNS resolver, or caching nameserver), and the 'Iterative' lookups happen between the local DNS server and the other DNS servers (root servers, TLD servers, and authoritative servers).

[Image: DNSPRoxy_16Oct2023.drawio.png]

When acting as a DNS server, FortiGate operates as a DNS proxy rather than a full-featured DNS server. In particular, FortiGate does not perform recursive resolution itself; it expects the upstream DNS servers configured under system.dns to do so.

config system dns
    set primary 96.45.45.45 <- These must be DNS servers that perform recursive resolution.
    set secondary 96.45.46.46 <-
end

The DNS server currently supports 3 modes:

config system dns-server
    edit "lan"
        set mode recursive
    next
    edit "wan"
        set mode non-recursive
    next
    edit "dmz"
        set mode forward-only
    next
end

The mode of the DNS server determines how it looks up the local DNS database and whether a request received on that particular interface is forwarded to the upstream DNS servers when no local entry matches. Two types of DNS database are currently supported: shadow and public.

config system dns-database
    edit "1"
        set domain "test.com"
        set view shadow <-
        config dns-entry
            edit 1
                set hostname "www"
                set ip 192.168.1.1
            next
        end
    next
    edit "2"
        set domain "test.com"
        set view public <-
        config dns-entry
            edit 1
                set hostname "www"
                set ip 1.1.1.1
            next
        end
    next
end

Consider an example scenario where a user is trying to resolve www.test.com. The outcome depends on the mode of the interface that receives the query, so all three modes are worked through below.

  1. If the request is from a DMZ interface (dns-server mode is forward-only), it will not look up the local database. The request is directly forwarded to the upstream DNS server.
  2. If the request is from a LAN interface (dns-server mode is recursive), it will look up the shadow database, meaning it will resolve to 192.168.1.1. But if the request does not match any dns-entry in test.com (for example, a query for server.test.com) or any shadow database, the request will be forwarded to the upstream DNS server.
  3. If the request is from a WAN interface (dns-server mode is non-recursive), it will only look up the public database, so it will resolve to 1.1.1.1. But if the request does not match any dns-entry in test.com (for example, a query for server.test.com) or any public database, the resolution will fail. In other words, the request will not be forwarded to an upstream recursive server for non-recursive mode.
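To make the three rules concrete, here is an added Python model of the lookup order described above. It is an illustration written for this article, not Fortinet code, and FortiGate does not expose this logic. The shadow and public entries mirror the dns-database configuration on this page; the upstream resolver is a constructed stub that returns constructed 203.0.113.x addresses.

```python
"""Model of the FortiGate dns-server lookup order described in the article.

Added illustration, not Fortinet code. The FortiGate behaviour is simulated in
plain Python so the three modes can be compared side by side. The upstream
server is a constructed stub, not a real resolver.
"""

# The two local databases from the article's config, keyed by view.
# Each view maps a domain to {hostname: ip}; both views cover "test.com".
DNS_DATABASE = {
    "shadow": {"test.com": {"www": "192.168.1.1"}},
    "public": {"test.com": {"www": "1.1.1.1"}},
}

# dns-server mode per listening interface, as in "config system dns-server".
DNS_SERVER_MODES = {
    "lan": "recursive",
    "wan": "non-recursive",
    "dmz": "forward-only",
}

# Constructed stand-in for the recursive resolvers configured under system.dns.
UPSTREAM_ANSWERS = {
    "www.test.com": "203.0.113.10",
    "server.test.com": "203.0.113.20",
}


def lookup_local(view, fqdn):
    """Return the IP for fqdn from the given local view, or None if no entry matches."""
    host, _, domain = fqdn.rstrip(".").partition(".")
    return DNS_DATABASE.get(view, {}).get(domain, {}).get(host)


def forward_upstream(fqdn):
    """Ask the (stub) upstream recursive resolver; None means it had no answer."""
    return UPSTREAM_ANSWERS.get(fqdn.rstrip("."))


def resolve(interface, fqdn):
    """Resolve fqdn for a query arriving on `interface`, following the three rules.

    Returns (ip, source) where source is "shadow", "public" or "upstream",
    or (None, "failed") when resolution fails.
    """
    mode = DNS_SERVER_MODES[interface]
    if mode == "forward-only":
        # Rule 1: the local database is skipped entirely.
        ip = forward_upstream(fqdn)
        return (ip, "upstream") if ip else (None, "failed")
    if mode == "recursive":
        # Rule 2: shadow view first, then fall back to the upstream resolver.
        ip = lookup_local("shadow", fqdn)
        if ip:
            return ip, "shadow"
        ip = forward_upstream(fqdn)
        return (ip, "upstream") if ip else (None, "failed")
    if mode == "non-recursive":
        # Rule 3: public view only; no fallback to upstream.
        ip = lookup_local("public", fqdn)
        return (ip, "public") if ip else (None, "failed")
    raise ValueError(f"unknown dns-server mode: {mode}")


if __name__ == "__main__":
    for iface in ("dmz", "lan", "wan"):
        for name in ("www.test.com", "server.test.com"):
            print(f"{iface:4} {name:16} -> {resolve(iface, name)}")
```

Running the script prints one line per interface and name; the wan/server.test.com row is the only failure, which is the non-recursive behaviour the third rule describes.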
Misconception:

The DNS servers configured under system.dns must not be iterative-only DNS servers such as the root servers. Since the FortiGate does not perform recursive queries itself, it would simply proxy the root server's referral back to the client without ever obtaining a valid answer.

config system dns
    set primary 198.41.0.4 <- A.ROOT-SERVERS.NET.
end

For example, when a PC sends a DNS lookup to the FortiGate DNS server listening on 192.168.10.254, the response the PC receives is the root server's referral (an iterative response) rather than an answer:

dig www.fortinet.com @192.168.10.254

; <<>> DiG 9.10.3-P4-Debian <<>> www.fortinet.com @192.168.10.254
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38219
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 27
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.fortinet.com. IN A

;; AUTHORITY SECTION:
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.

;; ADDITIONAL SECTION:
e.gtld-servers.net. 172800 IN A 192.12.94.30
e.gtld-servers.net. 172800 IN AAAA 2001:502:1ca1::30
b.gtld-servers.net. 172800 IN A 192.33.14.30
b.gtld-servers.net. 172800 IN AAAA 2001:503:231d::2:30
j.gtld-servers.net. 172800 IN A 192.48.79.30
j.gtld-servers.net. 172800 IN AAAA 2001:502:7094::30
m.gtld-servers.net. 172800 IN A 192.55.83.30
m.gtld-servers.net. 172800 IN AAAA 2001:501:b1f9::30
i.gtld-servers.net. 172800 IN A 192.43.172.30
i.gtld-servers.net. 172800 IN AAAA 2001:503:39c1::30
f.gtld-servers.net. 172800 IN A 192.35.51.30
f.gtld-servers.net. 172800 IN AAAA 2001:503:d414::30
a.gtld-servers.net. 172800 IN A 192.5.6.30
a.gtld-servers.net. 172800 IN AAAA 2001:503:a83e::2:30
g.gtld-servers.net. 172800 IN A 192.42.93.30
g.gtld-servers.net. 172800 IN AAAA 2001:503:eea3::30
h.gtld-servers.net. 172800 IN A 192.54.112.30
h.gtld-servers.net. 172800 IN AAAA 2001:502:8cc::30
l.gtld-servers.net. 172800 IN A 192.41.162.30
l.gtld-servers.net. 172800 IN AAAA 2001:500:d937::30
k.gtld-servers.net. 172800 IN A 192.52.178.30
k.gtld-servers.net. 172800 IN AAAA 2001:503:d2d::30
c.gtld-servers.net. 172800 IN A 192.26.92.30
c.gtld-servers.net. 172800 IN AAAA 2001:503:83eb::30
d.gtld-servers.net. 172800 IN A 192.31.80.30
d.gtld-servers.net. 172800 IN AAAA 2001:500:856e::30

;; Query time: 66 msec
;; SERVER: 192.168.10.254#53(192.168.10.254)
;; WHEN: Wed Oct 18 05:23:44 UTC 2023
;; MSG SIZE rcvd: 841
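The dig output above has a recognisable signature: the flags line shows qr and rd but no ra, ANSWER is 0 and AUTHORITY is non-zero. As an added check, not part of the article or any Fortinet tooling, the following Python parses the 12-byte DNS header (RFC 1035) and classifies a response as a real answer or a referral, which is a quick way to confirm that a configured upstream actually performs recursion. The sample messages are constructed headers only (no question or resource record sections), sized to match the counts in the dig output.

```python
"""Classify a DNS response as an answer or a bare referral from its header.

Added example, not Fortinet code. Only the fixed 12-byte header is parsed,
which is enough to spot the symptom in the article's dig output: RA clear,
ANSWER 0, AUTHORITY non-zero, i.e. an iterative server handing back NS
records instead of resolving the name.
"""
import struct

# Header flag bits (RFC 1035 section 4.1.1).
QR = 0x8000  # response (1) or query (0)
RD = 0x0100  # recursion desired
RA = 0x0080  # recursion available


def parse_header(msg):
    """Return the header fields of a DNS message as a dict."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {
        "id": ident,
        "qr": bool(flags & QR),
        "rd": bool(flags & RD),
        "ra": bool(flags & RA),
        "rcode": flags & 0x000F,
        "qdcount": qd,
        "ancount": an,
        "nscount": ns,
        "arcount": ar,
    }


def classify(msg):
    """Return "query", "answer", "referral" or "empty" for a DNS message."""
    h = parse_header(msg)
    if not h["qr"]:
        return "query"
    if h["ancount"] > 0:
        return "answer"
    if not h["ra"] and h["nscount"] > 0:
        # Recursion not offered and only NS records returned: the server is
        # delegating, which a proxy that does no recursion cannot follow.
        return "referral"
    return "empty"


def build_header(ident, flags, qd=1, an=0, ns=0, ar=0):
    """Constructed header bytes for testing; real messages carry sections after it."""
    return struct.pack("!6H", ident, flags, qd, an, ns, ar)


# Constructed sample mirroring the dig output: id 38219, flags "qr rd" (no ra),
# QUERY 1, ANSWER 0, AUTHORITY 13, ADDITIONAL 27.
ROOT_REFERRAL = build_header(38219, QR | RD, an=0, ns=13, ar=27)

# Constructed sample of what a recursive resolver would return: "qr rd ra", ANSWER 1.
RECURSIVE_ANSWER = build_header(38219, QR | RD | RA, an=1)


if __name__ == "__main__":
    for label, sample in (("root referral", ROOT_REFERRAL), ("recursive answer", RECURSIVE_ANSWER)):
        print(f"{label:17}: {classify(sample)}  {parse_header(sample)}")
```

In practice the bytes would come from a socket that sent the query to the candidate upstream; a "referral" result for a name the server is not authoritative for means that server belongs in an iterative chain, not in system.dns.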