FortiGate as Slave DNS with Windows DNS Master

It is possible to set up your FortiGate device so that requests for specific domains are forwarded to a Windows DNS server. Below are the steps needed to get this working.

On the Windows Master DNS Server

  • Open DNS Manager and open the zone needed
  • Find the Start of Authority (SOA) record
  • Properties > Zone Transfers
  • Allow Zone Transfers > To Any Server (you can also specify the server)
  • Open ‘Notify’ and add the Slave DNS IP address (the IP the Master DNS will see your FortiGate as)

On the FortiGate Slave

  • Enable the DNS Database feature (System > Config > Features)
  • Go to System > Network > DNS Servers and Create a new DNS Database.
    • Type: Slave
    • View: Shadow
    • DNS Zone: <dns_zone>
    • Domain Name: <dns_zone.local>
    • IP of Master:
    • Authoritative: Enable/Disable

You will then need to add an SRV record, as well as specify the source IP address if your Master DNS is reached over VPN:

  • Connect to the FortiGate CLI
  • Add the SRV record

    config system dns-database
    edit "<dns_zone>"
    set forwarder "<IP of Master DNS>"
    next
    end

  • Specify the source IP

    config system dns-database
    edit "<dns_zone>"
    set source-ip "<IP of FortiGate>"
    next
    end

Add the DNS service to the Interface

  • Go to System > Network > DNS Servers and Create a new DNS Service.
    • Interface: <Interface users will connect to>
    • Mode: Recursive

Testing

You can test that the new DNS service works by running a ping from the FortiGate CLI, sourced from the interface that carries the DNS service:

execute ping-options source <interface IP address>
execute ping <FQDN of a server in the new DNS zone>
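A ping only proves that a name resolves. The added script below (not from the original post) goes a step further: it compares the SOA serial served by the FortiGate with the one on the Windows master, so a slave that silently stopped receiving Notify/zone transfers shows up, and it confirms the master refuses a full zone transfer from a host that is not the configured slave. It assumes `dig` is installed; the zone name and the two IPs are passed as arguments and are placeholders, not values from the post.

```shell
#!/bin/sh
# Added example, not from the original post: check that the FortiGate slave
# zone is in sync with the Windows master and that the master refuses zone
# transfers from hosts other than the configured slave. Assumes `dig` is
# installed; zone and IPs are passed as arguments (placeholders, not real values).

# Pull the serial (third field) out of a `dig +short <zone> SOA` answer, e.g.
# "ns1.example.local. hostmaster.example.local. 2024010501 900 600 86400 3600"
soa_serial() {
    printf '%s\n' "$1" | awk 'NF >= 7 { print $3; exit }'
}

# Succeed only when both answers carry the same non-empty serial.
serials_match() {
    m=$(soa_serial "$1")
    s=$(soa_serial "$2")
    [ -n "$m" ] && [ "$m" = "$s" ]
}

# Succeed when a `dig <zone> AXFR` attempt was refused (what a host that is
# not an allowed slave should see); fail when zone records came back.
axfr_refused() {
    printf '%s\n' "$1" | grep -q 'Transfer failed'
}

# Live checks against the master and the FortiGate interface IP.
check_zone() {
    zone=$1; master=$2; slave=$3
    master_soa=$(dig +short @"$master" "$zone" SOA)
    slave_soa=$(dig +short @"$slave" "$zone" SOA)
    if serials_match "$master_soa" "$slave_soa"; then
        echo "OK: slave serial $(soa_serial "$slave_soa") matches master"
    else
        echo "WARN: serial mismatch (master=$(soa_serial "$master_soa") slave=$(soa_serial "$slave_soa")); check Notify and zone-transfer settings"
    fi
    # This host is not the slave, so the master should refuse a full transfer.
    if axfr_refused "$(dig @"$master" "$zone" AXFR 2>&1)"; then
        echo "OK: master refuses AXFR from this host"
    else
        echo "WARN: master allowed a zone transfer from this host; restrict 'Allow Zone Transfers' to the slave IP"
    fi
}

if [ "$#" -eq 3 ]; then
    check_zone "$@"
fi
```

Run it from a workstation that is not the slave, e.g. `sh check_zone.sh <dns_zone> <IP of Master DNS> <Interface IP of FortiGate>`; a WARN on the transfer check means the master's "To Any Server" setting should be narrowed to the FortiGate's IP.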

Potential Issues

The interface your users connect to may be set to use “Same as System DNS”. If your system DNS points at external DNS servers, this means your users will not benefit from the changes we have just made.

To fix this, change the interface DNS setting to “Same as Interface IP”. Users will then get the Interface IP as their DNS server, and will benefit from all DNS Database changes we make on the FortiGate.

FortiGate – Change Switch Mode

Out of the box, your FortiGate device will most likely be in Switch mode, which groups the internal interfaces into a single switch. To change to Interface mode, follow the steps below.

Interface mode allows you to control each of the interfaces separately. Before changing modes, make sure none of the interfaces (lan/internal) are referenced by other configuration, such as firewall policies, or the change will be refused.

Enter Interface Mode

config system global
set internal-switch-mode interface
end

Enter Switch Mode

config system global
set internal-switch-mode switch
end