It is possible to set up your FortiGate device so that requests for specific domains are forwarded to a Windows DNS server. Below are the steps needed to get this working.
On the Windows Master DNS Server
- Open DNS Manager and open the zone needed
- Find the Start of Authority (SOA) record
- Properties > Zone Transfers
- Allow Zone Transfers > To Any Server (you can also specify the server)
- Open ‘Notify’ and add in the Slave DNS IP address (the IP your FortiGate will be seen as to the Master DNS)
On the FortiGate Slave
Enable the DNS Database feature (System > Config > Features)
Go to System > Network > DNS Servers and Create a new DNS Database.
- Type: Slave
- View: Shadow
- DNS Zone: <dns_zone>
- Domain Name: <dns_zone.local>
- IP of Master: <IP of Master DNS>
- Authoritative: Enable/Disable
You will then need to add an SRV record, and also specify the source IP address if your Master DNS is reached over a VPN:
- Connect to FortiGate CLI
- Add SRV record
    config system dns-database
        edit "<dns_zone>"
            set forwarder "<IP of Master DNS>"
        next
    end
- Specify source IP
    config system dns-database
        edit "<dns_zone>"
            set source-ip "<IP of FortiGate>"
        next
    end
Add the DNS service to the Interface
- Go to System > Network > DNS Servers and Create a new DNS Service.
- Interface: <Interface users will connect to>
- Mode: Recursive
Testing
You can test that the new DNS service works by running a ping from the FortiGate CLI:
execute ping-options source <interface IP address>
execute ping <FQDN of a server in the new DNS zone>
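A ping only proves that one name resolves. A more useful check for a slave zone is to confirm that the FortiGate actually received the zone transfer and is serving the same SOA serial as the Windows master. The script below is an added example, not part of the original post or any Fortinet tool; it assumes `dig` is installed on a host that can reach both servers, and the zone name and IP addresses (192.0.2.10 for the master, 192.0.2.1 for the FortiGate interface) are constructed placeholders to be overridden with environment variables.

```shell
#!/bin/sh
# Added example: verify that the FortiGate slave zone is in sync with the
# Windows master by comparing SOA serials. Not from the original post.
# Assumes `dig` is available. ZONE, MASTER_IP and FORTIGATE_IP below are
# constructed placeholders; override them in the environment.
ZONE="${ZONE:-dns_zone.local}"
MASTER_IP="${MASTER_IP:-192.0.2.10}"
FORTIGATE_IP="${FORTIGATE_IP:-192.0.2.1}"

# Extract the serial number from a `dig +short SOA` answer line.
# Example line: "ns1.dns_zone.local. hostmaster.dns_zone.local. 2024010101 900 600 86400 3600"
# The serial is the third whitespace-separated field.
soa_serial() {
    printf '%s\n' "$1" | awk '{print $3}'
}

# Return 0 when both SOA answer lines carry the same non-empty serial, 1 otherwise.
serials_match() {
    m=$(soa_serial "$1")
    s=$(soa_serial "$2")
    if [ -n "$m" ] && [ "$m" = "$s" ]; then
        return 0
    fi
    return 1
}

# Ask one server for the zone's SOA record; prints the first answer line or nothing.
query_soa() {
    dig +short +time=3 +tries=1 @"$1" "$2" SOA 2>/dev/null | head -n 1
}

# Compare the master's SOA with what the FortiGate serves.
# Exit codes: 0 in sync, 1 serial mismatch, 2 one side did not answer.
check_zone_sync() {
    master=$(query_soa "$MASTER_IP" "$ZONE")
    slave=$(query_soa "$FORTIGATE_IP" "$ZONE")
    if [ -z "$master" ]; then
        echo "no SOA answer from master $MASTER_IP for $ZONE"
        return 2
    fi
    if [ -z "$slave" ]; then
        echo "no SOA answer from FortiGate $FORTIGATE_IP for $ZONE (zone transfer may not have completed)"
        return 2
    fi
    if serials_match "$master" "$slave"; then
        echo "in sync: serial $(soa_serial "$master")"
        return 0
    fi
    echo "out of sync: master serial $(soa_serial "$master"), FortiGate serial $(soa_serial "$slave")"
    return 1
}

# Run the live check only when invoked as `sh check_zone.sh run`, so the
# functions can also be sourced and tested without network access.
if [ "${1:-}" = "run" ]; then
    check_zone_sync
fi
```

Run it after changing a record on the master (which bumps the SOA serial): once the FortiGate has picked up the transfer the serials match again. A persistent "no SOA answer from FortiGate" points back at the DNS Database entry or the missing source-ip over VPN; a persistent mismatch points at the Notify and zone-transfer settings on the Windows side.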
Potential Issues
The interface your users connect to may be set to use “Same as System DNS”. If you use external DNS servers, this means your users will not benefit from the changes just made.
To fix this, change the interface settings to “Same as Interface IP”. Users will then receive the interface IP as their DNS server and will benefit from all DNS Database changes made on the FortiGate.