FortiGate as DNS Server or DNS Proxy
Problem
Especially in small networks, sometimes you do not have a dedicated DNS server available. For this purpose, the FortiGate can be used as DNS server.
For larger installations, all DNS queries should be proxied for security reasons. The FortiGate can also help here.
Solution
Detailed documentation of the DNS server functionality is available in the official documentation: Fortinet Doc
In this post I would like to present the most important functions and configuration options of the DNS feature in a compact form.
DNS-Server
In the following example the FortiGate acts as DNS server:
Enable DNS Feature
Enable the DNS Feature in the GUI:
CLI command:
config system settings
    set gui-dns-database enable
end
Configure DNS Server
Enable the DNS Feature on the interface on which DNS requests should be answered:
- Select Network
- Select DNS Servers
- Select the listen Interface
- Select the DNS Server Mode (see explanation below)
The same on the CLI:
config system dns-server
    edit DMZ2
        set mode recursive
        set dnsfilter-profile "dns-dmz2"
    next
end
- DMZ2: the listening interface
- mode: the DNS server mode (see explanation below)
- dnsfilter-profile: optionally, a DNS filter profile that is defined under Security Profiles
DNS Server Modes
Recursive
The FortiGate DNS server responds to DNS requests and checks all shadow zones; if the request cannot be resolved internally, it is forwarded to the system DNS servers.
Non-recursive
The FortiGate DNS server responds to DNS requests and checks all internal zones. If the request cannot be resolved internally, the request will NOT be forwarded!
In short: only internal DNS zones will be resolvable.
Forward to System DNS
The request is forwarded directly to the system DNS servers.
DNS-Database
After the interface configuration is defined, we need the internal DNS entries.
config system dns-database
    edit "internal.int"
        set domain "internal.int"
        set type master
        set view public
        set ttl 86400
        set source-ip 0.0.0.0
        config dns-entry
            edit 1
                set type A
                set hostname "server"
                set ip 172.16.51.12
            next
        end
    next
end
- internal.int: the zone name
- domain: the domain name of the zone
- view: the view mode (see below)
- dns-entry: the DNS entries of the zone
- ttl: time to live for the DNS entries
- source-ip: the source IP address from which DNS requests are answered
Zone types
master
The FortiGate holds the master zone and you can edit entries directly on the FortiGate.
slave
The DNS entries are imported from the master. Define the master with the CLI option ip-master.
Database view option
A DNS zone can have the following view settings:
public
Zone is available for external clients.
shadow
Zone is only available for directly attached clients.
DNS Proxy
Security Profile and Firewall Policy
The first option is to create a DNS filter profile and attach it to a firewall policy. All DNS requests passing through that firewall policy are then processed according to the DNS filter profile.
"Real" DNS-Proxy
In this scenario, the FortiGate is entered as the only "Forwarder" on the internal DNS server. On the FortiGate, the DNS server on the corresponding interface is configured in "Forward to System DNS" or "Recursive" mode. Optionally, a DNS filter profile can be configured on the interface. This way, all queries from the internal network are sent to the FortiGate, and only the FortiGate performs DNS queries to the Internet. This allows the security team to ensure that only trusted DNS servers are used.
It is recommended to create a deny policy for all other outgoing DNS queries from the internal network, so that clients cannot bypass the FortiGate as resolver.
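As an added example (not part of the original post or of any Fortinet tooling), the following Python script parses the config/edit/set/next/end blocks shown in the DNS-Server and DNS-Database sections, as they appear in a FortiGate configuration backup, and reports the two things this post's proxy recommendation depends on: a listener that forwards to the system DNS without a DNS filter profile, and a zone whose view is public. The sample config, the default values it assumes for mode and view, and the function names are constructed for this example.

```python
# Constructed sample, not a real device backup: the two blocks from this post plus a
# second listener without a filter profile, so the audit below has something to flag.
SAMPLE_CONFIG = """\
config system dns-server
    edit "DMZ2"
        set mode recursive
        set dnsfilter-profile "dns-dmz2"
    next
    edit "LAN"
        set mode forward-only
    next
end
config system dns-database
    edit "internal.int"
        set view public
        config dns-entry
            edit 1
                set type A
                set hostname "server"
                set ip 172.16.51.12
            next
        end
    next
end
"""

def parse_fortios(text):
    """Turn nested config/edit/set/next/end blocks into dicts keyed by section and entry."""
    stack = [{}]
    for tok in (line.split() for line in text.splitlines() if line.strip()):
        if tok[0] in ("config", "edit"):  # open a block and descend into it
            name = " ".join(t.strip('"') for t in tok[1:])
            stack.append(stack[-1].setdefault(name, {}))
        elif tok[0] == "set":  # "set key value..." applies to the current block
            stack[-1][tok[1]] = " ".join(t.strip('"') for t in tok[2:])
        elif tok[0] in ("next", "end"):  # close the current block
            stack.pop()
    return stack[0]

def audit_dns(cfg):
    """Findings to review before trusting the FortiGate as resolver or DNS proxy."""
    findings = []
    for iface, lst in cfg.get("system dns-server", {}).items():
        mode = lst.get("mode", "recursive")  # assumption: FortiOS default mode is recursive
        if mode != "non-recursive" and "dnsfilter-profile" not in lst:
            findings.append(f"{iface}: {mode} listener forwards to system DNS without a dnsfilter-profile")
    for zone, z in cfg.get("system dns-database", {}).items():
        if z.get("view", "shadow") == "public":  # assumption: FortiOS default view is shadow
            findings.append(f"{zone}: public view also answers external clients")
    return findings
```

Run it against the text of a `show system dns-server` / `show system dns-database` output or a full backup; on the sample it reports the LAN listener and the public zone.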