FortiGate as DNS Server or DNS Proxy

 Problem

Especially in small networks, sometimes you do not have a dedicated DNS server available. For this purpose, the FortiGate can be used as DNS server.
For larger installations, all DNS queries should be proxied for security reasons. The FortiGate can also help here.

Solution

A detail documentation about the DNS Server functionality is in the offical documentation: Fortinet Doc
In this post I would like to clearly present the most important functions and configuration types of the DNS function.

DNS-Server

In the following example the FortiGate act as DNS Server:

Enable DNS Feature

Enable the DNS Feature in the GUI:

CLI command:
config system settings
    set gui-dns-database enable
end

Configure DNS Server

Enable the DNS Feature on the interface on which DNS requests should be answered:
  1. Select Network
  2. Select DNS Servers
  3. Select the listen Interface
  4. Select the DNS Server Mode (see delecration below)
The same on the CLI:
config system dns-server
    edit DMZ2
        set mode recursive
        set dnsfilter-profile "dns-dmz2"
    next
end
  • DMZ2: listen Interface
  • mode: select the DNS Server mode (see delecration below)
  • dnsfilter-profile: if you would like you can define a dnsfilter-profile, which is defined in the Security Profile

DNS Server Modes

Recursive
The FortiGate DNS Server responde to DNS requests, check all shadow zones, if the request cannot be resolved internally forward the request to the system DNS servers.

Non-recursive
The FortiGate DNS Server responde to DNS requests, check all internal zones. If the reuqest cannot be resolved internally, the reuqest will NOT forwarded!
In short: only internal DNS zones will be resolvable.

Forward to System DNS
The request will be forward directly to the system DNS Servers.

DNS-Database

After we defined the interface configuration, we need internal DNS entries.

To do the same in the CLI:
config system dns-database
    edit "internal.int"
        set domain "internal.int"
        set type master
        set view public
        set ttl 86400
        set source-ip 0.0.0.0
        config dns-entry
            edit 1
                set type A
                set hostname "server"
                set ip 172.16.51.12
            next
        end
    next
end
  • internal.int: Define the Zone Name
  • domain: Define the domain-name
  • view: Set the view mode (see below)
  • dns-entry: define the DNS entries
  • ttl: Time to life setting for DNS entries
  • source-ip: With which source IP address the DNS requests should be answered

Zone types

master
The FortiGates has the master zone and you can edit entries directly on the FortiGate.

slave
The DNS entries will be imported from the master. Define it with the CLI Option ip-master.

Database view option

A DNS-Zone can has the following view settings:

public
Zone is available for external clients.

shadow
Zone is only available for direct attached clients.

DNS Proxy

Security Profile and Firewall Policy

The first option is to create a DNS filter profile and attach it to a firewall policy. In this case, all DNS requests passing through this firewall policy will be processed according to the DNS filter profile.




"Real" DNS-Proxy

In this scenario, the FortiGate unit is entered as "Forwarder" on the internal DNS server (and only the FortiGate unit). On the FortiGate unit, the DNS server is configured in "Forward to System DNS" or "Recusive" on the corresponding interface. Optionally, a DNS filter profile can be configured on the interface. This way, all queries from the internal network are sent to the FortiGate unit and only the FortiGate unit can perform DNS queries to the Internet. This allows the security team to ensure that the FortiGate unit only uses trusted DNS servers.

It is recommended to create a deny policy for all outgoing DNS queries.

Comments

Post a Comment

Popular posts from this blog

FortiGate BGP dual-home with multiple ISP

Image
Problem Design with two ISPs and an RIPE Routed public IP Ranges. How to solve, that the public Range is available over both ISPs but without asymetric Routing and ISP-1 is the primary. Solution FortiGate Basic BGP configuration First start with basic BGP configuration config router bgp set as 65301 set router-id 100.200.100.254 set keepalive-timer 45 set holdtime-timer 120 set bestpath-med-missing-as-worst enable set graceful-restart enable     config redistribution connected          set status enable     end end bestpath-med-missing-as-worst :  The route without MED is automaticly the worst destination. gracefule-restart :  Advertise reboots to neighbors so they don't see the router as offline, wait before declaring them offline, and how long to wait when they reboot before advertising updates. These commands apply to neighbors and are part of the BGP capabilities. This prevents unneeded routing updates. holdtime-timer: How long the router will wait for
Read more

FortiMail - Server Basic Configuration

Image
 Problem Nowhere is it written exactly how FortiMail must be configured in Server Mode to run a secure Basic Mail Server. Here is a summary of most of the settings: Solution System Network Configure your Interfaces Be sure that you have configured an default Gateway Port Forwarding FortiMail are able to forward Traffic from a the internet to the local LAN (DNAT). For more information:  FortiMail Doc FortiGate The FortiGate are able to send SMTP traffic through an WCCP Tunnel to the FortiMail for scanning. See for more information:  FortiDoc Configuration Set the correct Time Zone Configure your Password Policy Change the Admin Ports  to non default ports If you need configure the SNMP settings Mail Settings Set the Hostname  and the Local domain name . Togther there are the FQDN of the FortiMail. Activate the SMTP MA service  (use other ports for mail submiting by clients as mail transfer to other Mail servers.  Relay Host If you run the FortiMail behind another Mailserver which acts a
Read more