Fortinet black logo

Administration Guide

Home FortiGate / FortiOS 7.4.3 Administration Guide
7.4.3
7.4.3
7.4.2
7.4.1
7.4.0
7.2.8
7.2.7
7.2.6
7.2.5
7.2.4
7.2.3
7.2.2
7.2.1
7.2.0
7.0.15
7.0.14
7.0.13
7.0.12
7.0.11
7.0.10
7.0.9
7.0.8
7.0.7
7.0.6
7.0.5
7.0.4
7.0.3
7.0.2
7.0.1
7.0.0
6.4.15
6.4.14
6.4.13
6.4.12
6.4.11
6.4.10
6.4.9
6.4.8
6.4.7
6.4.6
6.4.5
6.4.4
6.4.3
6.4.2
6.4.1
6.4.0

Transparent conditional DNS forwarder

Transparent conditional DNS forwarder

The transparent conditional DNS forwarder allows the FortiGate to intercept and reroute DNS queries for specific domains to a specific DNS server. For example, when a client’s DNS is located in a distant location, in order to resolve destination addresses (such as SaaS applications) to the closest application server, the FortiGate can intercept and reroute the requests to a local DNS to resolve.

This is done by parsing entries and creating a list of filters based on the domain names of zones. When a DNS request matches one of these filters, the DNS proxy will retrieve the zone's data. The DNS request will then be handled based on the zone's forwarder settings and whether a local answer is available. It may be forwarded to the original destination address, the forwarder address, or not forwarded at all if a local answer is available.

This provides greater control over DNS requests, especially when the administrator is not managing the DNS server configuration of the client devices. This can improve network efficiency and performance by resolving IPs local to the client's PCs rather than IPs local to the central DNS server.

Example

In this example, FortiGates at various locations are connected to a central site by VPN tunnels where the corporate DNS server is located. Typically, DNS queries from different sites are sent to the central DNS server and resolved to an IP local to the central site, which might cause latency and performance issues for certain destinations, such as SaaS applications.

The Local Site FortiGate is configured with the Microsoft domain and a local DNS entry. Traffic matching the Microsoft domain is either forwarded to the local DNS server or resolved by the FortiGate, which resolves it to an IP local to the Local Site, thus improving performance.

This example assumes the following have been configured:

  • A successfully operational site-to-site VPN between the Local Site and the Central Site FortiGates (see Site-to-site VPN for more information).

  • Appropriate routing and network interfaces.

  • The client PCs are configured to use the Central DNS Server.

Note

The transparent conditional DNS forwarder feature only works with a proxy-based firewall policy.
Note

By default, DNS server options are not available in the GUI.
To enable DNS server options in the GUI:

  1. Go to System > Feature Visibility.

  2. In the Additional Features section, enable DNS Database.

  3. Click Apply.

To configure the DNS zone and local DNS entries on the Local Site FortiGate in the GUI:

  1. Go to Network > DNS Servers.

  2. In the DNS Database table, click Create New.

  3. Enter a DNS Zone name (SaaS_applications).

  4. Enter a Domain Name (microsoft.com).

  5. Disable the Authoritative setting.

  6. In the DNS Forwarder field, click the + and enter the DNS Forwarder address (172.16.200.3).

  7. Configure the DNS entry:

    1. In the DNS Entries table, click Create New.

    2. Set the Type to Address (A).

    3. Enter a Hostname (office).

    4. Configure the remaining settings as needed. The options vary depending on the selected Type.

    5. Click OK.

    6. Optionally, add more DNS entries if needed.

  8. In the CLI, configure the source IP:

    config system dns-database
    edit "SaaS_applications"
        set source-ip 13.13.13.2
    next
end

    Note

    If the DNS server is accessed over a VPN, it may be necessary to specify a source IP for the FortiGate to reach the DNS server. See How to let the FortiGate access internal DNS through site-to-site IPsec VPN for more information.

    Site-to-site VPN is not a mandatory requirement for this feature to work and is only applicable to this example.
To configure the DNS zone and local DNS entries on the Local Site FortiGate in the CLI:
config system dns-database
    edit "SaaS_applications"
        set domain "microsoft.com"
        set authoritative disable
        set forwarder "172.16.200.3" 
        set source-ip 13.13.13.2
        config dns-entry
            edit 1
                set hostname "office"
                set ip 172.16.200.55
            next
        end
    next
end
To add the DNS database to a DNS filter profile:
config dnsfilter profile
    edit "SaaS"
        set transparent-dns-database "SaaS_applications"
    next
end
Note

Multiple DNS databases can be selected for transparent-dns-database.

After selecting a DNS database, users are not permitted to modify the domain name of the zone. Before making any changes to the domain name, remove the reference from the dnsfilter profile.
To apply the DNS filter profile in a firewall policy in the GUI:

  1. Go to Policy & Objects > Firewall Policy and edit the outbound policy towards the IPsec VPN tunnel.

  2. Set the Inspection Mode to Proxy-based.

  3. In the Security Profiles section, enable DNS Filter and select the profile created in the previous procedure (SaaS).

  4. In the Logging Options section, enable Log Allowed Traffic.

  5. Configure the remaining settings as needed.

  6. Click OK.

To apply the DNS filter profile to the outbound policy towards the IPsec VPN tunnel in the CLI:
config firewall policy
    edit 1
        set name "outbound_VPN"
        ...
        set inspection-mode proxy
        set dnsfilter-profile "SaaS"
        set logtraffic enable
        ...
    next
end
To verify the configuration:

From one of the Windows client desktops, use the nslookup command to send various DNS queries.

  1. Send a DNS query for a DNS entry configured locally on the Local Site FortiGate:

    C:\Users\demo>nslookup office.microsoft.com
Server:  Unknown
Address:  192.168.16.254
Non-authoritative answer:
Name:     osiprod-wus-pineapple-100.westus.cloudapp.azure.com 
Address:  172.16.200.55

    The query is resolved to the IP address configured on the Local Site FortiGate.

  2. Send a DNS query for the domain configured on the Local Site FortiGate:

    C:\Users\demo>nslookup teams.microsoft.com
Server:  Unknown
Address:  192.168.16.254
Non-authoritative answer:
Name:     s-0005.s-msedge.net
Address:  172.16.200.254

    The query is resolved by the local DNS server.

  3. Send a DNS query for a domain that is not configured on the Local Site FortiGate:

    C:\Users\demo>nslookup facebook.com
Server:  Unknown
Address:  192.168.16.254
Non-authoritative answer:
Name:    facebook.com
Addresses:  157.240.249.35

    The query is resolved by the central DNS server.

IPv6 support for conditional DNS forwarder

The configuration for IPv6 is similar to an IPv4 conditional DNS forwarder. When configuring the DNS forwarder address, the IPv6 address must be specified.

To configure a DNS forwarder:
config system dns-database
    edit <name>
        set source-ip6 <IPv6_address>
        set forwarder6 <IPv6_address>
    next
end

Note

If the DNS server is accessed over a VPN, it may be necessary to specify a source IP for the FortiGate to reach the DNS server. See How to let the FortiGate access internal DNS through site-to-site IPsec VPN for more information.
Previous
Next

Transparent conditional DNS forwarder

The transparent conditional DNS forwarder allows the FortiGate to intercept and reroute DNS queries for specific domains to a specific DNS server. For example, when a client’s DNS is located in a distant location, in order to resolve destination addresses (such as SaaS applications) to the closest application server, the FortiGate can intercept and reroute the requests to a local DNS to resolve.

This is done by parsing entries and creating a list of filters based on the domain names of zones. When a DNS request matches one of these filters, the DNS proxy will retrieve the zone's data. The DNS request will then be handled based on the zone's forwarder settings and whether a local answer is available. It may be forwarded to the original destination address, the forwarder address, or not forwarded at all if a local answer is available.

This provides greater control over DNS requests, especially when the administrator is not managing the DNS server configuration of the client devices. This can improve network efficiency and performance by resolving IPs local to the client's PCs rather than IPs local to the central DNS server.

Example

In this example, FortiGates at various locations are connected to a central site by VPN tunnels where the corporate DNS server is located. Typically, DNS queries from different sites are sent to the central DNS server and resolved to an IP local to the central site, which might cause latency and performance issues for certain destinations, such as SaaS applications.

The Local Site FortiGate is configured with the Microsoft domain and a local DNS entry. Traffic matching the Microsoft domain is either forwarded to the local DNS server or resolved by the FortiGate, which resolves it to an IP local to the Local Site, thus improving performance.

This example assumes the following have been configured:

  • A successfully operational site-to-site VPN between the Local Site and the Central Site FortiGates (see Site-to-site VPN for more information).

  • Appropriate routing and network interfaces.

  • The client PCs are configured to use the Central DNS Server.

Note

The transparent conditional DNS forwarder feature only works with a proxy-based firewall policy.
Note

By default, DNS server options are not available in the GUI.
To enable DNS server options in the GUI:

  1. Go to System > Feature Visibility.

  2. In the Additional Features section, enable DNS Database.

  3. Click Apply.

To configure the DNS zone and local DNS entries on the Local Site FortiGate in the GUI:

  1. Go to Network > DNS Servers.

  2. In the DNS Database table, click Create New.

  3. Enter a DNS Zone name (SaaS_applications).

  4. Enter a Domain Name (microsoft.com).

  5. Disable the Authoritative setting.

  6. In the DNS Forwarder field, click the + and enter the DNS Forwarder address (172.16.200.3).

  7. Configure the DNS entry:

    1. In the DNS Entries table, click Create New.

    2. Set the Type to Address (A).

    3. Enter a Hostname (office).

    4. Configure the remaining settings as needed. The options vary depending on the selected Type.

    5. Click OK.

    6. Optionally, add more DNS entries if needed.

  8. In the CLI, configure the source IP:

    config system dns-database
    edit "SaaS_applications"
        set source-ip 13.13.13.2
    next
end

    Note

    If the DNS server is accessed over a VPN, it may be necessary to specify a source IP for the FortiGate to reach the DNS server. See How to let the FortiGate access internal DNS through site-to-site IPsec VPN for more information.

    Site-to-site VPN is not a mandatory requirement for this feature to work and is only applicable to this example.
To configure the DNS zone and local DNS entries on the Local Site FortiGate in the CLI:
config system dns-database
    edit "SaaS_applications"
        set domain "microsoft.com"
        set authoritative disable
        set forwarder "172.16.200.3" 
        set source-ip 13.13.13.2
        config dns-entry
            edit 1
                set hostname "office"
                set ip 172.16.200.55
            next
        end
    next
end
To add the DNS database to a DNS filter profile:
config dnsfilter profile
    edit "SaaS"
        set transparent-dns-database "SaaS_applications"
    next
end
Note

Multiple DNS databases can be selected for transparent-dns-database.

After selecting a DNS database, users are not permitted to modify the domain name of the zone. Before making any changes to the domain name, remove the reference from the dnsfilter profile.
To apply the DNS filter profile in a firewall policy in the GUI:

  1. Go to Policy & Objects > Firewall Policy and edit the outbound policy towards the IPsec VPN tunnel.

  2. Set the Inspection Mode to Proxy-based.

  3. In the Security Profiles section, enable DNS Filter and select the profile created in the previous procedure (SaaS).

  4. In the Logging Options section, enable Log Allowed Traffic.

  5. Configure the remaining settings as needed.

  6. Click OK.

To apply the DNS filter profile to the outbound policy towards the IPsec VPN tunnel in the CLI:
config firewall policy
    edit 1
        set name "outbound_VPN"
        ...
        set inspection-mode proxy
        set dnsfilter-profile "SaaS"
        set logtraffic enable
        ...
    next
end
To verify the configuration:

From one of the Windows client desktops, use the nslookup command to send various DNS queries.

  1. Send a DNS query for a DNS entry configured locally on the Local Site FortiGate:

    C:\Users\demo>nslookup office.microsoft.com
Server:  Unknown
Address:  192.168.16.254
Non-authoritative answer:
Name:     osiprod-wus-pineapple-100.westus.cloudapp.azure.com 
Address:  172.16.200.55

    The query is resolved to the IP address configured on the Local Site FortiGate.

  2. Send a DNS query for the domain configured on the Local Site FortiGate:

    C:\Users\demo>nslookup teams.microsoft.com
Server:  Unknown
Address:  192.168.16.254
Non-authoritative answer:
Name:     s-0005.s-msedge.net
Address:  172.16.200.254

    The query is resolved by the local DNS server.

  3. Send a DNS query for a domain that is not configured on the Local Site FortiGate:

    C:\Users\demo>nslookup facebook.com
Server:  Unknown
Address:  192.168.16.254
Non-authoritative answer:
Name:    facebook.com
Addresses:  157.240.249.35

    The query is resolved by the central DNS server.

IPv6 support for conditional DNS forwarder

The configuration for IPv6 is similar to an IPv4 conditional DNS forwarder. When configuring the DNS forwarder address, the IPv6 address must be specified.

To configure a DNS forwarder:
config system dns-database
    edit <name>
        set source-ip6 <IPv6_address>
        set forwarder6 <IPv6_address>
    next
end

Note

If the DNS server is accessed over a VPN, it may be necessary to specify a source IP for the FortiGate to reach the DNS server. See How to let the FortiGate access internal DNS through site-to-site IPsec VPN for more information.
Previous
Next