Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiProxy 7.6.0 Administration Guide
    7.6.0
    7.6.0
    7.4.6
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.12
    7.2.11
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.0
    7.0.19
    7.0.17
    7.0.0
    2.0.0
    1.2.0
    1.1.0
    1.0.0

    Transparent conditional DNS forwarder NEW

    Transparent conditional DNS forwarder NEW

    The transparent conditional DNS forwarder allows the FortiProxy to intercept and reroute DNS queries for specific domains to a specific DNS server. For example, when a client’s DNS is located in a distant location, in order to resolve destination addresses (such as SaaS applications) to the closest application server, the FortiProxy can intercept and reroute the requests to a local DNS to resolve.

    This is done by parsing entries and creating a list of filters based on the domain names of zones. When a DNS request matches one of these filters, the DNS proxy will retrieve the zone's data. The DNS request will then be handled based on the zone's forwarder settings and whether a local answer is available. It may be forwarded to the original destination address, the forwarder address, or not forwarded at all if a local answer is available.

    This provides greater control over DNS requests, especially when the administrator is not managing the DNS server configuration of the client devices. This can improve network efficiency and performance by resolving IPs local to the client's PCs rather than IPs local to the central DNS server.

    Example

    In this example, FortiProxies at various locations are connected to a central site by VPN tunnels where the corporate DNS server is located. Typically, DNS queries from different sites are sent to the central DNS server and resolved to an IP local to the central site, which might cause latency and performance issues for certain destinations, such as SaaS applications.

    The Local Site FortiProxy is configured with the Microsoft domain and a local DNS entry. Traffic matching the Microsoft domain is either forwarded to the local DNS server or resolved by the FortiProxy, which resolves it to an IP local to the Local Site, thus improving performance.

    This example assumes the following have been configured:

    • A successfully operational site-to-site VPN between the Local Site and the Central Site FortiProxies.

    • Appropriate routing and network interfaces.

    • The client PCs are configured to use the Central DNS Server.

    By default, DNS server options are not available in the GUI.
    To enable DNS server options in the GUI:

    1. Go to System > Feature Visibility.

    2. In the Additional Features section, enable DNS Database.

    3. Click Apply.

    To configure the DNS zone and local DNS entries on the Local Site FortiProxy in the GUI:

    1. Go to Network > DNS Service.

    2. In the DNS Database table, click Create New.

    3. Enter a DNS Zone name (SaaS_applications).

    4. Enter a Domain Name (microsoft.com).

    5. Disable the Authoritative setting.

    6. In the DNS Forwarder field, click the + and enter the DNS Forwarder address (172.16.200.3).

    7. Configure the DNS entry:

      1. In the DNS Entries table, click Create New.

      2. Set the Type to Address (A).

      3. Enter a Hostname (office).

      4. Configure the remaining settings as needed. The options vary depending on the selected Type.

      5. Click OK.

      6. Optionally, add more DNS entries if needed.

    8. In the CLI, configure the source IP:

      config system dns-database
					edit "SaaS_applications"
					set source-ip 13.13.13.2
					next
				end

      If the DNS server is accessed over a VPN, it may be necessary to specify a source IP for the FortiProxy to reach the DNS server.

      Site-to-site VPN is not a mandatory requirement for this feature to work and is only applicable to this example.
    To configure the DNS zone and local DNS entries on the Local Site FortiProxy in the CLI:
    config system dns-database
			edit "SaaS_applications"
			set domain "microsoft.com"
			set authoritative disable
			set forwarder "172.16.200.3" 
			set source-ip 13.13.13.2
			config dns-entry
			edit 1
			set hostname "office"
			set ip 172.16.200.55
			next
			end
			next
			end
    To add the DNS database to a DNS filter profile:
    config dnsfilter profile
			edit "SaaS"
			set transparent-dns-database "SaaS_applications"
			next
			end

    Multiple DNS databases can be selected for transparent-dns-database.

    After selecting a DNS database, users are not permitted to modify the domain name of the zone. Before making any changes to the domain name, remove the reference from the dnsfilter profile.
    To apply the DNS filter profile in a firewall policy in the GUI:

    1. Go to Policy & Objects > Policy and edit the outbound policy towards the IPsec VPN tunnel.

    2. In the Security Profiles section, enable DNS Filter and select the profile created in the previous procedure (SaaS).

    3. In the Logging Options section, enable Log Allowed Traffic.

    4. Configure the remaining settings as needed.

    5. Click OK.

    To apply the DNS filter profile to the outbound policy towards the IPsec VPN tunnel in the CLI:
    config firewall policy
			edit 1
			set name "outbound_VPN"
			...
			set dnsfilter-profile "SaaS"
			set logtraffic enable
			...
			next
		end
    To verify the configuration:

    From one of the Windows client desktops, use the nslookup command to send various DNS queries.

    1. Send a DNS query for a DNS entry configured locally on the Local Site FortiProxy:

      C:\Users\demo>nslookup office.microsoft.com
					Server:  Unknown
					Address:  192.168.16.254
					Non-authoritative answer:
					Name:     osiprod-wus-pineapple-100.westus.cloudapp.azure.com 
				Address:  172.16.200.55

      The query is resolved to the IP address configured on the Local Site FortiProxy.

    2. Send a DNS query for the domain configured on the Local Site FortiProxy:

      C:\Users\demo>nslookup teams.microsoft.com
					Server:  Unknown
					Address:  192.168.16.254
					Non-authoritative answer:
					Name:     s-0005.s-msedge.net
					Address:  172.16.200.254

      The query is resolved by the local DNS server.

    3. Send a DNS query for a domain that is not configured on the Local Site FortiProxy:

      C:\Users\demo>nslookup facebook.com
					Server:  Unknown
					Address:  192.168.16.254
					Non-authoritative answer:
					Name:    facebook.com
					Addresses:  157.240.249.35

      The query is resolved by the central DNS server.

    IPv6 support for conditional DNS forwarder

    The configuration for IPv6 is similar to an IPv4 conditional DNS forwarder. When configuring the DNS forwarder address, the IPv6 address must be specified.

    To configure a DNS forwarder:
    config system dns-database
			edit <name>
			set source-ip6 <IPv6_address>
			set forwarder6 <IPv6_address>
			next
		end

    If the DNS server is accessed over a VPN, it may be necessary to specify a source IP for the FortiProxy to reach the DNS server.
    Previous
    Next

    Transparent conditional DNS forwarder NEW

    Transparent conditional DNS forwarder NEW

    The transparent conditional DNS forwarder allows the FortiProxy to intercept and reroute DNS queries for specific domains to a specific DNS server. For example, when a client’s DNS is located in a distant location, in order to resolve destination addresses (such as SaaS applications) to the closest application server, the FortiProxy can intercept and reroute the requests to a local DNS to resolve.

    This is done by parsing entries and creating a list of filters based on the domain names of zones. When a DNS request matches one of these filters, the DNS proxy will retrieve the zone's data. The DNS request will then be handled based on the zone's forwarder settings and whether a local answer is available. It may be forwarded to the original destination address, the forwarder address, or not forwarded at all if a local answer is available.

    This provides greater control over DNS requests, especially when the administrator is not managing the DNS server configuration of the client devices. This can improve network efficiency and performance by resolving IPs local to the client's PCs rather than IPs local to the central DNS server.

    Example

    In this example, FortiProxies at various locations are connected to a central site by VPN tunnels where the corporate DNS server is located. Typically, DNS queries from different sites are sent to the central DNS server and resolved to an IP local to the central site, which might cause latency and performance issues for certain destinations, such as SaaS applications.

    The Local Site FortiProxy is configured with the Microsoft domain and a local DNS entry. Traffic matching the Microsoft domain is either forwarded to the local DNS server or resolved by the FortiProxy, which resolves it to an IP local to the Local Site, thus improving performance.

    This example assumes the following have been configured:

    • A successfully operational site-to-site VPN between the Local Site and the Central Site FortiProxies.

    • Appropriate routing and network interfaces.

    • The client PCs are configured to use the Central DNS Server.

    By default, DNS server options are not available in the GUI.
    To enable DNS server options in the GUI:

    1. Go to System > Feature Visibility.

    2. In the Additional Features section, enable DNS Database.

    3. Click Apply.

    To configure the DNS zone and local DNS entries on the Local Site FortiProxy in the GUI:

    1. Go to Network > DNS Service.

    2. In the DNS Database table, click Create New.

    3. Enter a DNS Zone name (SaaS_applications).

    4. Enter a Domain Name (microsoft.com).

    5. Disable the Authoritative setting.

    6. In the DNS Forwarder field, click the + and enter the DNS Forwarder address (172.16.200.3).

    7. Configure the DNS entry:

      1. In the DNS Entries table, click Create New.

      2. Set the Type to Address (A).

      3. Enter a Hostname (office).

      4. Configure the remaining settings as needed. The options vary depending on the selected Type.

      5. Click OK.

      6. Optionally, add more DNS entries if needed.

    8. In the CLI, configure the source IP:

      config system dns-database
					edit "SaaS_applications"
					set source-ip 13.13.13.2
					next
				end

      If the DNS server is accessed over a VPN, it may be necessary to specify a source IP for the FortiProxy to reach the DNS server.

      Site-to-site VPN is not a mandatory requirement for this feature to work and is only applicable to this example.
    To configure the DNS zone and local DNS entries on the Local Site FortiProxy in the CLI:
    config system dns-database
			edit "SaaS_applications"
			set domain "microsoft.com"
			set authoritative disable
			set forwarder "172.16.200.3" 
			set source-ip 13.13.13.2
			config dns-entry
			edit 1
			set hostname "office"
			set ip 172.16.200.55
			next
			end
			next
			end
    To add the DNS database to a DNS filter profile:
    config dnsfilter profile
			edit "SaaS"
			set transparent-dns-database "SaaS_applications"
			next
			end

    Multiple DNS databases can be selected for transparent-dns-database.

    After selecting a DNS database, users are not permitted to modify the domain name of the zone. Before making any changes to the domain name, remove the reference from the dnsfilter profile.
    To apply the DNS filter profile in a firewall policy in the GUI:

    1. Go to Policy & Objects > Policy and edit the outbound policy towards the IPsec VPN tunnel.

    2. In the Security Profiles section, enable DNS Filter and select the profile created in the previous procedure (SaaS).

    3. In the Logging Options section, enable Log Allowed Traffic.

    4. Configure the remaining settings as needed.

    5. Click OK.

    To apply the DNS filter profile to the outbound policy towards the IPsec VPN tunnel in the CLI:
    config firewall policy
			edit 1
			set name "outbound_VPN"
			...
			set dnsfilter-profile "SaaS"
			set logtraffic enable
			...
			next
		end
    To verify the configuration:

    From one of the Windows client desktops, use the nslookup command to send various DNS queries.

    1. Send a DNS query for a DNS entry configured locally on the Local Site FortiProxy:

      C:\Users\demo>nslookup office.microsoft.com
					Server:  Unknown
					Address:  192.168.16.254
					Non-authoritative answer:
					Name:     osiprod-wus-pineapple-100.westus.cloudapp.azure.com 
				Address:  172.16.200.55

      The query is resolved to the IP address configured on the Local Site FortiProxy.

    2. Send a DNS query for the domain configured on the Local Site FortiProxy:

      C:\Users\demo>nslookup teams.microsoft.com
					Server:  Unknown
					Address:  192.168.16.254
					Non-authoritative answer:
					Name:     s-0005.s-msedge.net
					Address:  172.16.200.254

      The query is resolved by the local DNS server.

    3. Send a DNS query for a domain that is not configured on the Local Site FortiProxy:

      C:\Users\demo>nslookup facebook.com
					Server:  Unknown
					Address:  192.168.16.254
					Non-authoritative answer:
					Name:    facebook.com
					Addresses:  157.240.249.35

      The query is resolved by the central DNS server.

    IPv6 support for conditional DNS forwarder

    The configuration for IPv6 is similar to an IPv4 conditional DNS forwarder. When configuring the DNS forwarder address, the IPv6 address must be specified.

    To configure a DNS forwarder:
    config system dns-database
			edit <name>
			set source-ip6 <IPv6_address>
			set forwarder6 <IPv6_address>
			next
		end

    If the DNS server is accessed over a VPN, it may be necessary to specify a source IP for the FortiProxy to reach the DNS server.
    Previous
    Next