Split DNS Rules
FortiSASE agent-based users often must resolve internal hostnames that public DNS servers cannot resolve in scenarios including but not limited to:
-
When users are located within the organization’s local network, also known as being on-net, and users must use an internal DNS server instead of a public DNS server.
-
When users are located remotely, FortiSASE Private Access has been configured with Secure Private Access (SPA) hubs, and users must use an internal DNS server behind the SPA hub.
To support these scenarios,FortiSASE DNS settings can be configured for split DNS using Split DNS Rules.
Split DNS works as follows:
-
Selectively use an internal DNS server only when it is necessary to resolve hostnames for the specified internal domain(s).
-
Resolve all other hostnames for external domains using the implicit DNS rule.
Split DNS is more efficient than sending all DNS requests to internal DNS servers because it reduces any potential latency and downtime with using internal DNS servers for resolving public hostnames if any issues arise with these limited availability and limited resource internal DNS server deployments. For resolving hostnames for external domains, split DNS leverages the redundancy, extensive resources, and geographical coverage of public DNS servers with anycast capabilities.
For the scenario with on-net users who must use an internal DNS server to resolve hostnames for the internal domain, configuring split DNS using an internal DNS server with a private IP address and without an SPA hub configured in FortiSASE yields inconsistent results. When an SPA hub is not configured in FortiSASE, ensure that split DNS is configured using an internal DNS server with a public IP address. Split DNS supports using an internal DNS server with a private IP address only when an SPA hub is configured in FortiSASE. |
To secure DNS requests, the DNS-over-HTTPS (DoH) protocol secures DNS requests and replies sent and received over HTTPS and works with public DNS servers that support this protocol. DoH is enabled by default on modern web browsers including Chrome, Edge, and Firefox and is supported by Google’s public DNS servers, which is the default for upgraded FortiSASE deployments. Therefore, for split DNS rules to work with DNS servers that support DoH, SSL deep inspection must be enabled for agent-based remote users on FortiSASE.
Prerequisites
SSL Deep Inspection
Split DNS requires SSL deep inspection to be enabled on FortiSASE so that FortiSASE can intercept the DNS traffic.
-
To confirm SSL deep inspection is enabled, go to Configuration > Security and under the SSL Inspection widget ensure Deep Inspection is displayed.
-
To enable SSL deep inspection, go to Configuration > Security and in the SSL Inspection widget click on Customize. In the SSL Inspection pane, select Deep Inspection and click OK.
See Certificate and deep inspection modes for further details on deep inspection.
Access to Internal DNS Server
Ensure that your FortiSASE remote users have access to the internal DNS server.
For the scenario with on-net users who must use an internal DNS server to resolve hostnames for the internal domain, configuring split DNS using an internal DNS server with a private IP address and without an SPA hub configured in FortiSASE yields inconsistent results. When an SPA hub is not configured in FortiSASE, ensure that split DNS is configured using an internal DNS server with a public IP address. Split DNS supports using an internal DNS server with a private IP address only when an SPA hub is configured in FortiSASE. |
Configuring Split DNS Rules
To configure Split DNS Rules:
-
Go to Configuration > DNS.
-
Click Create.
-
In the Create DNS Rule pane, enter the Primary DNS Server, (optional) Secondary DNS Server, and one or more Domains. Click + to add more fields to enter in additional domains. Click OK.
-
Observe that the split DNS rule has been created and is displayed in the table.
If you are using split DNS to resolve local domains using an internal DNS server with an SPA hub configured, then the Web Filter or DNS Filter blocks access to these local domains from FortiClient remote users if the Newly Observed Domain category is set to Block in the respective security component. In this case, you must create URL Filter entries for the Web Filter or Domain Filter entries for the DNS Filter to allow access to these local domains. |
If you are using split DNS to resolve local domains using an internal DNS server with an SPA hub configured, to ensure access to the internal DNS server from FortiClient remote users you must have a Private Access policy configured that allows DNS requests to that specific server. |