DNS – FortiOS 6.2

DNS

Introduction

DNS (Domain Name System) is used by devices connecting to the Internet to locate websites by mapping a domain name to a website’s IP address. For example, a DNS server maps the domain name www.fortinet.com to the IP address 66.171.121.34.

A FortiGate can serve different roles based on user requirements:

  • A FortiGate can control which DNS servers the network uses.
  • A FortiGate can function as a DNS server.
  • FortiGuard Dynamic Domain Name Service (DDNS) allows a remote administrator to access a FortiGate’s Internet-facing interface using a domain name that remains constant even when its IP address changes.

FortiOS supports DNS configuration for both IPv4 and IPv6 addressing. When a user requests a website, the FortiGate looks to the configured DNS servers to provide the IP address of the website in order to know which server to contact to complete the transaction.

The FortiGate queries the DNS servers whenever it needs to resolve a domain name into an IP address, such as for NTP or web servers defined by their domain names.

FGT_A (dns) # set
*primary                   Primary DNS server IP address.
secondary                  Secondary DNS server IP address.
dns-over-tls               Enable/disable/enforce DNS over TLS.
ssl-certificate            Name of local certificate for SSL connections.
domain                     Search suffix list for hostname lookup.
ip6-primary                Primary DNS server IPv6 address.
ip6-secondary              Secondary DNS server IPv6 address.
timeout                    DNS query timeout interval in seconds (1 - 10).
retry                      Number of times to retry (0 - 5).
dns-cache-limit            Maximum number of records in the DNS cache.
dns-cache-ttl              Duration in seconds that the DNS cache retains information.
cache-notfound-responses   Enable/disable response from the DNS server when a record is not in cache.
source-ip                  IP address used by the DNS server as its source IP.

Important DNS commands

dns-over-tls

FortiGate version 6.2 adds DNS over TLS (DoT) support. DoT is a security protocol for encrypting and wrapping DNS queries and answers via the Transport Layer Security (TLS) protocol.

FGT_A (dns) # set dns-over-tls
disable    Disable DNS over TLS.
enable     Use TLS for DNS queries if TLS is available.
enforce    Use only TLS for DNS queries. Does not fall back to unencrypted DNS queries if TLS is unavailable.
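The three DoT modes differ in what happens when TLS to the upstream is unavailable: enable downgrades to clear-text UDP/53, enforce fails closed. The following is an added Python example (not part of the original guide or of FortiOS) that parses a config system dns block in the form the CLI prints it and flags the weak setting next to the hardened one. The two config blocks are constructed for the example; the assumption that FortiOS omits settings still at their default value from show output, and that dns-over-tls defaults to disable, is marked in the code.

```python
import shlex

# Two constructed FortiOS-style "config system dns" blocks (written for this example,
# not captured from a device). The first uses the weak setting, the second the hardened one.
WEAK_CONFIG = """\
config system dns
    set primary 208.91.112.53
    set secondary 208.91.112.52
    set dns-over-tls enable
end
"""

HARDENED_CONFIG = """\
config system dns
    set primary 208.91.112.53
    set secondary 208.91.112.52
    set dns-over-tls enforce
    set dns-cache-ttl 1800
end
"""

# Assumption: "show" output omits settings that still hold their default value,
# and dns-over-tls defaults to disable, so a missing line means clear-text DNS.
DEFAULTS = {"dns-over-tls": "disable"}


def parse_dns_config(text):
    """Return the 'set' statements of a 'config system dns' block as a dict.

    Multi-value settings (such as the domain search list) are kept as a list;
    single-value settings are kept as a string.
    """
    settings = dict(DEFAULTS)
    inside = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "config system dns":
            inside = True
            continue
        if line == "end":
            inside = False
            continue
        if not inside or not line.startswith("set "):
            continue
        tokens = shlex.split(line)          # handles "quoted values"
        key, values = tokens[1], tokens[2:]
        settings[key] = values[0] if len(values) == 1 else values
    return settings


def lint_dns_settings(settings):
    """Return a list of findings; an empty list means the resolver fails closed
    with respect to transport encryption (dns-over-tls enforce)."""
    findings = []
    mode = settings.get("dns-over-tls", "disable")
    if mode == "disable":
        findings.append("dns-over-tls disable: all system DNS queries leave the FortiGate in clear text")
    elif mode == "enable":
        findings.append("dns-over-tls enable: queries silently fall back to clear-text UDP/53 "
                        "when TLS is unavailable (downgrade); use enforce")
    elif mode != "enforce":
        findings.append(f"dns-over-tls has unexpected value {mode!r}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, lint_dns_settings(parse_dns_config(cfg)) or ["ok"])
```

The trade-off the linter cannot see is availability: with enforce, every configured upstream must actually speak DoT (the dnsproxy dump later on this page shows tls=1 per server when it does), otherwise name resolution on the FortiGate itself stops rather than degrading.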

cache-notfound-responses

When you enable cache-notfound-responses, DNS requests that return NOT FOUND can be stored in the cache. While the setting is enabled, the DNS server is not asked again to resolve a host name that already has a NOT FOUND entry in the cache.

config system dns
    set cache-notfound-responses enable
end

dns-cache-limit

This command enables you to set how many DNS entries are stored in the cache. Entries that remain in the cache provide a quicker response to requests than going out to the Internet to get the same information.

config system dns
    set dns-cache-limit 2
end

dns-cache-ttl

This command enables you to set how long entries remain in the cache.

FGT_A (dns) # set dns-cache-limit
dns-cache-limit    Enter an integer value from <0> to <4294967295> (default = <5000>).

DNS troubleshooting

The FortiGate CLI can collect the following list of DNS debug information.

FGT_A (global) # diagnose test application dnsproxy
worker idx: 0
1. Clear DNS cache
2. Show stats
3. Dump DNS setting
4. Reload FQDN
5. Requery FQDN
6. Dump FQDN
7. Dump DNS cache
8. Dump DNS DB
9. Reload DNS DB
10. Dump secure DNS policy/profile
11. Dump Botnet domain
12. Reload Secure DNS setting
13. Show Hostname cache
14. Clear Hostname cache
15. Show SDNS rating cache
16. Clear SDNS rating cache
17. DNS debug bit mask
99. Restart dnsproxy worker

The example below shows useful information about the ongoing DNS connection.

Important fields include:

  • tls: 1 if the connection is TLS, 0 for a non-TLS connection.
  • rt: round trip time of the DNS latency.
  • probe: the number of probes sent.

FGT_A (global) # diagnose test application dnsproxy 3
worker idx: 0

vdom: root, index=0, is master, vdom dns is disabled, mip-169.254.0.1 dns_log=1 tls=0 cert= dns64 is disabled

vdom: vdom1, index=1, is master, vdom dns is enabled, mip-169.254.0.1 dns_log=1 tls=0 cert= dns64 is disabled

dns-server:208.91.112.220:53 tz=-480 tls=0 req=0 to=0 res=0 rt=0 rating=1 ready=0 timer=37 probe=9 failure=0 last_failed=0

dns-server:8.8.8.8:53 tz=0 tls=0 req=73 to=0 res=73 rt=5 rating=0 ready=1 timer=0 probe=0 failure=0 last_failed=0

dns-server:65.39.139.63:53 tz=0 tls=0 req=39 to=0 res=39 rt=1 rating=0 ready=1 timer=0 probe=0 failure=0 last_failed=0

dns-server:62.209.40.75:53 tz=60 tls=0 req=0 to=0 res=0 rt=0 rating=1 ready=0 timer=37 probe=9 failure=0 last_failed=0

dns-server:209.222.147.38:53 tz=-300 tls=0 req=0 to=0 res=0 rt=0 rating=1 ready=0 timer=37 probe=9 failure=0 last_failed=0

dns-server:173.243.138.221:53 tz=-480 tls=0 req=0 to=0 res=0 rt=0 rating=1 ready=0 timer=37 probe=9 failure=0 last_failed=0

dns-server:45.75.200.89:53 tz=0 tls=0 req=0 to=0 res=0 rt=0 rating=1 ready=0 timer=37 probe=9 failure=0 last_failed=0

DNS_CACHE: hash-size=2048, ttl=1800, min-ttl=60, max-num=-1

DNS FD: udp_s=12 udp_c=17:18 ha_c=22 unix_s=23, unix_nb_s=24, unix_nc_s=25 v6_udp_s=11, v6_udp_c=20:21, snmp=26, redir=13, v6_redir=14

DNS FD: tcp_s=29, tcp_s6=27, redir=31 v6_redir=32

FQDN: hash_size=1024, current_query=1024

DNS_DB: response_buf_sz=131072

LICENSE: expiry=2015-04-08, expired=1, type=2

FDG_SERVER:208.91.112.220:53

FGD_CATEGORY_VERSION:8

SERVER_LDB: gid=eb19, tz=-480, error_allow=0
FGD_REDIR_V4:208.91.112.55
FGD_REDIR_V6:
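The dns-server lines in the dump are the quickest way to confirm what the proxy is really doing, as opposed to what is configured: which upstreams are ready, whether tls is 1 or 0, and whether requests are going unanswered. The following is an added Python example (not from the guide or from Fortinet) that parses those lines and reports the conditions a reviewer would look for. The input is the dns-server and cache lines from the dump above, pasted in as a string; the line format assumed is dns-server:<address>:<port> followed by space-separated key=value counters.

```python
import re

# Sample input: the "dns-server:" and DNS_CACHE lines from the dump above.
DNSPROXY_DUMP = """\
vdom: root, index=0, is master, vdom dns is disabled, mip-169.254.0.1 dns_log=1 tls=0 cert= dns64 is disabled
dns-server:208.91.112.220:53 tz=-480 tls=0 req=0 to=0 res=0 rt=0 rating=1 ready=0 timer=37 probe=9 failure=0 last_failed=0
dns-server:8.8.8.8:53 tz=0 tls=0 req=73 to=0 res=73 rt=5 rating=0 ready=1 timer=0 probe=0 failure=0 last_failed=0
dns-server:65.39.139.63:53 tz=0 tls=0 req=39 to=0 res=39 rt=1 rating=0 ready=1 timer=0 probe=0 failure=0 last_failed=0
dns-server:62.209.40.75:53 tz=60 tls=0 req=0 to=0 res=0 rt=0 rating=1 ready=0 timer=37 probe=9 failure=0 last_failed=0
DNS_CACHE: hash-size=2048, ttl=1800, min-ttl=60, max-num=-1
"""

# dns-server:<address>:<port> followed by space-separated key=value counters
# (assumed format; the greedy address group keeps IPv6 colons intact).
SERVER_RE = re.compile(r"^dns-server:(?P<addr>.+):(?P<port>\d+)\s+(?P<counters>.*)$")


def parse_dns_servers(dump):
    """Parse every dns-server line into a dict of integer counters."""
    servers = []
    for line in dump.splitlines():
        m = SERVER_RE.match(line.strip())
        if not m:
            continue
        entry = {"addr": m.group("addr"), "port": int(m.group("port"))}
        for pair in m.group("counters").split():
            key, _, value = pair.partition("=")
            entry[key] = int(value)
        servers.append(entry)
    return servers


def audit_dns_servers(servers):
    """Return (server, finding) tuples for conditions worth a look:
    - tls=0 with req>0: queries to this upstream actually left in clear text
    - ready=0: the proxy is still probing this upstream and is not using it
    - res<req: some queries got no response (timeouts are counted in 'to')
    """
    findings = []
    for s in servers:
        name = f"{s['addr']}:{s['port']}"
        if s["tls"] == 0 and s["req"] > 0:
            findings.append((name, "clear-text DNS in use (tls=0, req>0)"))
        if s["ready"] == 0:
            findings.append((name, f"not ready: probe={s['probe']} timer={s['timer']}"))
        if s["res"] < s["req"]:
            findings.append((name, f"{s['req'] - s['res']} of {s['req']} queries unanswered (to={s['to']})"))
    return findings


def active_servers(servers):
    """Upstreams the proxy is actually using, fastest (lowest rt) first."""
    return sorted((s for s in servers if s["ready"] == 1), key=lambda s: s["rt"])


if __name__ == "__main__":
    parsed = parse_dns_servers(DNSPROXY_DUMP)
    print("in use:", [f"{s['addr']} rt={s['rt']}" for s in active_servers(parsed)])
    for server, finding in audit_dns_servers(parsed):
        print(f"{server}: {finding}")
```

On the dump above this reports clear-text traffic to 8.8.8.8 and 65.39.139.63 (the only two upstreams with req>0) and two FortiGuard-side servers that are still being probed; together with the tls=0 on every line, that is the evidence that the dns-over-tls setting has not taken effect, whatever the configuration says.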

DNS proxy performance enhancement

For a FortiGate with multiple CPUs, version 6.2 adds a new CLI command to allow the customer to set the DNS process number from 1 to the number of CPUs. The default DNS process number is 1.

config system global
    set dnsproxy-worker-count 4
end

Note: The range of dnsproxy-worker-count is 1 to the number of CPUs that the FortiGate has.

To debug DNS proxy on the worker ID, use the following command. The following example runs test commands on the second dnsproxy worker. If you do not specify worker ID, the default worker ID is 0.

#diagnose test application dnsproxy 7 1

Similarly, the following command enables debug on the second worker.

#diagnose debug application dnsproxy -1 1

For debugging, you can also enable it on all workers by specifying -1 as worker ID.

#diagnose debug application dnsproxy -1 -1

DNS local domain list

End-users who commonly use incomplete URLs without a domain (for example: http://host1) rely on the proxy to locate the domain and resolve the address. If the configured domain is company.com and the URL is http://host1, the DNS feature will send a request for host1.company.com to a DNS server for the IP address. If you have local Microsoft domains on the network, you can enter a domain name in the Local Domain Name field. In situations where all three fields are configured, the FortiGate first looks to the local domain, and if no match is found, sends a request to the external DNS servers.

Whenever a client requests a URL which does not include a fully qualified domain name (FQDN), FortiGate resolves the URL by traversing through the DNS suffix list and doing a DNS query for each entry until the first match.

Sample configuration

To configure a FortiGate’s DNS domain list in the GUI:

  1. By default, FortiGate is configured to use FortiGuard’s DNS servers which are primary (208.91.112.53) and secondary (208.91.112.52).
  2. To configure the DNS server addresses, go to Network > DNS and select Specify, then enter the preferred DNS server addresses.

For example: 172.16.200.1 as the primary DNS server and 172.16.200.2 as the secondary.

  3. FortiGate supports a total of eight local domain lists.

To configure a FortiGate’s DNS domain list in the CLI:

Additional DNS configuration options are available in the CLI using the config system dns command.

New CLI commands added in 6.2 allow users to set up to eight domains. Retry Time and Timeout values can be configured to define how many attempts the FortiGate makes to search a particular domain and when FortiGate gives up on the domain.

FGT_B (dns) # set domain
*domain    DNS search domain list separated by space (maximum 8 domains)

config system dns
    set primary 172.16.200.1
    set domain "sample.com" "example.com" "domainname.com"
end

FG3H1E5818900749 (global) # config system dns

FG3H1E5818900749 (dns) # set
*primary                   Primary DNS server IP address.
secondary                  Secondary DNS server IP address.
domain                     Search suffix list for hostname lookup.
ip6-primary                Primary DNS server IPv6 address.
ip6-secondary              Secondary DNS server IPv6 address.
timeout                    DNS query timeout interval in seconds (1 - 10).
retry                      Number of times to retry (0 - 5).
dns-cache-limit            Maximum number of records in the DNS cache.
dns-cache-ttl              Duration in seconds that the DNS cache retains information.
cache-notfound-responses   Enable/disable response from the DNS server when a record is not in cache.
source-ip                  IP address used by the DNS server as its source IP.

FG3H1E5818900749 (dns) # set timeout
timeout    Enter an integer value from <1> to <10> (default = <5>).

FG3H1E5818900749 (dns) # set retry
retry      Enter an integer value from <0> to <5> (default = <2>).

DNS local domain example

In the example below, the local domain resolves host1 to 1.1.1.1 and host2 to 2.2.2.2. The local DNS server has an entry for host1 mapped to the FQDN of host1.sample.com and a second entry for host2 mapped to the FQDN of host2.example.com.

ping host1

PING host1.sample.com (1.1.1.1): 56 data bytes

ping host2

PING host2.example.com (2.2.2.2): 56 data bytes
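The ping output shows the search-list traversal in action: host1 matches on the first suffix, host2 only on the second. The following is an added Python example (not from the guide or from FortiOS) that models that traversal against a constructed stand-in for the local DNS server, and works out the worst-case wait implied by the timeout and retry values from the CLI help above when no DNS server answers. The records, the rule that a name containing a dot is queried as-is, and the reading of retry as additional attempts after the first are assumptions of the example, not documented FortiOS behaviour.

```python
# Constructed stand-in for the local DNS server's records in the example above
# (FQDN -> IPv4); not a real zone.
LOCAL_RECORDS = {
    "host1.sample.com": "1.1.1.1",
    "host2.example.com": "2.2.2.2",
}

# The search list from the "set domain" example, in configured order.
SEARCH_DOMAINS = ["sample.com", "example.com", "domainname.com"]


def query_a(fqdn, records=LOCAL_RECORDS):
    """Stand-in for one A-record query to the configured DNS server."""
    return records.get(fqdn.rstrip(".").lower())


def resolve_with_search_list(name, search_domains=SEARCH_DOMAINS, records=LOCAL_RECORDS):
    """Resolve a name the way the text describes: an unqualified name is tried
    with each search suffix in order, stopping at the first answer.

    Returns (fqdn_that_answered, ip, names_tried). A name containing a dot is
    treated as already qualified and queried as-is (assumed behaviour).
    """
    name = name.rstrip(".")
    candidates = [name] if "." in name else [f"{name}.{d}" for d in search_domains]
    tried = []
    for fqdn in candidates:
        tried.append(fqdn)
        ip = query_a(fqdn, records)
        if ip is not None:
            return fqdn, ip, tried
    return None, None, tried


def worst_case_wait(num_domains, timeout=5, retry=2):
    """Seconds before a lookup of an unqualified name gives up when no DNS server
    answers: every candidate FQDN is sent (retry + 1) times, each attempt waiting
    'timeout' seconds. Defaults are the CLI defaults shown above (timeout 5,
    retry 2); counting 'retry' as attempts after the first is an assumption."""
    return num_domains * (retry + 1) * timeout


if __name__ == "__main__":
    for host in ("host1", "host2", "host3"):
        print(host, "->", resolve_with_search_list(host))
    print("worst case with 3 suffixes and defaults:", worst_case_wait(3), "s")
```

Two things the model makes visible. First, the list is searched in order, so a record named host2.sample.com on the first-listed domain would answer for host2 before host2.example.com is ever asked; whoever controls an earlier suffix controls every unqualified name. Second, with the defaults and three suffixes an unanswerable unqualified name takes 45 seconds to fail, and eight suffixes with timeout 10 and retry 5 take 480 seconds, which is the delay users see when the configured DNS servers are unreachable.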

Using FortiGate as a DNS server

This topic provides the following sample configurations:

  • About using a DNS server to resolve internal and external requests
  • About using an internal DNS server for internal requests and a public DNS server for external requests

You can also create local DNS servers for your network. Depending on your requirements, you can manually maintain your entries (master DNS server) or use it as a jumping point where the server refers to an outside source (slave DNS server).

In version 6.2, FortiGate as a DNS server also supports TLS connections to a DNS client.

Sample configuration about DNS servers

This section describes how to set up a FortiGate to use a DNS server for resolving internal and external requests.

To configure FortiGate as a DNS server using the GUI:

  1. Ensure the DNS Database feature is visible.
    • Go to System > Feature Visibility and ensure DNS Database is enabled.
  2. Add the DNS entry to the FortiGate DNS server.
    • Go to Network > DNS Servers.
    • Under DNS Database, click Create New.
      • For Type, select Master.
      • For View, select Shadow.

View controls the accessibility of the DNS server. If you select Public, external users can access or use the DNS server. If you select Shadow, only internal users can use it.

      • Enter a DNS Zone, for example, WebServer.
      • Enter the Domain Name of the zone, for example, com.
      • Enter the Hostname of the DNS server, for example, Corporate.
      • Enter the Contact Email Address for the administrator, for example, admin@example.com.
      • Disable Authoritative.
      • Click OK.
    • Under DNS Entries, click Create New.
      • Select the Type, for example, Address (A).
      • Enter the Hostname, for example, example.
      • Specify the remaining fields depending on the Type you select.
      • Click OK.
  3. Enable the DNS service on the interface.
    • Go to Network > DNS Servers.
    • Under DNS Service, click Create New.
      • Select the Interface.
      • For Mode, select Recursive.
      • Click OK.

To configure FortiGate as a DNS server using the CLI:

config system dns-database
    edit "example"
        set domain "fortinet.com"
        config dns-entry
            edit 1
                set hostname "example"
                set ip 2.3.3.4
            next
        end
        set primary-name "Corporate"
        set contact "admin@example.com"
    next
end

To enable the DNS service on the interface (here wan1) so that it answers queries, using the CLI:

config system dns-server
    edit wan1
        set mode recursive
    next
end

Run dig to query the FortiGate DNS server. dig (Domain Information Groper) is a Unix-like network administration command line tool for querying DNS servers.

root@PC05:~# dig @172.16.200.1 example.fortinet.com

; <<>> DiG 9.11.0-P1 <<>> @172.16.200.1 example.fortinet.com

; (1 server found)
;; global options: +cmd
;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51137

;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:

;example.fortinet.com.          IN      A

;; ANSWER SECTION:

example.fortinet.com. 86400 IN        A       2.3.3.4

;; Query time: 0 msec

;; SERVER: 172.16.200.1#53(172.16.200.1)

;; WHEN: Thu Jan 10 10:24:01 PST 2019

;; MSG SIZE rcvd: 54

Sample configuration about internal and public DNS servers

This section describes how to set up a FortiGate to use an internal DNS server for resolving internal requests and a public DNS server for resolving external requests.

To configure FortiGate using the CLI:

  1. Set up a forwarder for the DNS database:

In this example, an IP address of 172.16.100.100 is used to resolve the domain fortinet.com:

config system dns-database
    edit "corp"
        set domain "fortinet.com"
        set authoritative disable
        set forwarder "172.16.100.100"
    next
end

  2. Set up a listening interface:

In this example, you are setting up the listening interface to connect to the host.

FGT_A (dns-server) # show
config system dns-server
    edit "wan1"
    next
end

  3. Set the system DNS to 8.8.8.8 for all other queries:

config system dns
    set primary 8.8.8.8
end

Technical information

The Type of the DNS Database Zone can be one of the following:

  • A Master zone is an editable version of a zone.
  • A Slave zone is a synchronized read-only copy from another DNS server that holds the master zone.

The View of the DNS Database Zone can be one of the following:

  • Public view is usually a general (outside) view of a DNS zone.
  • Shadow views in this context are used to present a different view of a zone to local networks; that is, a shadow view might contain different IPs and names.

The DNS Database Zone can be one of the following categories:

  • An Authoritative zone claims to hold all existing entries concerning this zone. A DNS server holding an authoritative zone serves requests to this zone only from its local zone file, that is, it does not perform additional recursive requests such as matching this zone to other defined DNS servers for zone records which do not exist in this zone file.
  • An Unauthoritative zone serves the records it holds itself from the local zone file and performs recursive request to other defined DNS servers for requests that match the zone but are not listed in the local zone file.

The Mode of the DNS Service can be one of the following:

  • Recursive DNS servers perform DNS lookups to other defined DNS servers for any zone requests they cannot fulfill from local files.
  • Non-recursive DNS servers only serve from local zone files.
  • Forward to system DNS forwards the query to the FortiGate’s configured system DNS.
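The zone category and service mode together decide which queries stay on the FortiGate and which are handed to another server, which is the whole point of the internal/public split configured in the previous section. The following is an added Python example (not from the guide or from FortiOS) that models a DNS Database zone plus a DNS Service and records every query that leaves the box, so the effect of authoritative versus unauthoritative and of recursive versus non-recursive can be checked. The zone and the forwarder and system DNS addresses are the ones from the sample configuration above; the upstream answer tables and the 10.0.0.0/8 and 192.0.2.0/24 addresses are constructed, and treating recursive and forward-only identically (both hand unmatched names to the system DNS) is a simplification of this model.

```python
# Simulated upstream resolvers keyed by server IP (constructed data; 192.0.2.0/24 is
# the RFC 5737 documentation range). 172.16.100.100 and 8.8.8.8 are the forwarder
# and system DNS from the sample configuration above.
UPSTREAMS = {
    "172.16.100.100": {"intranet.fortinet.com": "10.0.0.5"},
    "8.8.8.8": {"www.example.net": "192.0.2.10"},
}


class Zone:
    """One DNS Database entry: a domain, its local records, and what to do for
    names under the domain that the local zone file does not hold."""

    def __init__(self, domain, records, authoritative=True, forwarder=None):
        self.domain = domain.lower()
        self.records = {f"{host}.{self.domain}": ip for host, ip in records.items()}
        self.authoritative = authoritative
        self.forwarder = forwarder

    def covers(self, name):
        return name == self.domain or name.endswith("." + self.domain)


class DnsService:
    """Simplified model of the FortiGate DNS service on one interface.
    mode is 'recursive', 'non-recursive' or 'forward-only'. In this model both
    recursive and forward-only hand unmatched names to the system DNS (a
    simplification); non-recursive answers only from local zones."""

    def __init__(self, zones, mode="recursive", system_dns="8.8.8.8", upstreams=UPSTREAMS):
        self.zones = zones
        self.mode = mode
        self.system_dns = system_dns
        self.upstreams = upstreams
        self.upstream_log = []   # (server, name) for every query that left the box

    def _ask(self, server, name):
        self.upstream_log.append((server, name))
        return self.upstreams.get(server, {}).get(name)

    def query(self, name):
        """Return (ip_or_None, source) where source says who answered."""
        name = name.rstrip(".").lower()
        for zone in self.zones:
            if not zone.covers(name):
                continue
            if name in zone.records:
                return zone.records[name], "local"
            if zone.authoritative:
                # Authoritative: the local zone file is the whole truth, nothing is forwarded.
                return None, "local (NXDOMAIN)"
            target = zone.forwarder or self.system_dns
            return self._ask(target, name), f"upstream {target}"
        if self.mode == "non-recursive":
            return None, "refused (non-recursive)"
        return self._ask(self.system_dns, name), f"upstream {self.system_dns}"


if __name__ == "__main__":
    corp = Zone("fortinet.com", {"example": "2.3.3.4"}, authoritative=False, forwarder="172.16.100.100")
    svc = DnsService([corp])
    for qname in ("example.fortinet.com", "intranet.fortinet.com", "www.example.net"):
        print(qname, "->", svc.query(qname))
    print("left the box:", svc.upstream_log)
```

The upstream_log is the part worth reading: with the unauthoritative corp zone, every internal name not in the local file is sent to 172.16.100.100, and everything else to 8.8.8.8; with an authoritative zone in non-recursive mode nothing leaves at all, which is the setting to pick on an interface that faces untrusted clients if the FortiGate is only meant to serve its own records.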

FortiGuard DDNS

If your ISP changes your external IP address regularly and you have a static domain name, you can configure the external interface to use a dynamic DNS (DDNS) service. This ensures that external users and customers can always connect to your company firewall. If you have a FortiGuard subscription, you can use FortiGuard as the DDNS server.

You can configure FortiGuard as the DDNS server using the GUI or CLI.

Sample topology

Sample configuration

To configure FortiGuard as a DDNS server in the FortiGate using the GUI:

  1. Go to Network > DNS and enable FortiGuard DDNS.
  2. Select the Interface with the dynamic connection.
  3. Specify the other fields.

To configure FortiGuard as a DDNS server in the FortiGate using the CLI:

config system fortiguard
    set ddns-server-ip
    set ddns-server-port
end

If you don’t have a FortiGuard subscription or want to use a different DDNS server, you can configure DDNS in the CLI. You can configure a DDNS for each interface. Only the first configured port appears in the FortiGate GUI. Additional commands vary depending on the DDNS server you select. Use the following CLI commands:

config system ddns
    edit <DDNS_ID>
        set monitor-interface <external_interface>
        set ddns-server <ddns_server_selection>
    next
end

You can configure FortiGate to refresh DDNS IP addresses. FortiGate periodically checks the DDNS server that is configured.

To configure FortiGate to refresh DDNS IP addresses using the CLI:

config system ddns
    edit <1>
        set ddns-server FortiGuardDDNS
        set use-public-ip enable
        set update-interval <seconds>
    next
end

The possible values for update-interval are 60 to 2592000 seconds, and the default is 300 seconds.

When clear-text is disabled, FortiGate uses the SSL connection to send and receive (DDNS) updates.

To disable cleartext and set the SSL certificate using the CLI:

config system ddns
    set clear-text disable
    set ssl-certificate <cert_name>
end

A DHCP server has an override command option that allows DHCP server communications to go through DDNS to perform updates for the DHCP client. This enforces a DDNS update of the AA field every time, even if the DHCP client does not request it. This allows supporting the allow/ignore/deny client-updates options.

To enable DDNS update override using the CLI:

config system dhcp server
    edit <0>
        set ddns-update-override enable
    next
end

 


About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

One thought on “DNS – FortiOS 6.2”

  1. marwan

    Hello Mike,

    Thank you for this good overview. I watch your videos as well. Great content, btw.
    I have a question about this DNS config:
    Our firewalls have FortiGuard configured as DNS servers, but they are not currently reachable. We would like to use internal DNS servers instead. What would be the impact on production of switching to these internal DNS servers?
    Regards,
