Configuring DNS Servers On A FortiGate To Split DNS Traffic Out

FortiGate Split DNS

Use Case: A client has multiple branches spread out geographically. These locations rely on a central domain controller at headquarters for Active Directory resources, but they also need to use Google's public DNS servers locally so that content delivery networks and similar services resolve to nearby endpoints. Every branch connects to a headquarters location on the other side of the country (or otherwise a long distance from the branch). The local branch does not want its users to traverse the country for services that are available locally.
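As an added example that is not part of the original post or the video, the FortiOS 6.2 CLI below lays out the split the use case describes: public resolvers for general traffic, a local copy of the Active Directory zone served to branch clients, and the DNS service enabled only on the LAN interface. The domain name, addresses and interface name are placeholders; the slave/shadow zone type matches what the post's comments say the video uses.

```text
# Added example, not the post's configuration. Placeholders:
#   corp.example  -> your Active Directory domain
#   10.10.10.5    -> the headquarters domain controller (zone master)
#   port2         -> the branch LAN interface

# 1. Public resolvers for everything that is not in a local zone.
config system dns
    set primary 8.8.8.8
    set secondary 8.8.4.4
end

# 2. Local copy of the AD zone, pulled from the DC by zone transfer (AXFR)
#    and served only to the internal side ("shadow" view), never publicly.
config system dns-database
    edit "corp-ad"
        set status enable
        set domain "corp.example"
        set type slave
        set view shadow
        set ip-master 10.10.10.5
    next
end

# 3. Offer DNS service only on the LAN interface. "recursive" answers from
#    the local zone first and forwards everything else to the system DNS.
config system dns-server
    edit "port2"
        set mode recursive
    next
end
```

Because the zone is of type slave, the domain controller has to permit zone transfers to the FortiGate's address; if it does not, the local zone stays empty and lookups for the AD domain fall through to the public resolvers, which is the failure to check for first. From a branch client, a lookup of an internal host against the FortiGate's LAN address followed by a lookup of a public name shows whether each path is taken. Leaving the WAN interface out of `config system dns-server` keeps the unit from acting as an open resolver.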


This entry was posted in FortiGate, Fortinet GURU, FortinetGURU Videos, FortiOS 6.2.

About Mike

Michael Pruett, CISSP, has a wide range of cyber-security and network engineering expertise. A major pet peeve of Michael's is the plethora of vendors that resell hardware but have zero engineering knowledge, resulting in the wrong hardware or configuration being deployed. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. He owns PacketLlama.Com (Fortinet hardware sales) and Office Of The CISO, LLC (cybersecurity consulting firm).

5 thoughts on “Configuring DNS Servers On A FortiGate To Split DNS Traffic Out”

  1. Drew Robertson

    I am working on using DNS with FortiGate 6.0.6. I will be upgrading to 6.2.4 next month.

    A few questions regarding DNS:

    Why do you use Google DNS servers vs. FortiGuard? Don’t you give up some features in using Google?

    In your posting, “DNS – FortiOS 6.2”, you used a Master/Shadow database, but in this video you use Slave/Shadow. The application (splitting internal/external DNS requests) appears to be the same in both requirements. Which config is best?

    Lastly, I have seen local domains appear as “Newly Observed Domain”, Category 90. So if using a policy, they will be blocked/redirected. So I created static domain filters to get around it. However, I would expect any “split” DNS requests to bypass the policy. ARG! Even more annoying, I find domain names to be case sensitive. For example, company.local, Company.local, COMPANY.LOCAL, etc. So my static internal domain list is growing. Have you seen this? Do you know of a way to remove case sensitivity, etc.? Seems absolutely stupid to have case sensitivity with DNS.

    Reply
  2. albert deguiñ

    Hi sir, I have a question: what is the importance of the primary DNS server 8.8.8.8? How is it used?

    Reply
  3. Joel Snyder

    Hi, this is completely wrong. You’re configuring the DNS server to be a slave, which requires a zone transfer. That’s not a caching forwarder, and that’s a particular flavor of split DNS but not what you described at the beginning. If the upstream DNS is not allowing zone transfers, this doesn’t work. And it’s a very different kind of scenario than what you described.

    Reply
  4. Jorge Robles

    In iptables I can capture the DNS requests and redirect them, without the user's knowledge, to the internal DNS servers. How can I achieve that in FG?

    Reply
