DNS translation

Using this feature, you can translate a DNS resolved IP address to another IP address you specify.

For example, website A has the public address 1.2.3.4. However, when users on your internal network visit this website, you want them to connect to an internal host, say 192.168.3.4. In this case, you can use DNS translation to rewrite the DNS-resolved address 1.2.3.4 to 192.168.3.4. The reverse is also possible: if you want public DNS queries for your internal server to return a public IP address, you can translate the DNS-resolved private IP to a public IP address.

Sample configuration

This example configuration makes the DNS Filter profile translate 93.184.216.34 (www.example.com) to 192.168.3.4. When internal network users query DNS for www.example.com, they do not receive the original www.example.com address 93.184.216.34; it is replaced with 192.168.3.4.

To configure DNS translation in the GUI:

  1. Go to Security Profiles > DNS Filter and edit or create a DNS Filter profile.
  2. Enable DNS Translation and click Create New.
  3. Enter the Original Destination (the domain’s original IP address), the Translated Destination IP address, and the Network Mask (in most cases, it’s 255.255.255.255).

To configure DNS translation in the CLI:

    config dnsfilter profile
        edit "demo"
            set comment ''
            …
            config dns-translation
                edit 1
                    set src 93.184.216.34
                    set dst 192.168.3.4
                    set netmask 255.255.255.255
                next
            end
            set redirect-portal 0.0.0.0
            set redirect-portal6 ::
            set youtube-restrict strict
        next
    end

To check the result with a command-line tool before DNS translation is configured:

    # dig www.example.com

    ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 27030
    ;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 2; ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;; www.example.com.                IN  A

    ;; ANSWER SECTION:
    www.example.com.    33946  IN  A   93.184.216.34

    ;; AUTHORITY SECTION:
    example.com.        18578  IN  NS  b.iana-servers.net.
    example.com.        18578  IN  NS  a.iana-servers.net.

    ;; Received 97 B
    ;; Time 2019-04-08 10:47:26 PDT
    ;; From 172.16.95.16@53(UDP) in 0.5 ms

To check the result with a command-line tool after DNS translation is configured:

    # dig www.example.com

    ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 62060
    ;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 2; ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;; www.example.com.                IN  A

    ;; ANSWER SECTION:
    www.example.com.    32491  IN  A   192.168.3.4    <<<==== resolved IP translated into 192.168.3.4

    ;; AUTHORITY SECTION:
    example.com.        17123  IN  NS  b.iana-servers.net.
    example.com.        17123  IN  NS  a.iana-servers.net.

    ;; Received 97 B
    ;; Time 2019-04-08 11:11:41 PDT
    ;; From 172.16.95.16@53(UDP) in 0.5 ms

How the DNS translation network mask works

The following example shows a DNS translation entry with a 255.255.224.0 netmask and the resulting lookup.

    config dns-translation
        edit 1
            set src 93.184.216.34
            set dst 1.2.3.4
            set netmask 255.255.224.0
        next
    end

    # dig www.example.com

    ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 6736
    ;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 2; ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;; www.example.com.                IN  A

    ;; ANSWER SECTION:
    www.example.com.    29322  IN  A   1.2.24.34

    ;; AUTHORITY SECTION:
    example.com.        13954  IN  NS  a.iana-servers.net.
    example.com.        13954  IN  NS  b.iana-servers.net.

    ;; Received 97 B
    ;; Time 2019-04-08 12:04:30 PDT
    ;; From 172.16.95.16@53(UDP) in 2.0 ms

  • Step 1: AND src (the original IP) with the inverted netmask (93.184.216.34 & ~255.255.224.0):

        01011101.10111000.11011000.00100010   93.184.216.34    <- ip
        00000000.00000000.00011111.11111111   ~255.255.224.0   <- ~netmask
        -----------------------------------   &
        00000000.00000000.00011000.00100010   0.0.24.34        <- right-hand (host) bits

  • Step 2: AND dst (the translated IP) with the netmask:

        00000001.00000010.00000011.00000100   1.2.3.4          <- dst
        11111111.11111111.11100000.00000000   255.255.224.0    <- netmask
        -----------------------------------   &
        00000001.00000010.00000000.00000000   1.2.0.0          <- left-hand (network) bits

  • Step 3: bitwise-OR the result of step 1 with the result of step 2:

        00000000.00000000.00011000.00100010   0.0.24.34
        00000001.00000010.00000000.00000000   1.2.0.0
        -----------------------------------   |
        00000001.00000010.00011000.00100010   1.2.24.34
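The following Python reproduces the three steps above so that an administrator can predict what a dns-translation entry will return before rolling it out. It is an added example, not part of the FortiOS guide or of FortiGate itself. The guide works the arithmetic on the configured src, which in its example is the same address as the resolved answer; the function below applies the host-bit step to the resolved answer instead, and it only translates answers that fall inside src/netmask. That match rule, the first-matching-entry behaviour in apply_entries, and the function names are assumptions of this example, not documented FortiOS behaviour.

```python
"""Model of the FortiGate DNS translation netmask arithmetic (added example)."""
import ipaddress
from typing import List, Optional, Tuple

# One dns-translation entry: (src, dst, netmask), all dotted-quad strings.
Entry = Tuple[str, str, str]


def to_bits(addr: str) -> str:
    """Render an IPv4 address as dotted binary octets, as in the guide's tables."""
    return ".".join(f"{octet:08b}" for octet in ipaddress.IPv4Address(addr).packed)


def translate_answer(resolved: str, src: str, dst: str, netmask: str) -> Optional[str]:
    """Apply one dns-translation entry to a resolved A-record address.

    Returns the translated address, or None when the resolved address is not
    within src/netmask. (Assumption: an entry only applies to answers that
    share the network bits of src; the guide does not spell this out.)
    """
    r = int(ipaddress.IPv4Address(resolved))
    s = int(ipaddress.IPv4Address(src))
    d = int(ipaddress.IPv4Address(dst))
    m = int(ipaddress.IPv4Address(netmask))
    host_mask = m ^ 0xFFFFFFFF  # ~netmask, limited to 32 bits

    if (r & m) != (s & m):
        return None  # answer lies outside the translated range

    host_bits = r & host_mask  # step 1: keep the right-hand (host) bits of the answer
    network_bits = d & m       # step 2: take the left-hand (network) bits of dst
    return str(ipaddress.IPv4Address(network_bits | host_bits))  # step 3: OR them


def apply_entries(answers: List[str], entries: List[Entry]) -> List[str]:
    """Translate a whole ANSWER SECTION; the first matching entry wins (assumption)."""
    out = []
    for answer in answers:
        for src, dst, netmask in entries:
            translated = translate_answer(answer, src, dst, netmask)
            if translated is not None:
                out.append(translated)
                break
        else:
            out.append(answer)  # no entry matched: answer passes through unchanged
    return out


def explain(resolved: str, src: str, dst: str, netmask: str) -> str:
    """Return the guide's three-step working as text for the given entry."""
    inv = str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(netmask)) ^ 0xFFFFFFFF))
    host = str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(resolved))
                                     & int(ipaddress.IPv4Address(inv))))
    net = str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(dst))
                                    & int(ipaddress.IPv4Address(netmask))))
    result = translate_answer(resolved, src, dst, netmask)
    return "\n".join([
        f"step 1: {to_bits(resolved)}  {resolved} & ~{netmask} -> {host}",
        f"step 2: {to_bits(dst)}  {dst} & {netmask} -> {net}",
        f"step 3: {host} | {net} -> {result}",
    ])


if __name__ == "__main__":
    # Entry from the guide's netmask example (values taken from the page).
    print(explain("93.184.216.34", "93.184.216.34", "1.2.3.4", "255.255.224.0"))
    # Constructed answer section: only the first address is in 93.184.192.0/19.
    print(apply_entries(["93.184.216.34", "93.184.250.1"],
                        [("93.184.216.34", "1.2.3.4", "255.255.224.0")]))
```

Running the module prints the working for the guide's 255.255.224.0 example and shows that an address outside the src/netmask range is left untouched, which is the behaviour to confirm with a test query before relying on a non-/32 entry in production.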

This entry was posted in Administration Guides, FortiGate, FortiOS 6.2.

About Mike

Michael Pruett, CISSP, has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge, resulting in the wrong hardware or configuration being deployed, is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
