Fortigate 50e – Setting Up Conditional Forwarding

Tags: dns, fortigate

My first post here; any help is appreciated.
I have a Fortigate 50E with a bunch of PCs connected to it, which form my internal network. One of the PCs is running a web app (Confluence, to be precise). I can access this app from within the internal network with . Now I'd like to be able to access it from the internal network using something like 'confluence.myoffice.com:someport'. I also have confluence.myoffice.com as a subdomain with my webhoster, which I don't expect to see if I open that URL from my local network.
I read about conditional port forwarding and set it up via the Fortigate CLI:

config system dns-database
    edit "my_forward"
        set authoritative disable
        set domain "confluence.myoffice.com"
        set forwarder "<myIP>"
    next
end

and also set up the interface, so that in my Fortigate UI I see:


However, when I open confluence.myoffice.com in a browser on my internal network, it takes me to the public version. How can I check that the Fortigate settings are taking effect?

I followed @Zac67's instructions and have the following now:


but when I do nslookup from a machine in the LAN it still seems to go through the usual DNS:


This is what I get from the Fortigate console:


Best Answer

For local name resolution you need to set up 3 things:
1- a DNS zone
2- at least one A record in that zone
3- a DNS on the interface where your internal hosts are

A zone in a nameserver is a container for name/IP pairs, the records. You create a DNS zone in config system dns-database:

config system dns-database
    edit "MyCompanyZone"
        set status enable
        set domain "mycompany.local"
        set type master
        set view shadow
        set ttl 14400
        set authoritative enable
        # the host records of this zone
        config dns-entry
            edit 1
                set status enable
                set type A
                set ttl 0
                set hostname "namea"
                set ip 192.168.234.10
            next
            edit 2
                set status enable
                set type A
            ...
        end
    next
end

This zone only holds records for your private hosts and thus it must be 'authoritative'!
Next, the record(s). They are created in the config dns-entry section. Record type 'A' denotes a host entry. It doesn't harm to have an additional 'NS' record with the name of your nameserver, i.e. the Fortigate.

Then you set up a DNS for your hosts to use, here on the 'lan' interface:

config system dns-server
    edit "lan"
        set mode recursive
    next
end

# explanation for the mode parameter:
# set mode
recursive        Shadow DNS database and forward.
non-recursive    Public DNS database only.
forward-only     Forward only.

As you can see, it must be in 'recursive' mode or non-local names will not be resolved. If 'recursive' is specified and the requested hostname is not found in the dns-database, the request will be forwarded to the Fortigate's system DNS, which can be a FortiGuard DNS (as in your case) or your provider's DNS.

Now you can resolve a local hostname like 'namea.mycompany.local'.

Lastly, if you use the FGT as your DHCP server, specify the Fortigate's LAN address as the DNS to use so that all your local hosts will know whom to ask.
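As an added example (not part of the question, the answer, or any Fortinet tooling), here is a small Python script that parses a FortiOS CLI snippet of the shape shown above and checks the answer's three items offline: a zone, at least one complete A record in it, and a recursive dns-server on the LAN interface. The parser is hand-written for the config/edit/set/next/end block structure only; the second A record ("nameb", 192.168.234.11) and both sample configs are constructed for the example, and the FortiGate LAN address in the suggested nslookup command is a placeholder.

```python
"""Offline checklist for a FortiGate local-DNS setup (added example, not FortiGate code)."""
import re

# Constructed sample: the answer's configuration, with entry 2 completed.
GOOD_CONFIG = """
config system dns-database
    edit "MyCompanyZone"
        set status enable
        set domain "mycompany.local"
        set type master
        set view shadow
        set ttl 14400
        set authoritative enable
        config dns-entry
            edit 1
                set status enable
                set type A
                set ttl 0
                set hostname "namea"
                set ip 192.168.234.10
            next
            edit 2
                set status enable
                set type A
                set ttl 0
                set hostname "nameb"
                set ip 192.168.234.11
            next
        end
    next
end
config system dns-server
    edit "lan"
        set mode recursive
    next
end
"""

# Constructed sample: the questioner's forwarder-only configuration.
BAD_CONFIG = """
config system dns-database
    edit "my_forward"
        set authoritative disable
        set domain "confluence.myoffice.com"
        set forwarder "<myIP>"
    next
end
"""


def parse_fortios(text):
    """Parse FortiOS CLI text into nested dicts.

    'config X' and 'edit NAME' open a nested dict; 'set K V...' stores a
    string (or a list for multi-value settings); 'next'/'end' close the
    innermost block. Comment lines and '...' placeholders are skipped.
    """
    root, stack = {}, [{}]
    stack[0] = root
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "...":
            continue
        tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)]
        kw, args = tokens[0], tokens[1:]
        if kw in ("config", "edit"):
            node = stack[-1].setdefault(" ".join(args), {})
            stack.append(node)
        elif kw == "set":
            stack[-1][args[0]] = args[1] if len(args) == 2 else args[1:]
        elif kw in ("next", "end") and len(stack) > 1:
            stack.pop()  # tolerate a stray trailing 'end'
    return root


def local_names(cfg):
    """Map every enabled A record to its IP, e.g. namea.mycompany.local -> 192.168.234.10."""
    names = {}
    for zone in cfg.get("system dns-database", {}).values():
        for e in zone.get("dns-entry", {}).values():
            if e.get("type") == "A" and e.get("status", "enable") == "enable" \
                    and "hostname" in e and "ip" in e:
                names[f"{e['hostname']}.{zone.get('domain', '')}"] = e["ip"]
    return names


def check_local_dns(cfg, interface="lan"):
    """Return a list of problems against the answer's three requirements (empty = OK)."""
    problems = []
    zones = cfg.get("system dns-database", {})
    if not zones:
        problems.append("no DNS zone: 'config system dns-database' is empty")
    for zname, zone in zones.items():
        if zone.get("authoritative") != "enable":
            problems.append(f"zone {zname}: 'set authoritative enable' is missing")
        if not any(e.get("type") == "A" and "hostname" in e and "ip" in e
                   for e in zone.get("dns-entry", {}).values()):
            problems.append(f"zone {zname}: no complete A record (type A, hostname, ip)")
    srv = cfg.get("system dns-server", {}).get(interface)
    if srv is None:
        problems.append(f"no 'config system dns-server' entry for interface '{interface}'")
    elif srv.get("mode") != "recursive":
        problems.append(f"dns-server {interface}: mode is {srv.get('mode', 'unset')}, expected recursive")
    return problems


if __name__ == "__main__":
    for label, text in (("answer's config", GOOD_CONFIG), ("question's config", BAD_CONFIG)):
        cfg = parse_fortios(text)
        print(f"{label}: {check_local_dns(cfg) or 'OK'}")
        for name in local_names(cfg):
            # Query the FortiGate directly to confirm the zone answers, independent of the client's resolver.
            print(f"  verify with: nslookup {name} <FortiGate-LAN-IP>")
```

Running the checks against the question's configuration reports all three items as missing, which matches the symptom in the question: with no dns-server on the LAN interface and no A record, the client's queries never reach the Fortigate's zone and fall through to the public resolver.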