Firewall – Avoiding split brain DNS for a Fortigate Web Proxy

domain-name-systemfirewallfortigatefortinet

How can I avoid needing a split brain DNS setup with the setup outlined below?

Background

I have what "should" be a pretty basic setup using a Fortigate 200D.

'Third leg' setup using a DMZ
Explicitly defined web proxy for internal users
Default gateway may be set to this device.
External DNS for our public facing websites.

Every time I look for or ask about this setup I get a pointed towards this documentation, which inherently implies split brain DNS via different IP addresses for access from internal resources.
I'm trying really hard to avoid going back that route.

I'm getting the following response, which makes me think that the traffic wasn't being routed correctly.

403 Forbidden: incorrect proxy service was requested

The logs haven't shown any insight so far. I have also tried a packet capture (both on a shared web server and the Fortigate). They both indicate that the packets are dying within the Fortigate.

Best Answer

If you are wanting to avoid split brain DNS then external users would go to www.timistheman.com pointed at the external IP that's VIP/NAT'd down and internal would go to www.mdmarra.local pointed at the internal IP that is routed into the DMZ from the LAN.

If you are wanting internal and external users to resolve to the same FQDN then either split DNS to different IPs or route internal users out and back in (router on a stick).

Related Solutions

Split Brain DNS and DNS Forwarding Explained

I don't think this is possible, AD.DOMAIN.COM believes it is the authoritative source for this domain and will respond with NXDOMAIN no matter what.
I would really advice you to create a subdomain to put your AD into. As your setup grows this will become a bigger problem and manually adding hosts to both zones doesn't seem like a nice task.

It would be possible to run a Active Directory with a BIND DNS server.
What you could do is merge the zones and allow updates from the AD.DOMAIN.COM server.
However this requires the DOMAIN.COM zone to be a dynamic zone.

Split DNS – Cleanest solution for easy maintenance

In a network where one of the authoritative nameservers sits on the border of the internal network, I use bind views and the $INCLUDE directive:

mydomain-global.zone:

@ IN SOA ns1 hostmaster ( 12345; 1D; 2M; 1M; 3H )
  IN NS ns1
  IN NS ns2

  IN MX 10 mail

  www               IN A 1.2.3.4
  other-public-host IN A 1.2.3.5

mydomain-internal.zone:

$INCLUDE mydomain-global.zone

an-internal-record IN A   10.20.30.40
_kerberos          IN SRV 0 0 88 dir

The zones are chosen based on view definitions:

view "internal" {
  match-clients { 10.0.0.0/8; };
  zone "mydomain" {
    type master;
    file "mydomain-internal.zone";
  };
  include "named.conf.internalzones";
}

view "global" {
  match-clients { any; };
    zone "mydomain" {
    type master;
    file "mydomain-global.zone";
  };

To be able to assign a record different targets for internal/external queries, add two further zone fragments and $INCLUDE at the bottom of mydomain-(internal|global).zone.

Best Answer

Related Solutions

Split Brain DNS and DNS Forwarding Explained

Split DNS – Cleanest solution for easy maintenance

Related Topic