FortiGate DNS: Serving DNS Databases

Fortigate DNS KB ID 0001796

Problem

A colleague rang to ask if I had any thoughts about a problem they were having. We do a lot of VMware VCSA upgrades for customers, and the process fails if there is no DNS resolution of the FQDN during the upgrade. We had tried to fix the problem by creating hosts records (typically we don’t have access to the client’s DNS servers that run in the virtual environment). I had thought (wrongly) that it simply needed to look up the FQDN, but I’m told it also needs to do a reverse lookup (locate a PTR record).

We could of course just spin up either a Windows server with the DNS role on it, or a Linux BIND server, but what if we could use the firewall? With Cisco this is a non-starter, but what about the clients that have FortiGate?

FortiGate DNS

By default the feature isn’t enabled; you need to go to System > Feature Visibility > DNS Database > Enable it > Apply.

Network > DNS Servers > Create New.

Select the interface that will serve DNS queries > OK.

Back at the main page, under DNS Database > Create New > Give the zone a sensible name > Set the domain name > Under DNS Entries > Create New.

First create a host (A Record) that will point the FQDN to the correct IP address.

Then create a pointer (PTR Record) that will point the IP address back to the FQDN.

It should look something like this > OK.

Then test from a client that’s connected to the Interface serving DNS requests.
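Because the VCSA upgrade needs the reverse lookup as well as the forward one, the test from the client should confirm that the A record resolves to the expected address and that the PTR for that address points back to the same FQDN. The script below is an added example, not part of the original article; the zone name, host name and address are constructed sample values standing in for the entries created above, and the stub resolvers let it run offline, while the defaults use the client’s configured resolver.

```python
import socket
from typing import Callable, Dict, List

# Constructed sample data standing in for the FortiGate DNS database
# built in the steps above (hypothetical zone and host, not from the page).
SAMPLE_ZONE: Dict[str, str] = {"vcsa.lab.example": "192.168.10.20"}
SAMPLE_REVERSE: Dict[str, str] = {"192.168.10.20": "vcsa.lab.example"}


def _normalise(name: str) -> str:
    """DNS names are case-insensitive and PTR answers often end in a dot."""
    return name.rstrip(".").lower()


def check_forward_reverse(
    fqdn: str,
    expected_ip: str,
    forward: Callable[[str], str] = socket.gethostbyname,
    reverse: Callable[[str], str] = lambda ip: socket.gethostbyaddr(ip)[0],
) -> List[str]:
    """Return a list of problems; an empty list means A and PTR agree.

    forward(fqdn) must return an IPv4 address, reverse(ip) a host name.
    The defaults query the resolver the client is configured to use.
    """
    problems: List[str] = []
    try:
        ip = forward(fqdn)
    except (KeyError, OSError) as exc:  # socket.gaierror is an OSError
        return [f"A record: {fqdn} did not resolve ({exc})"]
    if ip != expected_ip:
        problems.append(f"A record: {fqdn} -> {ip}, expected {expected_ip}")
    try:
        ptr = reverse(ip)
    except (KeyError, OSError) as exc:  # socket.herror is an OSError
        problems.append(f"PTR record: no reverse entry for {ip} ({exc})")
        return problems
    if _normalise(ptr) != _normalise(fqdn):
        problems.append(f"PTR record: {ip} -> {ptr}, does not match {fqdn}")
    return problems


def check_sample() -> List[str]:
    """Run the check against the constructed sample zone, fully offline."""
    return check_forward_reverse(
        "vcsa.lab.example", "192.168.10.20",
        forward=lambda n: SAMPLE_ZONE[_normalise(n)],
        reverse=lambda ip: SAMPLE_REVERSE[ip] + ".",  # PTR with trailing dot
    )


if __name__ == "__main__":
    issues = check_sample()
    print("OK: A and PTR agree" if not issues else "\n".join(issues))
```

Against a real FortiGate, call `check_forward_reverse("vcsa.yourdomain", "x.x.x.x")` with no stubs from a host on the interface that serves DNS; any non-empty result is a record to fix before starting the upgrade.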

Related Articles, References, Credits, or External Links

NA