Using FortiGate as a Local DNS Server

A very common scenario: a branch office with no local server uses a site-to-site VPN to reach the corporate server infrastructure.

Many things are commonly controlled centrally in the data center and rely on a stable VPN connection:

  • Domain Controllers for authentication
  • Domain Controllers for DNS
  • Centralized DHCP
  • Wireless LAN Controller for AP management
  • File servers
  • Line of Business applications (ERP/CRM)
  • Terminal servers
  • That place they took your firstborn after you signed on

What happens when there’s a problem with the servers or Internet service at the data center, or the IPSec VPN has to operate cross-vendor and some malformed packet keeps causing the VPN to fail?  Or what if the connection to the data center traverses a metered link?

I believe that unless company policy states otherwise, it is best to plan for the scenario where the VPN goes down. That means hosting basic network services locally where possible.

Use Case

In my case, I have a number of clients that have branch offices that fall into this scenario – local Internet access, VPN to corporate resources, no local server.

Most network platforms can serve DHCP to varying degrees of capability, APs can run in FlexConnect/H-REAP mode to avoid sending data traffic over the CAPWAP tunnel, and credentials can be cached for enough time that having a local DC shouldn’t matter.

DNS, though, has always been the catch.  Not many platforms can do anything more than forward DNS queries, if they even support that.  Without local name resolution, that VPN to corporate is required for any and all Internet access.

FortiGate DNS Capabilities

FortiGate can be set to respond to DNS queries, which it then forwards on to its locally-defined DNS servers.  This is easily configurable in the GUI.  However, under the hood, the FortiGate DNS service can be configured with more capabilities.

YatzNet-FG61E-01 (internal) # show full-configuration
config system dns-server
    edit "internal"
        set mode recursive
        set dnsfilter-profile ''
    next
end
YatzNet-FG61E-01 (internal) # set mode ?
recursive        Shadow DNS database and forward.
non-recursive    Public DNS database only.
forward-only     Forward only.

YatzNet-FG61E-01 (internal) #

By default, FortiGate runs in forward-only mode. Setting the mode to recursive makes the local DNS database available, which is what enables split-brain records and per-domain forwarder re-targeting.

Note: Changing the mode is initially a CLI-only option. Once you set it though, the option becomes available in the GUI (as of FortiOS 5.6.5).  The “DNS Servers” menu becomes visible when enabling DNS Database in Feature Visibility.

Here you can see the options greyed out.  Once set in the CLI they become selectable.


This is my annotated baseline configuration.

# Create the listener service for the interface in recursive mode

config system dns-server
    edit "internal"
        set mode recursive
    next
end

# Create a local zone config and split-brain records if needed
# - Setting authoritative to disable allows other records in 
#   the same domain to be queried from an upstream server; 
#   the whole zone won't be overridden, just the records specified
# - In this case, "firewall.yatznet.com" allows me to manage my
#   firewall from LAN using the same FQDN as I would from the
#   WAN - especially important to avoid SSL certificate warnings
# - The company domain is specified to push DNS lookups over the
#   VPN to the corporate DCs
# - Anything not listed here will be handled recursively to the
#   system DNS servers

config system dns-database
    edit "yatznet.com"
        set domain "yatznet.com"
        set ttl 300
        set authoritative disable
        config dns-entry
            edit 1
                set hostname "firewall"
                set type A
                set ip 192.168.1.1
            next
        end
    next
    edit "domain.company.com"
        set domain "domain.company.com"
        set ttl 300
        set authoritative disable
        set forwarder "10.10.0.11"
        set source-ip 192.168.1.1
    next
end

As shown above, by setting a domain to non-authoritative and re-targeting its forwarder, you can force corporate domain name resolution over the VPN while using the local Internet connection for normal browsing. Don't forget to also set the source-ip for the forwarded queries: the FortiGate's own DNS traffic must originate from an address covered by the VPN's interesting-traffic selectors, or it will never enter the tunnel.
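To make the decision logic concrete, here is an added example (my own code, not the page's configuration or anything from Fortinet) that models how the dns-database above steers a query: a split-brain record is answered locally, an unlisted name in a non-authoritative zone goes upstream (to the zone forwarder if one is set, otherwise to the system DNS), and a zone that forwards without a source-ip is flagged. The zone, host, forwarder and source-ip values are the page's own; the system DNS address and the NXDOMAIN behaviour for authoritative zones are assumptions.

```python
# Added example, not from the page or Fortinet: a model of how the
# dns-database config above steers queries, plus the source-ip check
# the text warns about. Zone values come from the page's config; the
# system DNS address is a constructed placeholder.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Zone:
    domain: str
    authoritative: bool
    entries: dict = field(default_factory=dict)  # (hostname, type) -> value
    forwarder: Optional[str] = None
    source_ip: Optional[str] = None

SYSTEM_DNS = "203.0.113.53"  # constructed placeholder for the system DNS server

ZONES = [
    Zone("yatznet.com", False, {("firewall", "A"): "192.168.1.1"}),
    Zone("domain.company.com", False, forwarder="10.10.0.11",
         source_ip="192.168.1.1"),
]

def find_zone(fqdn):
    """Longest-suffix match, so a name inside a zone is handled by that zone."""
    hits = [z for z in ZONES
            if fqdn == z.domain or fqdn.endswith("." + z.domain)]
    return max(hits, key=lambda z: len(z.domain), default=None)

def resolve(fqdn, qtype="A"):
    """Return (action, target, source_ip) for one query."""
    fqdn = fqdn.rstrip(".").lower()
    z = find_zone(fqdn)
    if z is None:                       # no local zone: ordinary recursion
        return ("recurse", SYSTEM_DNS, None)
    host = fqdn[:-len(z.domain) - 1] if fqdn != z.domain else "@"
    if (host, qtype) in z.entries:      # split-brain record wins
        return ("local", z.entries[(host, qtype)], None)
    if z.authoritative:                 # assumption: missing name -> NXDOMAIN
        return ("nxdomain", None, None)
    if z.forwarder:                     # non-authoritative: send upstream
        return ("forward", z.forwarder, z.source_ip)
    return ("recurse", SYSTEM_DNS, None)

def audit_forwarders():
    """Zones that forward over the VPN but set no source-ip (the page's caveat)."""
    return [z.domain for z in ZONES if z.forwarder and not z.source_ip]
```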

Here is a list of other record types available for local entry.

YatzNet-FG61E-01 # config system dns-database
YatzNet-FG61E-01 (dns-database) # edit yatznet.com
YatzNet-FG61E-01 (yatznet.com) # config dns-entry
YatzNet-FG61E-01 (dns-entry) # edit 1
YatzNet-FG61E-01 (1) # set type ?
A         Host type.
NS        Name server type.
CNAME     Canonical name type.
MX        Mail exchange type.
AAAA      IPv6 host type.
PTR       Pointer type.
PTR_V6    IPv6 pointer type.


As you can see, many common record types are available (not complete, but enough for most purposes).

Granted, some organizations don't want this because of policy constraints. However, I like using it whenever a local server isn't available, for its versatility and the improved user experience.

Have you seen this or used this functionality before?  Do you know of other firewall products with this capability?