3

Can you advise on moving to a hybrid DNS?

Currently, all our LAN machines receive their IP address from our Fortigate 60D (each machine is either allocated an IP address from the Fortigate DHCP, or has a static IP address set in the Fortigate).
Our DNS records are currently managed from fortiddns.com.

Can I create a local DNS server, that will perform name-resolution for some of our LAN machines?

boardrider
  • 949
  • 2
  • 18
  • 29
  • is this an active directory environment? – SteamerJ Dec 10 '18 at 21:21
  • No, @SteamerJ. Is active directory necessary? – boardrider Dec 10 '18 at 22:13
  • It is not, but usually when you're connecting to computers via name that's in play. If you have all your computers using FQDNs with the same domain name then you can set up a small server locally that is authoritative for that domain. I would suggest not using the same domain that you have in fortiddns.com. If, for example, you have mydomain.com in fortiddns then you could do a subdomain of that for your local DNS server such as workgroup.mydomain.com and each of your computers would be named like this: computer1.workgroup.mydomain.com – SteamerJ Dec 10 '18 at 23:37
  • Thanks for the suggestions, @SteamerJ. Actually, our DHCP server uses `.local` as the domain in our LAN (e.g., `server1.local`), so, if it'd be possible, I'd continue to use *.local as the FQDN. None of our LAN machines are exposed across our firewall, so that shouldn't be a problem. – boardrider Dec 11 '18 at 23:44

2 Answers

0

It's not exactly clear what you are trying to achieve. I think you mean that you have some hosts which are provisioned via DHCP which is linked to a DNS server; thereafter it gets a bit confused.

Do you also have hosts considered to be in the same zone but which are not provisioned with DHCP which you want to add to the DNS zone?

If this is the case, and the other hosts are on the same subnet, then the simplest option is to add static mappings in the DHCP server for these hosts.

If the other hosts are on different subnets, then it's possible this configuration won't work and/or won't solve the problem. My first guess at a solution would be to use dnsmasq, which can act as a DNS forwarder proxy but can override specific records.

Are all the hosts in scope provisioned via DHCP, but the linked DNS server is outwith your current DNS resolver provision?

Simply define the zone and DNS server to your existing DNS forwarder service.

if it'd be possible, I'd continue to use *.local as the FQDN

It's probably possible but not advisable. This is the best time to change it.

symcbean
  • 21,009
  • 1
  • 31
  • 52
0

That being said, you can certainly set up DNS internally for it to resolve the local hosts. Each time you add a host you will want to make sure its DNS entry is added to the server if you don't have a way for them to register themselves (Active Directory usually takes care of this in a Windows environment).

I would advise against using .local since it may cause you pain down the road and its use for local networks has been advised against.

In AD environments you typically see a company with a site MyCompany.com with a public DNS server for all things web. Internally you would create a subdomain for your DNS server like office.MyCompany.com which you wouldn't actually publish to your public DNS and which would be valid internally only. Your hosts would end up looking like computer1.office.mycompany.com, and since your internal DNS server only knows to serve the office subdomain it would look externally to resolve anything else. This is the more proper way to do it.

If you wanted to keep some reference to .local you could use local.mycompany.com. For your resolvers you would set the hostname to just be computer1 and have it search your configured DNS server for local.mycompany.com.

SteamerJ
  • 403
  • 2
  • 7
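Both answers describe the same split: a small internal resolver that answers for one private subdomain (SteamerJ's office.mycompany.com) and forwards everything else upstream, with the ability to override individual records (symcbean's dnsmasq suggestion). The dnsmasq configuration below is an added example written for this thread, not something either answerer posted. It assumes the resolver runs on a Linux box at 192.168.1.5 on interface eth0, that the Fortigate at 192.168.1.1 is the upstream forwarder, and that the host addresses and names are placeholders you replace with your own.

```conf
# /etc/dnsmasq.conf  (added example; all addresses and names are assumed placeholders)

# Listen only on the LAN interface so the resolver is never reachable from elsewhere.
interface=eth0
bind-interfaces
local-service

# Ignore /etc/resolv.conf and send everything we are not authoritative for to
# the Fortigate (assumed upstream forwarder). Replace with your real upstream.
no-resolv
server=192.168.1.1

# Basic hygiene: never forward bare hostnames or reverse lookups for RFC1918
# space upstream, and drop upstream answers that point public names at private
# addresses (DNS rebinding).
domain-needed
bogus-priv
stop-dns-rebind
rebind-localhost-ok

# The private subdomain. "local=" means queries under this domain are answered
# only from the records below (and /etc/hosts); they are never forwarded, so the
# public DNS for mycompany.com never sees them and never needs to publish them.
local=/office.mycompany.com/
domain=office.mycompany.com
expand-hosts

# Hosts that do not register themselves (the per-host list SteamerJ mentions).
# One line per machine; add a new line whenever a host is added.
host-record=server1.office.mycompany.com,192.168.1.10
host-record=printer1.office.mycompany.com,192.168.1.11
host-record=computer1.office.mycompany.com,192.168.1.50

# Optionally keep the list in a separate hosts-format file so it can be managed
# without touching the main config (assumed path).
addn-hosts=/etc/dnsmasq.hosts

# Override a single public name with an internal address (symcbean's "override
# specific records"): clients inside the LAN reach the internal copy, everyone
# else still gets the public record from fortiddns.com.
address=/intranet.mycompany.com/192.168.1.20

# Cache upstream answers and log every query; the log is what you check when a
# name resolves differently from what you expect.
cache-size=1000
log-queries
log-facility=/var/log/dnsmasq.log
```

To put it in service, point the Fortigate DHCP scope's DNS server option at 192.168.1.5 and its domain option at office.mycompany.com, so a client with the short hostname computer1 searches that suffix; static-IP hosts need the same two settings by hand. Verify with `dig server1.office.mycompany.com @192.168.1.5` (should return 192.168.1.10 and appear in /var/log/dnsmasq.log as answered locally) and `dig www.mycompany.com @192.168.1.5` (should show as forwarded to 192.168.1.1). Leaving .local out of the subdomain also avoids a clash with multicast DNS, which RFC 6762 reserves that suffix for and which macOS and many Linux hosts use by default.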