Jennyjcuk
New Member
May 4, 2021
Question

DNS - Unable to access internally hosted sites on Apple Devices

  • May 4, 2021
  • 2 replies
  • 8320 views

Hi All,
We have a few hosted sites and services on our Academic network that need to be accessed via our guest/BYOD wifi/vlan. I've set up rules to the servers from the guest network, and I have routed the DNS through to our DNS servers (these contain all host and reverse lookup records) on our Academic vlan. Windows devices work fine, so I know the right things are in place, but anything Apple doesn't. We have tried flushing the DNS and cache on Apple devices and different browsers, still no luck. They can get to external websites fine, but just not internal.
Also, most of our sites are externally facing, but the Apple products still can't get to them when connected to our BYOD network!
Any help appreciated!
Thanks,

Jenny


    Martin_Hancock
    New Member
    May 4, 2021

    Have you added in the DNS suffixes to the DHCP scope at all for your network?

    Jennyjcuk (Author)
    New Member
    May 4, 2021

    No - we have set up DHCP on the FortiGate for the guest network. Can the DNS suffixes be added to the FortiGate?

    SJFriedl
    New Member
    May 4, 2021

    Jennyjcuk wrote:

    Can the DNS suffixes be added to the Fortigate?

    Yes, though it might only be doable via the CLI.
    config system dhcp server
      edit 2
         set domain "mydomain.local"
      next
    end
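What that `set domain` line changes is the search list the guest clients build from their DHCP lease, and the Python below models that offline. It is an added illustration, not code from this thread or from Fortinet: the zone data, the server addresses, the `Lease` helper and the hostnames are all constructed for the example. The resolver rules it follows are the usual res_search ones (apply the search list to a short name, try an FQDN as given first), and it treats DHCP option 119 as taking precedence over option 15 when both are present.

```python
"""Model how a stub resolver expands a short hostname using the search
domains it gets from DHCP. Added example; all names and data are constructed."""

from dataclasses import dataclass, field

# Constructed stand-in for the records held on the Academic DNS server.
# Keys are fully-qualified names without the trailing dot.
ZONE = {
    "intranet.mydomain.local": "10.10.20.15",
    "library.mydomain.local": "10.10.20.16",
}

# DHCP option numbers involved in suffix handling.
OPT_DNS_SERVER = 6       # resolver addresses
OPT_DOMAIN_NAME = 15     # single domain; the FortiOS `set domain` value lands here
OPT_DOMAIN_SEARCH = 119  # ordered search list (RFC 3397)


@dataclass
class Lease:
    """Hypothetical minimal view of a DHCP lease: only the options a resolver uses."""
    options: dict = field(default_factory=dict)

    def search_domains(self):
        """Search list the client derives from the lease.
        Option 119 wins when present; otherwise option 15 alone is used."""
        if OPT_DOMAIN_SEARCH in self.options:
            return list(self.options[OPT_DOMAIN_SEARCH])
        if OPT_DOMAIN_NAME in self.options:
            return [self.options[OPT_DOMAIN_NAME]]
        return []


def candidate_names(name, search_domains, ndots=1):
    """Ordered FQDNs a resolver tries for `name` (res_search semantics).
    A trailing dot means absolute: tried as-is only. A name with at least
    `ndots` dots is tried as given first, then with each search domain;
    a shorter name gets the search domains first and the bare name last."""
    if name.endswith("."):
        return [name.rstrip(".")]
    expanded = [f"{name}.{d.strip('.')}" for d in search_domains]
    if name.count(".") >= ndots:
        return [name] + expanded
    return expanded + [name]


def resolve(name, lease, zone=ZONE, ndots=1):
    """Return (fqdn_that_matched, address), or None when no candidate exists."""
    for fqdn in candidate_names(name, lease.search_domains(), ndots):
        if fqdn in zone:
            return fqdn, zone[fqdn]
    return None


def demo():
    """Three lookups of the same constructed host under different leases."""
    # Guest scope as in the thread: a DNS server is handed out, no domain.
    guest_without_suffix = Lease({OPT_DNS_SERVER: ["10.10.20.5"]})
    # Same scope after `set domain "mydomain.local"` on the DHCP server.
    guest_with_suffix = Lease({OPT_DNS_SERVER: ["10.10.20.5"],
                               OPT_DOMAIN_NAME: "mydomain.local"})
    return {
        "short_no_suffix": resolve("intranet", guest_without_suffix),
        "short_with_suffix": resolve("intranet", guest_with_suffix),
        "fqdn_no_suffix": resolve("intranet.mydomain.local", guest_without_suffix),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:>18}: {result}")
```

The third case is the check worth running on an affected Apple device before changing the DHCP scope: if the fully-qualified name (`intranet.mydomain.local`, or whatever the real FQDN is) also fails, the search suffix is not the problem and the DNS policy or NAT path deserves a closer look. On a Mac, `scutil --dns` shows the search domains actually in use, so the effect of the new scope option can be confirmed on the client rather than inferred.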

    Jennyjcuk (Author)
    New Member
    May 5, 2021

    Apple devices! 
    I am thinking it may have something to do with the fact that it is a guest network with no firewall authentication, so the firewall doesn't know who the users or devices are, despite rules to allow everything through. We have another wireless network set up with RADIUS authentication, from which users can get to the internal sites. That also has DHCP set up on the FortiGate, and DNS is routed to a server on the same subnet.
    Guest network DNS is routed to the RADIUS subnet. 
    SJFriedl
    New Member
    May 5, 2021

    Jennyjcuk wrote:

    I am thinking it may have something to do with the fact that it is a guest network with no authentication, so the firewall doesn't know who the users or devices are, despite rules to allow everything through.

    But there's a firewall policy somewhere allowing the traffic: is NAT enabled *on the policy* (as opposed to a VIP)?

    Jennyjcuk (Author)
    New Member
    May 5, 2021

    Yes, there's a rule to the DNS server allowing all sources using the DNS service. Then there's another rule allowing all sources again, with the HTTPS and HTTP services, to the specific servers hosting the sites. Windows devices are happy with this and get to everything.
    NAT is enabled on all the policies. We only have VIPs set up to point the external DNS to the correct internal IP addresses.