danyal
Explorer
February 17, 2025
Solved

Fortigate does not resolve local/private FQDN

Hello,

I have made a deny policy on the FortiGate 7.4.7 and assigned some FQDNs as the source for LAN-to-WAN communication. However, I realized it doesn't work. When I tried the policy with the IP addresses, it worked as it should. Then I executed the command below, where "ABC.Domain.com" is our internal network host's FQDN:

    exe ping ABC.Domain.com

Result:

    Unable to resolve hostname.

We are using the FortiGate DNS servers as below:

    # show system dns
    config system dns
        set primary 96.45.45.45
        set secondary 96.45.46.46
        set protocol dot
        set server-hostname "globalsdns.fortinet.net"
        set dns-cache-limit 300
    end

Also:

    # show system dns-server
    config system dns-server
        edit "lan"
            set mode forward-only
            set dnsfilter-profile "default"
        next
    end

FYI, I'm able to ping the hostnames from my endpoints, but not from the command prompt inside the FortiGate GUI.

I'm not sure if any other information is required, so please let me know.

To recap the issue, I can't set a policy on an internal FQDN.

Thanks in advance.

Best answer by dingjerry_FTNT

Hi @danyal,

You may read this article and give it a try:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-DNS-database-with-FortiGate-as-a-slave-to-a/ta-p/192942


dingjerry_FTNT
Staff
February 17, 2025

Hi @danyal,

If the FQDNs are local and private, most likely public DNS servers do not know how to resolve them.

Please use your local DNS server on the FGT instead.

danyal (Author)
Explorer
February 18, 2025

Hi @dingjerry_FTNT,

I understand that public DNS servers are not able to resolve local FQDNs; however, I couldn't find a document that shows me how to use the local DNS server while keeping those FGT DNS servers for external URLs.

Also, I'm looking for a solution that makes minimal changes to the firewall. I have already seen procedures that require me to add a DNS zone, then set the FGT DNS server to recursive mode and finally apply some other changes on the FGT LAN port.
FYI, I have the FSSO agent running on my server. I'm new to FortiGate, so I'm not sure if there is a way to use it to identify the hosts and apply that policy through it.
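
The "add a DNS zone, then set the FGT DNS server to recursive mode" procedure mentioned above, written out as FortiGate CLI. This is an added example; it is not configuration from this thread, from Fortinet, or from the linked article. It assumes the internal zone is Domain.com, that the host ABC sits at the placeholder address 192.0.2.10, that the LAN DNS server entry is named "lan" as in the thread, and that FortiOS 7.4 accepts the keyword `primary` for a locally hosted zone. The point it illustrates is the one the failing `exe ping` shows: an FQDN address object in a policy is resolved by the FortiGate's own resolver, not by the endpoints, so the FortiGate itself must be able to answer the internal name. The assumption is that a local DNS database zone is consulted before the `config system dns` servers, which stay unchanged and keep serving external names.

```fortios
# Added example, not from the thread. Local zone for Domain.com hosted on the
# FortiGate. Assumptions: zone name "internal", host ABC at placeholder
# 192.0.2.10, FortiOS 7.4 keyword "primary" (older builds use "master").
config system dns-database
    edit "internal"
        set status enable
        set domain "Domain.com"
        set type primary
        # shadow: the zone is served only to clients that query this FortiGate,
        # it is not published as a public zone
        set view shadow
        set ttl 86400
        # disable: Domain.com names that are not in this zone are still
        # forwarded upstream rather than answered with NXDOMAIN
        set authoritative disable
        config dns-entry
            edit 1
                set status enable
                set type A
                set hostname "ABC"
                set ip 192.0.2.10
            next
        end
    next
end

# Switch the LAN DNS server from forward-only to recursive so it answers from
# the local zone first and forwards everything else to the system DNS servers.
config system dns-server
    edit "lan"
        set mode recursive
        set dnsfilter-profile "default"
    next
end

# "config system dns" (96.45.45.45 / 96.45.46.46 over DoT) is left as it is in
# the thread; it still resolves external names.

# Verification (assumption: the FortiGate's own resolver consults the local
# DNS database before the configured system DNS servers):
#   exe ping ABC.Domain.com
#   diagnose firewall fqdn list
```

If `exe ping ABC.Domain.com` still reports "Unable to resolve hostname" after this change, the FortiGate's resolver is not consulting the zone, and the fallback that needs no zone at all is to point `config system dns` at the internal DNS server that the endpoints already use; the trade-off is that external names are then resolved through that internal server rather than through the FortiGate DoT servers.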

dingjerry_FTNT
Staff
February 18, 2025