Skip to main content
SoonerDaddio
SoonerDaddio
Explorer
June 6, 2025
Solved

Fortigate internal DNS server not resolving internal host names

  • June 6, 2025
  • 2 replies
  • 5604 views

I have a FortiGate 70F running 7.4.7 and I'm trying to set up a DNS server on it to resolve some internal server host names.  The system DNS is pointing to the FortGuard DNS servers.  I am using FortiSwitches connected via FortiLink for clients on multiple VLANs. 

 

I enabled DNS Servers in Feature Visibility to add that option and noticed that it already had an entry for the fortilink interface set to Forward to System DNS, and a DNS Database entry for fortiswitch set to Primary/Shadow that has 5 entries, one for each of my FortiSwitches.  I did not make any of these, so this is apparently done automatically when you install a FortiSwitch. 

 

I am trying to get clients on the Lab VLAN to resolve host names for 3 servers in our environment.  I went through the steps to add a new DNS Database using Primary/Shadow and added 'A' and 'PTR' records and a domain name for the 3 servers on our internal network.  I saved this and then added a 'DNS Service on Interface' as recursive for the Lab VLAN interface (which is configured on the Fortilink switches) that the clients are on, and added the new internal domain name as a local domain name in the system DNS settings.  I then went to the interface for the Lab VLAN and changed the DNS server from 'Same as System DNS' to 'Same as Interface IP'.  

 

When testing from one of the client pcs on the Lab VLAN, it can ping those servers by IP address but if I try to ping it by the host name I get "Ping request could not find host newhost.myinternalnet.com. Please check the name and try again".  Nslookup returns the following - 

Server: dns1.fortiguard.net
Address: 96.45.45.45

*** dns1.fortiguard.net can't find newhost.myinternalnet.com: Non-existent domain

 

It appears to still just be using the FortiGuard DNS and not using my new DNS entries at all, so I am wondering if having that default entry for the fortilink switches is somehow overriding the Lab VLAN sub-interface under the fortilink interface?  I also tried changing that default entry for the DNS Service fortilink interface to recursive instead of system DNS servers and had the same result.

 

Thanks in advance for any help on what I've missed or done wrong!

 

Best answer by ebilcari

Maybe the host needed a flushdns before the tests. Regarding the last request, you should configure the DNS suffix, the details are covered in this article.

2 replies

kcheng
Staff & Editor
kcheng
Staff & Editor
June 7, 2025

Hi @SoonerDaddio ,

 

How did the clients on your Lab VLAN gets it's IP? If it's via DHCP, you want to ensure that the VLAN settings have DNS set to interface IP, but not follow system settings:

https://docs.fortinet.com/document/fortigate/7.6.3/administration-guide/747452/basic-configuration

    SoonerDaddio
    SoonerDaddioAuthor
    Explorer
    June 9, 2025

    Yes, as I mentioned above, I changed the VLAN interface to 'Same as Interface IP' but it still does not resolve.

    funkylicious
    SuperUser
    funkylicious
    SuperUser
    June 9, 2025

    can you share your dns server settings/entries ?

    "jack of all trades, master of none"
    ebilcari
    Staff
    ebilcari
    Staff
    June 7, 2025

    The configuration in FGT should look like this:

    FGT dns.PNG

     

    You can also check with the nslookup tool in the end host to point the request directly to the FGT interface:

    C:\Users\eb>nslookup test.eb.lab gw.eb.eu
    Server: gw.eb.eu
    Address: 10.0.0.1

    Non-authoritative answer:
    DNS request timed out.
    timeout was 2 seconds.
    Name: test.eb.lab
    Address: 123.123.123.1

    Emirjon
      SoonerDaddio
      SoonerDaddioAuthor
      Explorer
      June 9, 2025

      Well, now I'm really confused...  I came in this morning and tested it again by nslookup and ping, and both are now working...  Now, when I do an nslookup it shows that it is using the interface IP instead of the system DNS, even tho I had it set to that last week also.

      Nslookup now shows this - 

      nslookup lab-server.labvlan.com
      Server: UnKnown
      Address: 192.168.1.1

      Non-authoritative answer:
      Name: lab-server.labvlan.com
      Address: 10.1.1.12

       

      - instead of this - 

      Server: dns1.fortiguard.net
      Address: 96.45.45.45

      *** dns1.fortiguard.net can't find newhost.myinternalnet.com: Non-existent domain

       

      - and I am able to ping the server by DNS name.  Only thing left is that I have to use the full dns name (lab-server.labvlan.com), and I would like to use the simple name (lab-server) without the domain.  I added 'labvlan.com' as a local domain under the system DNS settings, but is there somewhere else I need to have that local domain name set as well?

       

      Thanks!

        ebilcari
        Staff
        ebilcariAnswer
        Staff
        June 9, 2025

        Maybe the host needed a flushdns before the tests. Regarding the last request, you should configure the DNS suffix, the details are covered in this article.

        Emirjon
          Terms & ConditionsAccessibility statement