- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Internal DNS Multiple Subnets
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Internal DNS Multiple Subnets
Hi guys!
On our FortiWiFi unit, we're having trouble getting DNS resolving across two internal subnets. Internet works fine on the WiFi and the LAN, and we can access the LAN subnet from the WiFi and vice versa, but cannot resolve DNS.
I've tried searching through the Cookbook, watching videos, but can't find any clear guide as to how to set this up.
Our FortiWiFi is running firmware v5.6.2, and I've already enabled DNS Server from the Features.
Port1 (LAN) = 10.0.0.1/24 WiFi = 192.168.0.1/24 We're not running a corporate domain in our office, and have no on-prem servers (only small, no need). I've tried setting up the DNS Server a few different ways, but cannot get this to work. I know I can add entries in there manually, but that won't be practical to manage, as IP addresses and Hostnames will change. Can someone please assist? Kind regards,
Stuart Mitchell
Solved! Go to Solution.
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OK, I believe there are two issues at play here.
1) Name resolution
2) DNS resolution
The reason people feel they are resolving names on the local subnet is due to Windows or other servers ability to resolve names on the local LAN via NetBIOS. The result is the same though the mechanism is far different. Though the DNS is set up correctly, as posted above, the Fortigate needs to be set up as a DNS server, either master (primary) or slave (secondary) and have access to a valid table with all local entries of all subnets installed within. If there is no table, the Fortigate has no information about any local hosts.
So back to the issue...inability to resolve hosts on a different subnet. Skip adding 'Same as system DNS' because Google has zero knowledge of your server situation. You need to run a local DNS server, either on the Fortigate or on Windows, or BIND. (or any appliance that's capable) Personally on my network, I run my primary DNS server on a Windows server, but hosts use my two NAS servers as their DNS servers. They are secondary servers retrieving their zone data from the primary Windows server. I make one zone change and it gets propagated through to both secondary boxes and the Windows box isn't too heavily taxed.
That being said, what is your primary DNS server?
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
17 REPLIES 17
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You need to bridge the wifi and LAN (if they are both work networks) into a software switch that way they are the same subnet). Without a true DNS server you are relying on broadcast traffic for resolution. Two different subnets wont broadcast to one another so you need to bridge them so that it is one subnet and one broadcast domain.
Mike Pruett
Mike Pruett
Fortinet GURU | Fortinet Training Videos
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Mike,
For argument's sake, let's pretend that the networks cannot be on the same subnet, but need to be able to communicate with one another (including DNS resolution).
Are you saying there's no way to do this on a FortiGate without changing the subnet mask? For such a feature-filled device, I find that hard to believe, but I guess I'll see what other people come back with.
Kind regards,
Stuart Mitchell
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What DNS server IPs are you handing over DHCP? A public one, like 8.8.8.8, or internal one somewhere inside of your network? In either case, as long as the client machine has reachability to the DNS server it should work fine.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Toshi,
The FortiWiFi system DNS is set to 8.8.8.8
The LAN DHCP is set to Interface IP for DNS server (10.0.0.1)
The WiFi DHCP is set to Interface IP for DNS server (192.168.0.1)
Under DNS Server, I've configured both interfaces (LAN & WiFi) to be Recursive
Should I be changing my WiFi DHCP to give out 10.0.0.1 as the DNS server?
Thanks in advance,
Stuart Mitchell
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What is your DNS server? The Fortigate or another unit?
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The FortiGate, though not sure if I've set it up properly, hence why I'm here :)
Again, we don't have a corporate domain here with any servers, just a simple office environment.
Kind regards,
Stuart Mitchell
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm actually not sure how "Same as Interface IP" option would work. But if you want to let all devices to use 8.8.8.8 as DNS, you should set "Same as System DNS". Then make sure each device can ping 8.8.8.8.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
And I don't feel any necessity you need to make your FortiGate as a DNS server.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@Toshi
So you're saying if I set all our internal subnets' DNS to 8.8.8.8, devices on one subnet will be able to resolve hostnames on a separate local subnet?
How would that work?
Just to reiterate, we have two local subnets... Our LAN subnet of 10.0.0.0/24, and our WiFi (on a different interface) on 192.168.0.0/24. Currently, I've got routing configured correctly, so I can access either subnet from either subnet, but from either side, I cannot resolve hostnames on the other side (10.0.0.0/24 hosts cannot resolve hostnames on the 192.168.0.0/24 subnet, and vice versa).
Related Posts
Labels
-
FortiGate
6,449 -
FortiClient
1,287 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
411 -
5.6
362 -
FortiSwitch
331 -
FortiAP
327 -
FortiClient EMS
259 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
148 -
6.4
128 -
FortiNAC
103 -
FortiGuard
102 -
FortiGateCloud
86 -
FortiSIEM
85 -
FortiCloud Products
82 -
FortiToken
69 -
Customer Service
69 -
IPsec
66 -
4.0MR3
64 -
Wireless Controller
58 -
SSL-VPN
54 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
38 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
30 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
FortiConverter
21 -
High Availability
20 -
Firewall policy
20 -
VLAN
18 -
FortiPortal
17 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
ZTNA
15 -
FortiMonitor
14 -
Certificate
14 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
SAML
11 -
DNS
11 -
Interface
11 -
BGP
10 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
Logging
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
NAT
7 -
FortiAuthenticator
7 -
Admin
7 -
FortiGate v4.0 MR3
7 -
4.0
7 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
SSID
5 -
Security profile
5 -
Traffic shaping policy
5 -
Authentication
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
Static route
5 -
FortiManager v4.0
5 -
FortiDirector
4 -
SSL SSH inspection
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
packet capture
3 -
FortiToken Cloud
3 -
Automation
3 -
Intrusion prevention
3 -
DoS policy
3 -
FortiTester
3 -
Port policy
3 -
FortiDB
3 -
IPS signature
3 -
FortiDeceptor
2 -
FortiInsight
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
Web profile
2 -
FortiAP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
NAC policy
1 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Multicast routing
1 -
Zone
1 -
FortiManager-VM
1 -
Fabric connector
1 -
Internet Service Database
1 -
Fortinet Engage Partner Program
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.