Hello, I have configured a DNS server on a FortiGate.
On this same FortiGate I have configured an IPsec tunnel with a client, which has a DNS server, and the clients of my network reach this DNS server through a firewall policy with a specific IP with NAT.
The FortiGate DNS forwards to the client's DNS server, but does not reach it, because the IPsec tunnel is configured with a firewall rule to reach it with a specific IP with NAT, and this firewall rule does not apply to the FortiGate DNS.
How can I make the DNS server of the Forti able to query the DNS of this client?
So basically you want the DNS server of the FGT to forward the request to an external DNS server that is reachable through IPsec, but since the other node has a firewall policy that allows the requests only from a specific subnet, these requests get dropped.

config system dns-database
    edit "eb.lab"
        set source-ip <ip>   <-- try to use the GW of the hosts from the allowed subnet
    next
end
The problem is that the tunnel is accessed with a range of IPs configured in a firewall policy with NAT. If you are not within this range of IPs you do not reach the client's DNS.
The problem is that this policy does not apply to the IP of the Forti where the DNS is.
If NAT is configured on the same FGT that has the DNS server configured, you can set that IP as the source of the DNS database. If NAT is configured on the other side and this FGT doesn't have an IP that is allowed on that policy, it may not be possible to achieve this without changing the firewall policy on the other node.
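As an added illustration of the two replies above (constructed here, not taken from the thread or from Fortinet documentation): a complete dns-database zone that forwards to the remote DNS server, shown first with `source-ip` left at its default and then with it set to a FortiGate interface address that lies inside the range the remote policy permits, followed by the sniffer command used to confirm which source address the forwarded queries actually carry. The zone name `eb.lab`, the forwarder address `10.20.30.53` and the LAN gateway address `192.168.10.1` are assumptions; the `#` lines are annotations, not CLI syntax, and must be dropped before pasting. The address given to `source-ip` is expected to be one configured on a FortiGate interface, and self-originated traffic is not subject to the NAT of a firewall policy, which is why the address has to be chosen explicitly here.

```text
# Default: source-ip 0.0.0.0, so forwarded queries leave with the address of the
# tunnel egress interface, which the remote policy does not allow.
config system dns-database
    edit "eb.lab"
        set domain "eb.lab"
        set type master
        set view shadow
        set forwarder "10.20.30.53"
        set source-ip 0.0.0.0
    next
end

# Fix: pin the forwarded queries to the LAN gateway address, which is inside the
# range the remote firewall policy accepts (assumed: 192.168.10.1).
config system dns-database
    edit "eb.lab"
        set source-ip 192.168.10.1
    next
end

# Verify: capture traffic to the forwarder while a LAN host resolves a name in
# eb.lab; the source field should now show 192.168.10.1.
diagnose sniffer packet any 'host 10.20.30.53 and port 53' 4 10 l
```

If the sniffer shows the query leaving with the right source but no reply returning, the drop is on the remote side and, as the reply above notes, only a change to the policy on that node will help.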