Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Jennyjcuk
New Contributor

DNS - Unable to access internally hosted sites on Apple Devices

Hi All,

 

We have a few hosted sites and services on our Academic network that need to be accessed via our guest/BYOD wifi/vlan.  I've set up rules to the servers from the guest network, and I have routed the DNS through to our DNS servers (these contain all host and reverse lookup records) on our Academic vlan. Windows devices work fine so I know the right things are in place, but anything Apple doesn't. We have tried flushing the DNS and cache on Apple devices, different browsers, still no luck. They can get to external websites fine, but just not internal.

 

Also most of our sites are externally facing, but the Apple products still can't get to them when connected to our BYOD network! 

 

Any help appreciated!

 

Thanks,

Jenny

Martin_Hancock
New Contributor II

Have you added in the DNS suffixes to the DHCP scope at all for your network?

Jennyjcuk

No - we have set up DHCP on the Fortigate for the guest network.  Can the DNS suffixes be added to the Fortigate?

SJFriedl
New Contributor II

Jennyjcuk wrote:

Can the DNS suffixes be added to the Fortigate?

Yes, though it might only be doable via the CLI.

 

config system dhcp server
    edit 2
        set domain "mydomain.local"
    next
end

Jennyjcuk

Thank you this has worked a little... strangely now on my test iPhone I can get to one internal site but still not to all! Any other options that could be specified?  

SJFriedl
New Contributor II

Jennyjcuk wrote:

Any other options that could be specified?  

I've never been able to get my iPhone to show *any* domains in Settings --> Wifi --> (SSID) --> Configure DNS, though my phone does resolve names on my local network.  Not sure if it's that my phone is not showing search domains it knows about, or something else.

Jennyjcuk
New Contributor

Apple devices! 

 

I am thinking it may have something to do with the fact that it is a guest network with no firewall authentication, so the firewall doesn't know who the users or devices are, despite rules to allow everything through. We have another wireless network set up with RADIUS authentication from which users can get to the internal sites.  That also has DHCP set up on the Fortigate and DNS is routed to a server on the same subnet. 

 

Guest network DNS is routed to the RADIUS subnet. 

 

SJFriedl
New Contributor II

Jennyjcuk wrote:

I am thinking it may have something to do with the fact that it is a guest network with no authentication, so the firewall doesn't know who the users or devices are, despite rules to allow everything through.

But there's a firewall policy somewhere allowing the traffic: is NAT enabled *on the policy* (as opposed to a VIP)?

Jennyjcuk

Yes there's a rule to the DNS server, allowing all sources using the DNS service. Then there's another rule to allow all sources again HTTPS and HTTP service to the specific servers hosting the sites. Windows devices are happy with this and get to everything.

 

NAT is enabled on all the policies. We only have VIPs set up to point the external DNS to the correct internal IP addresses.

SJFriedl
New Contributor II

Jennyjcuk wrote:

Yes there's a rule to the DNS server, allowing all sources using the DNS service. Then there's another rule to allow all sources again HTTPS and HTTP service to the specific servers hosting the sites. Windows devices are happy with this and get to everything.

 

NAT is enabled on all the policies. We only have VIPs set up to point the external DNS to the correct internal IP addresses.

Ok, so the NAT question was me being confused with a different question (duh), though you probably don't want NAT on most policies.

 

In any case, I recently simplified my network *dramatically* by letting my Fortigate serve up DNS on all the default gateways, and it would internally forward the requests to the real servers. I was able to remove essentially all of my firewall policies allowing DNS from one to another, a HUGE simplification.

 

This is worth considering.
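As an added illustration of the two FortiGate pieces discussed in this thread (the DHCP `set domain` option SJFriedl showed, and his later suggestion of letting the FortiGate serve DNS on the gateway and forward to the real servers), here is a complete CLI fragment. This is example configuration written for this page, not anything posted by the participants or taken from a live system; the interface name "guest", the 192.0.2.0/24 guest subnet, the 198.51.100.x DNS server addresses and the domain name are placeholders to be replaced with your own values.

```text
# Added example, not from the thread. Interface name, subnets, DNS server
# addresses and the domain below are placeholders.

# 1. Point the FortiGate's own resolver at the Academic DNS servers.
#    Queries the FortiGate sends on its own behalf do not pass through an
#    interface-to-interface firewall policy, so the guest -> DNS-server
#    policy from the thread is no longer needed.
config system dns
    set primary 198.51.100.53
    set secondary 198.51.100.54
end

# 2. Answer DNS on the guest interface and forward every query upstream.
config system dns-server
    edit "guest"
        set mode forward-only
    next
end

# 3. Guest DHCP scope: hand out the interface address as the DNS server
#    (dns-service local) together with the search domain.
config system dhcp server
    edit 2
        set interface "guest"
        set default-gateway 192.0.2.1
        set netmask 255.255.255.0
        set dns-service local
        set domain "mydomain.local"
        config ip-range
            edit 1
                set start-ip 192.0.2.100
                set end-ip 192.0.2.200
            next
        end
    next
end
```

With this in place the guest VLAN only needs the HTTP/HTTPS policy to the web servers; the DNS policy from guests to the Academic DNS server can be removed, which both simplifies the policy set and stops guest clients talking to the internal resolver directly. To confirm the forwarding path from a guest client after it has renewed its lease, query the gateway explicitly (for example `dig @192.0.2.1 host.mydomain.local` or `nslookup host.mydomain.local 192.0.2.1`) and check that the answer matches what the Academic DNS server returns.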
