Support Forum
danyal

Fortigate does not resolve local/private FQDN

Hello,

I have made a deny policy on the FortiGate 7.4.7 and assigned some FQDNs as the source for LAN-to-WAN communication. However, I realized it doesn't work. When I tried the policy with the IP addresses, it worked as it should. Then I executed the command below, where "ABC.Domain.com" is our internal network host's FQDN.

exe ping ABC.Domain.com

Result:

Unable to resolve hostname.

We are using the FortiGate DNS servers as below:

#show system dns
config system dns
    set primary 96.45.45.45
    set secondary 96.45.46.46
    set protocol dot
    set server-hostname "globalsdns.fortinet.net"
    set dns-cache-limit 300
end

Also:

# show system dns-server
config system dns-server
    edit "lan"
        set mode forward-only
        set dnsfilter-profile "default"
    next
end

FYI, I'm able to ping the hostnames from my endpoints but not in the command prompt inside the FortiGate GUI.

I'm not sure if any other information is required, so please let me know.

To recap the issue, I can't set a policy on an internal FQDN.

Thanks in advance.

dingjerry_FTNT

Hi @danyal,

If the FQDNs are local and private, most likely any public DNS servers do not know how to resolve them.

Please use your local DNS server on the FGT instead.

Regards,

Jerry
danyal

Hi @dingjerry_FTNT,

I understand that public DNS servers are not able to resolve local FQDNs; however, I couldn't find a document that shows me how to use the local DNS server while keeping those FGT DNS servers for external URLs.

Also, I'm looking for a solution that makes minimal changes to the firewall. I have already seen procedures that require me to add a DNS zone, then set the FGT DNS server to recursive mode, and finally apply some other changes on the FGT LAN port.

FYI, I have the FSSO agent running on my server. I'm new to FortiGate, so I'm not sure if there is a way to use it to identify the hosts and apply that policy through it.
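An added example, not from this thread or from Fortinet: a small Python check that parses the "show system dns" and "show system dns-server" output posted above and reports why an FQDN address object for an internal host cannot work here. The FortiGate resolves FQDN objects itself through "config system dns", so with public resolvers the lookup fails regardless of what the endpoints can resolve. The parser only handles the flat sections shown and the public/private test uses Python's ipaddress module; both are assumptions of this example, not a Fortinet tool.

```python
import ipaddress

# Constructed sample: the 'show system dns' / 'show system dns-server' output from the thread.
SAMPLE_CONFIG = """
config system dns
    set primary 96.45.45.45
    set secondary 96.45.46.46
    set protocol dot
    set server-hostname "globalsdns.fortinet.net"
    set dns-cache-limit 300
end
config system dns-server
    edit "lan"
        set mode forward-only
        set dnsfilter-profile "default"
    next
end
"""


def parse_fortios_config(text):
    """Parse 'config ... end' sections into {section: {key: value}}; 'edit "x"' entries become 'section/x'."""
    sections, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack = [line[7:]]                       # new top-level section
        elif line.startswith("edit ") and stack:
            stack.append(stack[0] + "/" + line[5:].strip('"'))
        elif line in ("next", "end") and stack:
            stack.pop()
        elif line.startswith("set ") and stack:
            key, _, value = line[4:].partition(" ")
            sections.setdefault(stack[-1], {})[key] = value.strip('"')
    return sections


def audit_system_dns(text):
    """Explain why internal FQDN address objects cannot resolve: the FortiGate
    resolves them itself via 'config system dns', not via the client's resolver."""
    cfg = parse_fortios_config(text)
    findings = []
    for role in ("primary", "secondary"):
        server = cfg.get("system dns", {}).get(role)
        if server and ipaddress.ip_address(server).is_global:
            findings.append(f"{role} resolver {server} is public; it cannot answer for internal names")
    for name, entry in cfg.items():
        if name.startswith("system dns-server/") and entry.get("mode") == "forward-only":
            findings.append(f"dns-server '{name.split('/', 1)[1]}' is forward-only, so clients "
                            "that use the FortiGate as resolver get the same public answers")
    return findings
```

With the primary and secondary entries pointed at the internal DNS server, as Jerry suggests, the check returns no findings.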

dingjerry_FTNT