Hi guys!
On our FortiWiFi unit, we're having trouble getting DNS resolving across two internal subnets. Internet works fine on the WiFi and the LAN, and we can access the LAN subnet from the WiFi and vice versa, but cannot resolve DNS.
I've tried searching through the Cookbook, watching videos, but can't find any clear guide as to how to set this up.
Our FortiWiFi is running firmware v5.6.2, and I've already enabled DNS Server from the Features.
Port1 (LAN) = 10.0.0.1/24
WiFi = 192.168.0.1/24
We're not running a corporate domain in our office, and have no on-prem servers (only small, no need). I've tried setting up the DNS Server a few different ways, but cannot get this to work. I know I can add entries in there manually, but that won't be practical to manage, as IP addresses and Hostnames will change. Can someone please assist?
Kind regards,
Stuart Mitchell
OK, I believe there are two issues at play here.
1) Name resolution
2) DNS resolution
The reason people feel they are resolving names on the local subnet is due to Windows or other servers' ability to resolve names on the local LAN via NetBIOS. The result is the same, though the mechanism is far different. Though the DNS is set up correctly, as posted above, the Fortigate needs to be set up as a DNS server, either master (primary) or slave (secondary), and have access to a valid table with all local entries of all subnets installed within. If there is no table, the Fortigate has no information about any local hosts.
So back to the issue... inability to resolve hosts on a different subnet. Skip adding 'Same as system DNS' because Google has zero knowledge of your server situation. You need to run a local DNS server, either on the Fortigate, on Windows, or BIND (or any appliance that's capable). Personally on my network, I run my primary DNS server on a Windows server, but hosts use my two NAS servers as their DNS servers. They are secondary servers retrieving their zone data from the primary Windows server. I make one zone change and it gets propagated through to both secondary boxes, and the Windows box isn't too heavily taxed.
That being said, what is your primary DNS server?
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
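The setup Bob describes (FortiGate as the primary DNS server with a populated table of local hosts on both subnets, recursive on both interfaces, DHCP handing out the interface IP), written out as FortiOS CLI. This is an added example, not Bob's or Fortinet's own configuration; the interface name "wifi", the zone name "office.lan", and the host entries are assumed and constructed for illustration.

```text
# Upstream resolver for anything not in the local zone (matches the thread: 8.8.8.8)
config system dns
    set primary 8.8.8.8
end

# Answer DNS queries on both internal interfaces; recursive so the
# FortiGate forwards non-local names to the system DNS above
config system dns-server
    edit "port1"
        set mode recursive
    next
    edit "wifi"            # assumed interface name for the 192.168.0.0/24 side
        set mode recursive
    next
end

# Local zone: the "valid table with all local entries of all subnets".
# view shadow = only answered for internal clients, never exposed publicly.
config system dns-database
    edit "office"
        set domain "office.lan"   # constructed zone name
        set type master
        set view shadow
        set ttl 3600
        set authoritative enable
        config dns-entry
            edit 1
                set type A
                set hostname "printer"        # constructed: 10.0.0.0/24 host
                set ip 10.0.0.20
            next
            edit 2
                set type A
                set hostname "laptop-stuart"  # constructed: 192.168.0.0/24 host
                set ip 192.168.0.50
            next
        end
    next
end

# DHCP: "Same as Interface IP" in the GUI is dns-service local on the CLI
config system dhcp server
    edit 1
        set interface "port1"
        set dns-service local
    next
end
```

Entries in dns-database are static, so a host that changes address needs its A record updated; from a client, `nslookup printer.office.lan 10.0.0.1` and the same query against 192.168.0.1 should both return 10.0.0.20 once the zone is loaded.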
You need to bridge the WiFi and LAN (if they are both work networks) into a software switch; that way they are on the same subnet. Without a true DNS server you are relying on broadcast traffic for resolution. Two different subnets won't broadcast to one another, so you need to bridge them so that it is one subnet and one broadcast domain.
Mike Pruett
Hi Mike,
For argument's sake, let's pretend that the networks cannot be on the same subnet, but need to be able to communicate with one another (including DNS resolution).
Are you saying there's no way to do this on a FortiGate without changing the subnet mask? For such a feature-filled device, I find that hard to believe, but I guess I'll see what other people come back with.
Kind regards,
Stuart Mitchell
What DNS server IPs are you handing out over DHCP? A public one, like 8.8.8.8, or an internal one somewhere inside of your network? In either case, as long as the client machine has reachability to the DNS server, it should work fine.
Hi Toshi,
The FortiWiFi system DNS is set to 8.8.8.8
The LAN DHCP is set to Interface IP for DNS server (10.0.0.1)
The WiFi DHCP is set to Interface IP for DNS server (192.168.0.1)
Under DNS Server, I've configured both interfaces (LAN & WiFi) to be Recursive
Should I be changing my WiFi DHCP to give out 10.0.0.1 as the DNS server?
Thanks in advance,
Stuart Mitchell
What is your DNS server? The Fortigate or another unit?
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
The FortiGate, though not sure if I've set it up properly, hence why I'm here :)
Again, we don't have a corporate domain here with any servers, just a simple office environment.
Kind regards,
Stuart Mitchell
I'm actually not sure how the "Same as Interface IP" option would work. But if you want to let all devices use 8.8.8.8 as DNS, you should set "Same as System DNS". Then make sure each device can ping 8.8.8.8.
And I don't see any necessity for you to make your FortiGate a DNS server.
@Toshi
So you're saying if I set all our internal subnets' DNS to 8.8.8.8, devices on one subnet will be able to resolve hostnames on a separate local subnet?
How would that work?
Just to reiterate, we have two local subnets... Our LAN subnet of 10.0.0.0/24, and our WiFi (on a different interface) on 192.168.0.0/24. Currently, I've got routing configured correctly, so I can access either subnet from either subnet, but from either side, I cannot resolve hostnames on the other side (10.0.0.0/24 hosts cannot resolve hostnames on the 192.168.0.0/24 subnet, and vice versa).