Support Forum
Stuart_Mitchell
New Contributor

Internal DNS Multiple Subnets

Hi guys!

 

On our FortiWiFi unit, we're having trouble getting DNS resolving across two internal subnets. Internet works fine on the WiFi and the LAN, and we can access the LAN subnet from the WiFi and vice versa, but cannot resolve DNS.

 

I've tried searching through the Cookbook, watching videos, but can't find any clear guide as to how to set this up.

 

Our FortiWiFi is running firmware v5.6.2, and I've already enabled DNS Server from the Features.

 

Port1 (LAN) = 10.0.0.1/24
WiFi = 192.168.0.1/24

We're not running a corporate domain in our office, and have no on-prem servers (only small, no need). I've tried setting up the DNS Server a few different ways, but cannot get this to work. I know I can add entries in there manually, but that won't be practical to manage, as IP addresses and Hostnames will change. Can someone please assist?

Kind regards,

Stuart Mitchell

1 Solution
rwpatterson
Valued Contributor III

OK, I believe there are two issues at play here.

1) Name resolution

2) DNS resolution

 

The reason people feel they are resolving names on the local subnet is due to Windows or other servers ability to resolve names on the local LAN via NetBIOS. The result is the same though the mechanism is far different. Though the DNS is set up correctly, as posted above, the Fortigate needs to be set up as a DNS server, either master (primary) or slave (secondary) and have access to a valid table with all local entries of all subnets installed within. If there is no table, the Fortigate has no information about any local hosts.

 

So back to the issue...inability to resolve hosts on a different subnet. Skip adding 'Same as system DNS' because Google has zero knowledge of your server situation. You need to run a local DNS server, either on the Fortigate or on Windows, or BIND. (or any appliance that's capable) Personally on my network, I run my primary DNS server on a Windows server, but hosts use my two NAS servers as their DNS servers. They are secondary servers retrieving their zone data from the primary Windows server. I make one zone change and it gets propagated through to both secondary boxes and the Windows box isn't too heavily taxed.

 

That being said, what is your primary DNS server?

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

17 Replies
Toshi_Esumi
Esteemed Contributor III

DNS servers on the internet manage only names bound to publicly authorized domains, and resolve those names to public IP addresses. They never resolve to a private IP. Local devices can talk to each other with their private IPs through Layer 3 devices (routers), in your case your FortiGate.

Stuart_Mitchell

I'm not sure you understand what I'm trying to achieve. This has nothing to do with external DNS, we're just trying to resolve local hostnames across two different local subnets, which are configured on two different interfaces of the same FortiGate.

 

== Office FortiGate ==
Port1 - 10.0.0.1/24
WiFi Interface - 192.168.0.1/24
WAN - Irrelevant

Routing works fine, so devices on our LAN (10.0.0.0/24) can talk to devices on the WiFi (192.168.0.0/24) and vice versa. All devices on the WiFi (192.168.0.0/24) can resolve each others' hostnames, and all devices on the LAN (10.0.0.0/24) can resolve each others' hostnames.

 

THE ISSUE is that devices on the LAN (10.0.0.0/24) cannot resolve the hostnames of devices on the WiFi (192.168.0.0/24), nor can devices on the WiFi (192.168.0.0/24) resolve hostnames of devices on the LAN (10.0.0.0/24).

tanr
Valued Contributor II

I have a somewhat similar setup (though WiFi is through FortiAP) and am using the FortiGate (5.4.5) to provide some simple local DNS, which works fine.  If you were to set yours up in the way I have mine, it would be something like:

 

1. Port1 interface (LAN1, 10.0.0.1) specifies DNS as "Same as Interface IP"
2. Whatever interface the WiFi is on (192.168.0.1) also specifies DNS "Same as Interface IP".
3. Under Network > DNS specify 8.8.8.8 or whatever public DNS server you want
4. Under Network > DNS Servers > DNS Service on Interface add dns servers for both interfaces, set as Recursive
5. Under Network > DNS Servers > DNS Database create your needed DNS Zone elements, of type Master, specifying base domain names, and listing out (possibly multiple) A records to map URLs to your local IPs.

    For example, my own setup has a DNS zone something like:

    Type: Master
    View: Shadow
    DNS Zone: flubber.com
    Domain Name: flubber.com
    Hostname of Primary Master: flubber-dns
    Contact Email Address: admin@flubber.com
    TTL: 86400
    Authoritative: Disable

    --- DNS Entries ---
    Type    Details
    A       mmm.flubber.com -> IP.IP.IP.IP
    A       auth.local.flubber.com -> IP.IP.IP.IP

     

    I can use a web browser from one subnet to browse to mmm.flubber.com in a different subnet successfully.

     

    A question. How are you determining that the names aren't being resolved from the other subnets? Does ipconfig show the correct Fortigate DNS IP on those clients? Is it possible you're simply getting blocked by security policies between the subnets? What does tracert from one subnet to a url on another subnet show? I ask because I blocked myself this way the first time I set up the dns.
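The five GUI steps above, written out as one FortiOS CLI configuration. This is an added example, not tanr's own config and not Fortinet documentation. It assumes the original poster's addressing (port1 at 10.0.0.1/24 and a WiFi interface assumed to be named "wifi" at 192.168.0.1/24), the zone name flubber.com from the post, made-up host addresses 10.0.0.50 and 192.168.0.50, and that DHCP servers already exist for both interfaces as IDs 1 and 2 (only their DNS-related settings are shown). The DNS service is enabled only on the two internal interfaces, never on the WAN interface, so the FortiGate does not become an open recursive resolver reachable from the Internet.

```fortios
# Added example, not from the thread. Assumed: interface name "wifi",
# DHCP server IDs 1 and 2, host IPs 10.0.0.50 and 192.168.0.50.

# Step 3: upstream resolver used for anything outside the local zone.
config system dns
    set primary 8.8.8.8
end

# Step 4: DNS service listening on the two INTERNAL interfaces only.
# Do not add the WAN interface here; a recursive listener on WAN is
# an open resolver that anyone on the Internet can use and abuse.
config system dns-server
    edit "port1"
        set mode recursive
    next
    edit "wifi"
        set mode recursive
    next
end

# Step 5: one master zone holding A records for hosts on BOTH subnets,
# so a query arriving on either interface finds the other subnet's hosts.
# "shadow" view: the zone answers internal queries only.
config system dns-database
    edit "flubber.com"
        set domain "flubber.com"
        set type master
        set view shadow
        set ttl 86400
        set authoritative disable
        set primary-name "flubber-dns"
        set contact "admin@flubber.com"
        config dns-entry
            edit 1
                set type A
                set hostname "mmm"
                set ip 10.0.0.50
            next
            edit 2
                set type A
                set hostname "auth"
                set ip 192.168.0.50
            next
        end
    next
end

# Steps 1 and 2: hand clients the interface IP as their DNS server
# ("Same as Interface IP") and the zone as their search suffix, so bare
# hostnames are resolved through DNS and not only through NetBIOS
# broadcasts, which never cross the router between the subnets.
config system dhcp server
    edit 1
        set interface "port1"
        set dns-service local
        set domain "flubber.com"
    next
    edit 2
        set interface "wifi"
        set dns-service local
        set domain "flubber.com"
    next
end
```

To check it, query each interface IP directly rather than trusting the client's default resolver: from a LAN host run nslookup mmm.flubber.com 10.0.0.1 and nslookup auth.flubber.com 10.0.0.1, and from a WiFi host the same against 192.168.0.1. If both answer but a bare hostname still fails on the client, the client either is not using the FortiGate as its resolver (check ipconfig /all or resolv.conf) or has no search suffix, which is the case where names "work" on the local segment only because of NetBIOS.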

    boma23
    New Contributor

    Digging up an old thread. I have identical issue to OP. 2 different VLANs and internal subnets, which have routing between them.

    Both have DNS server run from the Fortigate interface IP, although have specified the DNS server in DHCP to match the gateway, to be sure.

    I can resolve local DNS in each VLAN, and ping between them, but not resolve addresses in one subnet from the other.  Entering the IP in a browser takes me to the page hosted on the opposing VLAN/subnet, but entering the A record address name does not.  Clients are picking up the correct DNS server for the VLAN / subnet they have joined.

     

    My DNS in each is setup identically to various other VLANs, which all work perfectly.

     

    Worth noting the WiFi is handled by UniFi L2 switches, with the Forti as our L3 router/Firewall. To add, I have also tried setting DNS server of the second routed VLAN for the clients, but this doesn't work either.

    André_K
    New Contributor II

    same issue here, I even tried to make a new post about it.. https://forum.fortinet.com/tm.aspx?m=199385

    Is it really impossible?  - there must be lots of people experiencing this...

    André_K

    @rwpatterson

    Thank you.

    The FG does not have any significant DNS config:

     

    my workstation has no better luck with 192.168.1.1 (FG) added as DNS source

     

     

    I could easily install BIND DNS on a server in this subnet - if that would help.. but will the RPI from another subnet register itself on that?

     

    rwpatterson
    Valued Contributor III

    Go to "System>Feature Visibility" and add "DNS Database". Under "DNS", "DNS Servers" should appear. Once that's added, add a host and check to see if resolution works. When it does, add the rest.

    Bob - self proclaimed posting junkie!
    See my Fortigate related scripts at: http://fortigate.camerabob.com

    Bob - self proclaimed posting junkie!See my Fortigate related scripts at: http://fortigate.camerabob.com