Hi guys!
On our FortiWiFi unit, we're having trouble getting DNS resolving across two internal subnets. Internet works fine on the WiFi and the LAN, and we can access the LAN subnet from the WiFi and vice versa, but cannot resolve DNS.
I've tried searching through the Cookbook, watching videos, but can't find any clear guide as to how to set this up.
Our FortiWiFi is running firmware v5.6.2, and I've already enabled DNS Server from the Features.
Port1 (LAN) = 10.0.0.1/24
WiFi = 192.168.0.1/24
We're not running a corporate domain in our office, and have no on-prem servers (only small, no need). I've tried setting up the DNS Server a few different ways, but cannot get this to work. I know I can add entries in there manually, but that won't be practical to manage, as IP addresses and hostnames will change. Can someone please assist?
Kind regards,
Stuart Mitchell
OK, I believe there are two issues at play here.
1) Name resolution
2) DNS resolution
The reason people feel they are resolving names on the local subnet is due to Windows or other servers ability to resolve names on the local LAN via NetBIOS. The result is the same though the mechanism is far different. Though the DNS is set up correctly, as posted above, the Fortigate needs to be set up as a DNS server, either master (primary) or slave (secondary) and have access to a valid table with all local entries of all subnets installed within. If there is no table, the Fortigate has no information about any local hosts.
So back to the issue...inability to resolve hosts on a different subnet. Skip adding 'Same as system DNS' because Google has zero knowledge of your server situation. You need to run a local DNS server, either on the Fortigate or on Windows, or BIND. (or any appliance that's capable) Personally on my network, I run my primary DNS server on a Windows server, but hosts use my two NAS servers as their DNS servers. They are secondary servers retrieving their zone data from the primary Windows server. I make one zone change and it gets propagated through to both secondary boxes and the Windows box isn't too heavily taxed.
That being said, what is your primary DNS server?
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
DNS servers on the internet manage only names bound to publicly authorized domains, and resolve those names to public IP addresses. They never resolve to a private IP. Local devices can talk to each other with their private IPs through Layer 3 devices (routers), in your case your FortiGate.
I'm not sure you understand what I'm trying to achieve. This has nothing to do with external DNS, we're just trying to resolve local hostnames across two different local subnets, which are configured on two different interfaces of the same FortiGate.
== Office FortiGate ==
Port1 - 10.0.0.1/24
WiFi Interface - 192.168.0.1/24
WAN - Irrelevant
Routing works fine, so devices on our LAN (10.0.0.0/24) can talk to devices on the WiFi (192.168.0.0/24) and vice versa. All devices on the WiFi (192.168.0.0/24) can resolve each other's hostnames, and all devices on the LAN (10.0.0.0/24) can resolve each other's hostnames.
THE ISSUE is that devices on the LAN (10.0.0.0/24) cannot resolve the hostnames of devices on the WiFi (192.168.0.0/24), nor can devices on the WiFi (192.168.0.0/24) resolve hostnames of devices on the LAN (10.0.0.0/24).
I have a somewhat similar setup (though WiFi is through FortiAP) and am using the FortiGate (5.4.5) to provide some simple local DNS, which works fine. If you were to set yours up in the way I have mine, it would be something like:
For example, my own setup has a DNS zone something like:
Type: Master
View: Shadow
DNS Zone: flubber.com
Domain Name: flubber.com
Hostname of Primary Master: flubber-dns
Contact Email Address: admin@flubber.com
TTL: 86400
Authoritative: Disable
--- DNS Entries ---
Type Details
A mmm.flubber.com -> IP.IP.IP.IP
A auth.local.flubber.com -> IP.IP.IP.IP
I can use a web browser from one subnet to browse to mmm.flubber.com in a different subnet successfully.
A question. How are you determining that the names aren't being resolved from the other subnets? Does ipconfig show the correct FortiGate DNS IP on those clients? Is it possible you're simply getting blocked by security policies between the subnets? What does tracert from one subnet to a URL on another subnet show? I ask because I blocked myself this way the first time I set up the DNS.
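The zone described in the answer above, written out as FortiOS CLI so it can be checked line by line. This is an added example and not configuration posted by anyone in this thread: the zone name office.lan, the host names fileserver and printer, their addresses, the DHCP ranges and the interface name "wifi" are assumptions; the two subnets are the ones the original poster gave (10.0.0.0/24 on port1, 192.168.0.0/24 on the WiFi interface). The point it demonstrates is that one zone must hold the A records for hosts on both subnets, and the DNS service must listen on both interfaces, otherwise clients on one side only ever learn names from NetBIOS/mDNS on their own segment.

```fortios
# Added example, not from this thread. Zone name, host names, host IPs,
# DHCP ranges and the "wifi" interface name are assumptions.

# 1. One local zone holding hosts from BOTH subnets.
config system dns-database
    edit "office"
        set domain "office.lan"
        set type master
        set view shadow            # answer internal clients only, never the WAN
        set ttl 86400
        set authoritative disable  # names not in the zone are forwarded upstream
        set primary-name "fgt"
        set contact "hostmaster"
        config dns-entry
            edit 1
                set hostname "fileserver"   # sits on the LAN side (port1)
                set ip 10.0.0.20
            next
            edit 2
                set hostname "printer"      # sits on the WiFi side
                set ip 192.168.0.50
            next
        end
    next
end

# 2. The DNS service must listen on every interface clients sit behind.
#    "recursive" serves the local zone first and forwards everything else
#    to the system DNS servers (e.g. Google), which know nothing about
#    office.lan.
config system dns-server
    edit "port1"
        set mode recursive
    next
    edit "wifi"
        set mode recursive
    next
end

# 3. Hand clients the interface IP as their resolver ("local"), not the
#    upstream servers ("default"), and push the search domain so that
#    "ping printer" expands to printer.office.lan.
config system dhcp server
    edit 1
        set interface "port1"
        set default-gateway 10.0.0.1
        set netmask 255.255.255.0
        set dns-service local
        set domain "office.lan"
        config ip-range
            edit 1
                set start-ip 10.0.0.100
                set end-ip 10.0.0.200
            next
        end
    next
    edit 2
        set interface "wifi"
        set default-gateway 192.168.0.1
        set netmask 255.255.255.0
        set dns-service local
        set domain "office.lan"
        config ip-range
            edit 1
                set start-ip 192.168.0.100
                set end-ip 192.168.0.200
            next
        end
    next
end

# 4. Check: while a LAN client runs  nslookup printer.office.lan 10.0.0.1
#    and a WiFi client runs  nslookup fileserver.office.lan 192.168.0.1,
#    confirm the queries reach the FortiGate and get an answer back.
diagnose sniffer packet any 'udp port 53' 4 10
```

If the query shows up in the sniffer but the client gets no answer, the DNS database or the per-interface listener is the problem; if the name resolves but the host is still unreachable, the name is fine and it is the port1-to-wifi firewall policy (the case the answer above warns about) that needs checking.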
Digging up an old thread. I have an identical issue to the OP. 2 different VLANs and internal subnets, which have routing between them.
Both have DNS server run from the Fortigate interface IP, although have specified the DNS server in DHCP to match the gateway, to be sure.
I can resolve local DNS in each VLAN, and ping between them, but not resolve addresses in one subnet from the other. Entering the IP in a browser takes me to the page hosted on the opposing VLAN/subnet, but entering the A record address name does not. Clients are picking up the correct DNS server for the VLAN / subnet they have joined.
My DNS in each is setup identically to various other VLANs, which all work perfectly.
Worth noting the WiFi is handled by UniFi L2 switches, with the Forti as our L3 router/firewall. To add, I have also tried setting the DNS server of the second routed VLAN for the clients, but this doesn't work either.
Same issue here, I even tried to make a new post about it: https://forum.fortinet.com/tm.aspx?m=199385
Is it really impossible? - there must be lots of people experiencing this...
@rwpatterson
Thank you.
The FG does not have any significant DNS config:
My workstation has no better luck with 192.168.1.1 (FG) added as DNS source.
I could easily install BIND DNS on a server in this subnet, if that would help. But will the RPi from another subnet register itself on that?
Go to "System>Feature Visibility" and add "DNS Database". Under "DNS", "DNS Servers" should appear. Once that's added, add a host and check to see if resolution works. When it does, add the rest.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com