I have configured a public IP to access a server in my LAN (VIP mapping to an internal server), and it's working fine: from my home I can access the server through the internet by the public IP. Now I want to access that same public IP by a hostname (DNS); how do I achieve that?
In the LAN there are DNS servers (BIND, split-horizon with internal_IPS/public_IPS views) which, when used by the previous firewalls, did those resolutions fine, but when used with a FortiGate FG100F, v7.2.8, in "Network" -> "DNS" -> "DNS servers" -> "Specify", they just do internal resolution, including towards the internet(!). What I mean: from the internet the hostnames are resolved to the internal_IPS zones of the BIND servers.
I know this must be a super simple question, but I only find information about setting internal DNS for internal queries in a LAN. I followed the "technical tip" https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configure-FQDN-based-VIPs-from-GUI/ta-p/19... but to no avail; I just ended up with an "unresolved FQDN" citing an FQDN that in the previous solution (BIND doing its job) worked well.
I don't mind retiring those BINDs; I just need to know how to do that name resolution.
You could add a recursive DNS forwarder to the interface (DNS Service on Interface),
then create a DNS Zone and add an A record for your server. DNS queries coming in on the interface will then be checked by the FGT, and it will resolve the FQDN from the zone. Other DNS queries that do not match that zone will be forwarded.
Of course, that would require your clients to use the FGT as their DNS server.
You could also retire BIND with that, but then you would have to migrate the zones to your FGT.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
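As an added worked example (not from the original thread and not Fortinet's own documentation), here is the CLI equivalent of the GUI steps in the answer above: a primary DNS zone holding the A record for the published server, and the DNS service enabled on the interface that receives the queries. The interface name `wan1`, the zone `example.com`, the host label `server` and the address 203.0.113.10 are assumptions chosen for the example. One caveat worth weighing before copying it: on an internet-facing interface use `non-recursive` mode, so the FortiGate answers only for the zones it holds and does not become an open resolver that can be abused for DNS reflection/amplification; `recursive` mode belongs on the LAN-facing interface where internal clients send their queries.

```fortios
# Added example config, not from the original post.
# Assumptions: zone "example.com", host "server", VIP address 203.0.113.10,
# queries arriving on interface "wan1".

config system dns-database
    edit "example.com"
        set domain "example.com"
        set type primary
        set view public
        set ttl 86400
        set authoritative enable
        config dns-entry
            edit 1
                set type A
                set hostname "server"
                set ip 203.0.113.10
            next
        end
    next
end

# DNS service on the interface that receives the queries.
# "non-recursive": answer only from the local zones, never resolve
# arbitrary names on behalf of internet hosts (avoids an open resolver).
config system dns-server
    edit "wan1"
        set mode non-recursive
    next
end
```

After applying it, check from a host outside the LAN with `dig @<public-ip> server.example.com A` and confirm that the answer is the VIP address, and that a query for an unrelated name (for example `dig @<public-ip> www.example.net`) is refused rather than resolved. A firewall policy or local-in policy must still allow UDP/TCP 53 to that interface; that part is not shown here.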
Thank you for your input. The interface in "DNS Service on Interface" should be the internet-facing one, right? That DNS Zone would be of what "type" and "view"? Should it be "primary" and "public"?
Got it working with a new primary/shadow DNS Zone; I guess this is the way, right?
Now I'll see how to configure the usual internal DNS...
Thank you!
Since it is a public IP (at least if it's also a static one) and you happen to have a domain, you could create a DNS entry at your provider for it. That would be publicly resolvable worldwide then ;)
Created on 08-22-2024 04:19 AM Edited on 08-22-2024 04:20 AM
Is there some way I could use my BIND servers and let them do their split-horizon job?
The DNS forwarder must be on the interface your clients are connected to.
The zone would be primary.
If you still want to use your BIND, then either create a recursive forwarder without a zone but with the BIND server(s) as resolver, or use the BINDs as the FortiGate's system DNS and then just forward to system DNS.
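As an added example (not from the original thread), the CLI for the second option in the reply above: the BIND servers become the FortiGate's system DNS, and the DNS service on the LAN interface forwards to them, so the existing split-horizon views keep answering internal clients. The interface name `internal` and the BIND addresses 192.0.2.53 and 192.0.2.54 are assumptions for the example.

```fortios
# Added example config, not from the original post.
# Assumptions: BIND servers at 192.0.2.53 / 192.0.2.54,
# internal clients attached to interface "internal".

# The FortiGate itself resolves through the BIND servers.
config system dns
    set primary 192.0.2.53
    set secondary 192.0.2.54
end

# The DNS service on the LAN interface does no local lookups of its own;
# it hands every query to the system DNS (the BIND servers above), so
# the BIND internal view continues to answer LAN clients.
config system dns-server
    edit "internal"
        set mode forward-only
    next
end
```

This keeps BIND as the source of truth for both views: internal clients point at the FortiGate (or directly at BIND) and get the internal_IPS answers, while the public view is reached from the internet through whatever serves the zone externally. Do not enable this forwarding service on the internet-facing interface, since it would relay arbitrary queries from anyone to your BIND servers.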
Copyright 2024 Fortinet, Inc. All Rights Reserved.