Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
SecurityPlus
Contributor II

VLAN DNS

Network with a FortiGate 60F running 6.4.4. with FortiSwitch 224E.

 

Created a VLAN 20. Was able to browse the internet but could not access a file server on the default LAN not part of a VLAN. Pinging by IP address worked fine but I could not ping via hostname. Appeared to be a DNS issue.

 

I found that if I set the VLAN DNS Server to Specify and listed the IP addresses of the Windows Server DNS servers, that the DNS issue was resolved.

 

Should it be necessary in this situation to set the DNS Server to Specify and list the IP addresses of the local DNS or do I have a setting wrong under Network / DNS or elsewhere?

1 Solution
sw2090

You need to also specify a dns for the FGT itself because it is needed for the FGT to be able to connect to the Fortiguard servers for getting License statuses and definition updates or check ratings.

 

Traffic from Clients will not be using the FGT system DNS unless you distribute these via dhcp. Even setting a dns forwarder would require the client to use the FGT interface ip as DNS Server.

 

So if you want to be able to resolve your hostnames from out of the vlan you need to make sure the clients can access a dns that can resolve these and that the clients use this dns!

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

View solution in original post

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
4 REPLIES 4
lobstercreed
Valued Contributor

If you don't specify the DNS server it's using FortiGuard DNS, right?  Which obviously does not know about your local file server.

 

If I'm understanding the full situation, the issue is really that you need to specify the DNS server on your DHCP server settings for VLAN 20.  Then you wouldn't have to specify local DNS for the FortiGate itself, but by default the FortiGate hands itself out as DNS for DHCP clients, so....

SecurityPlus

Thanks lobstercreed. I did specify the DNS server IP addresses on your DHCP server settings for VLAN 20. Maybe something else that I overlooked?

sw2090

You need to also specify a dns for the FGT itself because it is needed for the FGT to be able to connect to the Fortiguard servers for getting License statuses and definition updates or check ratings.

 

Traffic from Clients will not be using the FGT system DNS unless you distribute these via dhcp. Even setting a dns forwarder would require the client to use the FGT interface ip as DNS Server.

 

So if you want to be able to resolve your hostnames from out of the vlan you need to make sure the clients can access a dns that can resolve these and that the clients use this dns!

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
SecurityPlus

Thanks sw2090. I will recheck the settings and configuration.

Labels
Top Kudoed Authors