Support Forum
Not applicable

dns translation problem

Hi, I have a FortiGate 310 configured with an internal interface (port1), an external interface (port10) and a DMZ interface (port2). I want my web server on the DMZ network to be accessible from the outside network via NAT. I created a virtual IP as follows:

    edit "web-outside"
        set extip 192.168.1.4
        set extintf "port10"
        set mappedip 10.7.1.4

I also configured a DNS translation as follows:

    edit 1
        set dst 192.168.1.4
        set netmask 255.255.255.255
        set src 10.7.1.4

When a user from the outside network asks for the name of my web site, the DNS server on the DMZ network translates the internal address 10.7.1.4 to the mapped address 192.168.1.4. That is OK. But when a user from the internal network asks for the name of my web site, the DNS server should reply with the actual IP of the web server, that is 10.7.1.4. The problem is that the DNS is always replying with the virtual address (192.168.1.4) when the query comes from the internal network. Please, I would appreciate any help. Thanks in advance.
ede_pfau
SuperUser

Hi, and welcome to the forums. This behavior is by design. For the DNS in the DMZ, both queries - from the internet and from the internal LAN - come from "outside". The DNS translation feature grabs DNS replies which go to the "outside" but it cannot distinguish between different "outside" interfaces. Both are.

One solution is to change the design of your network. Move the DNS into your internal LAN. DNS queries from the internal LAN will not be altered, queries from WAN will be translated. The DNS translation feature is built for this scenario, and only this one.

A different approach would be split DNS, with a (full) DNS inside and a (slim) DNS in the DMZ. Internal users use the internal DNS, WWW uses the DMZ DNS. This layout is nice because you can put only those few DNS entries on the DMZ DNS which need to be seen worldwide, i.e. the DMZ server names.
Ede Kernel panic: Aiee, killing interrupt handler!
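To make the behaviour in the answer above concrete, here is an added example (not FortiGate code, and not from the poster) that does two things: it rewrites A records in a real DNS reply the way the thread's dns-translation rule describes (resolved 10.7.1.4 becomes 192.168.1.4), and it models, as an assumption drawn from the answer, that the rewrite hits every reply leaving the DNS server's interface for any other interface. The DNS reply is a constructed sample; the interface names are the ones from the question.

```python
"""
Simplified model of how a DNS translation rule rewrites A records in DNS
replies, and why a DNS server in the DMZ sees internal and WAN clients alike.
This is an added illustration, not FortiGate code; the interface logic in
reply_seen_by_client() is an assumption modelled on the forum answer.
"""
import ipaddress
import struct

# The translation rule from the thread: resolved 10.7.1.4 -> 192.168.1.4
RULE = {"src": "10.7.1.4", "dst": "192.168.1.4", "netmask": "255.255.255.255"}


def build_dns_reply(name: str, ip: str, txid: int = 0x1234) -> bytes:
    """Construct a minimal DNS response (one question, one A record) as a sample input."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # flags: response, RD, RA
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split(".")) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)               # QTYPE A, QCLASS IN
    # Answer name is a compression pointer to offset 12 (the question name)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(ip).packed
    return header + question + answer


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a DNS name (labels or a compression pointer)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # two-byte pointer ends the name
            return off + 2
        off += 1 + length


def translate_a_records(msg: bytes, src: str, dst: str, netmask: str) -> tuple[bytes, int]:
    """Rewrite every A record whose address falls in src/netmask into the dst range.

    Returns the rewritten message and the number of records changed. Host bits are
    preserved so that a subnet-wide rule maps 10.7.1.x to 192.168.1.x (an assumption
    for netmasks shorter than /32; the thread only uses /32).
    """
    src_net = ipaddress.IPv4Network(f"{src}/{netmask}", strict=False)
    dst_net = ipaddress.IPv4Network(f"{dst}/{netmask}", strict=False)
    out = bytearray(msg)
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4           # skip QTYPE + QCLASS
    changed = 0
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addr = ipaddress.IPv4Address(msg[off:off + 4])
            if addr in src_net:
                host_bits = int(addr) - int(src_net.network_address)
                new_addr = ipaddress.IPv4Address(int(dst_net.network_address) + host_bits)
                out[off:off + 4] = new_addr.packed
                changed += 1
        off += rdlen
    return bytes(out), changed


def first_a_record(msg: bytes) -> str:
    """Dotted address of the first A record in a reply (helper for the scenarios)."""
    qdcount, = struct.unpack("!H", msg[4:6])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4
    off = _skip_name(msg, off) + 10
    return str(ipaddress.IPv4Address(msg[off:off + 4]))


def reply_seen_by_client(dns_iface: str, client_iface: str, reply: bytes) -> bytes:
    """Model of the behaviour described in the answer (assumption): the firewall rewrites
    replies that leave the DNS server's interface for any other interface, without
    distinguishing which of those other interfaces is 'the' outside."""
    if client_iface != dns_iface:
        reply, _ = translate_a_records(reply, **RULE)
    return reply


def resolved_address(dns_iface: str, client_iface: str) -> str:
    """What a client on client_iface sees for the web server's name."""
    raw = build_dns_reply("www.example.com", "10.7.1.4")   # DMZ server's real address
    return first_a_record(reply_seen_by_client(dns_iface, client_iface, raw))


if __name__ == "__main__":
    for dns_if in ("port2", "port1"):             # DNS in DMZ vs. moved to the internal LAN
        for client_if in ("port1", "port10"):      # internal client vs. internet client
            print(f"DNS on {dns_if}, client on {client_if}: {resolved_address(dns_if, client_if)}")
```

Running it reproduces the thread: with the DNS on port2 (DMZ), both port1 and port10 clients get 192.168.1.4; with the DNS on port1 (internal LAN), the port1 client gets 10.7.1.4 and only the port10 client gets the translated address. The split-DNS alternative from the answer simply removes the rule from the internal path altogether, since internal clients never query the DMZ server.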
Not applicable

Thanks Ede. I'm migrating from a Cisco PIX 515 to a FortiGate 310. I really thought that the FortiGate would have the same characteristics as the PIX with regard to DNS translation. Ultimately the solution comes down to having two DNS servers, one for queries from the external network and one for queries from the internal network. Grateful for your help, regards.