Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
André_K
New Contributor

local DNS across subnets? - how can I make FG share all known .local addresses?

My internal network is 192.168.1.x, with FG being a DHCP/DNS server. It has a Linux device registering as pi4.local - all fine - I can ping/resolve pi4.local.

 

Then there is a PoE LAN, 192.168.2.x - this too provides DHCP/DNS - except if a pi3.local registers there, then I cannot ping pi3.local from the internal net. (Rules allow full access.)

 

The problem is that local DNS lookup for "internal" does not include devices registered in the other network.

 

How can I make FG's DNS provide all *.local addresses - across networks?

 

7 REPLIES
André_K
New Contributor

I did this:

 

 

André_K

and then this:

 

I think it looks good, but I must have forgotten something, as pinging lys.local still does not work (yes, pinging IP does)

rwpatterson
Valued Contributor III

You need to manually add the host-IP relations in the table at the bottom. I don't believe the 40gate will automatically populate the entries. Please correct me if I am wrong there.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

André_K

I did, please see the second post (could only post one screenshot at a time) 

rwpatterson
Valued Contributor III

Change the option to recursive. Forwarding to system DNS will use the outside DNS servers and won't fulfill your goal.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

André_K

Hmm, close, but no cigar. It does not seem to work. My ethernet connection uses FG as primary DNS server, yet it fails to get lys.local resolved.

 

The "..leaked.." text makes me wonder if there could be some sort of feature that blocks the request from leaving my PC:

 

$ dig lys.local

; <<>> DiG 9.16.15-Ubuntu <<>> lys.local
;; global options: +cmd
;; Got answer:
;; WARNING: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 36405
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;lys.local. IN A

;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: ti. okt. 19 21:33:01 CEST 2021
;; MSG SIZE rcvd: 38

forcing the query to FG works:

dig lys.local @192.168.1.1

; <<>> DiG 9.16.15-Ubuntu <<>> lys.local @192.168.1.1
;; global options: +cmd
;; Got answer:
;; WARNING: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65282
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;lys.local. IN A

;; ANSWER SECTION:
lys.local. 86400 IN A 192.168.2.1

;; Query time: 0 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: ti. okt. 19 21:39:31 CEST 2021
;; MSG SIZE rcvd: 43


rwpatterson
Valued Contributor III

Looking at your output above, your queries are being handled by the localhost DNS server. Edit the OS to use the Fortigate for DNS queries instead.

 

;; SERVER: 127.0.0.53#53(127.0.0.53)

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
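The two dig captures in this thread differ in exactly the fields that matter: which server answered (127.0.0.53, the systemd-resolved stub listener on Ubuntu, versus the FortiGate at 192.168.1.1), the status (SERVFAIL versus NOERROR), and whether an A record came back. The following is an added example, not code from any of the posters or from Fortinet: a small Python parser that pulls those fields out of dig's text output and states whether a .local name was answered by the local stub or by the gateway. The two sample captures embedded in it are reconstructed from the outputs quoted above; the function names parse_dig and diagnose are this example's own.

```python
"""Tell a local stub-resolver reply apart from a direct gateway reply in `dig` output.

Added example for the thread above (not the posters' or Fortinet's code).
It parses the text that `dig` prints and reports which server answered,
the response status, whether dig warned that .local is reserved for mDNS,
and any A records in the ANSWER SECTION.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class DigResult:
    server: Optional[str] = None          # e.g. "127.0.0.53"
    status: Optional[str] = None          # e.g. "NOERROR", "SERVFAIL"
    mdns_warning: bool = False            # dig warned that .local is reserved for mDNS
    answers: List[Tuple[str, str]] = field(default_factory=list)  # (name, address)

    @property
    def answered_by_local_stub(self) -> bool:
        """True when the reply came from a loopback resolver (127.x or ::1)."""
        return self.server is not None and (
            self.server.startswith("127.") or self.server == "::1"
        )


_HEADER = re.compile(r"->>HEADER<<-.*?status:\s*(\w+)")
_SERVER = re.compile(r";; SERVER:\s*([^#\s]+)#\d+")
_ANSWER = re.compile(r"^(\S+)\s+\d+\s+IN\s+A\s+(\S+)$")


def parse_dig(output: str) -> DigResult:
    """Extract server, status, mDNS warning and A records from dig's output."""
    result = DigResult()
    in_answer = False
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            in_answer = False          # dig separates sections with blank lines
            continue
        if ".local is reserved for Multicast DNS" in line:
            result.mdns_warning = True
        m = _HEADER.search(line)
        if m:
            result.status = m.group(1)
        m = _SERVER.search(line)
        if m:
            result.server = m.group(1)
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if line.startswith(";"):       # comments, question section, other headers
            continue
        if in_answer:
            m = _ANSWER.match(line)
            if m:
                result.answers.append((m.group(1).rstrip("."), m.group(2)))
    return result


def diagnose(result: DigResult) -> str:
    """One-line reading of a parsed capture for a troubleshooting note."""
    if result.answers:
        records = ", ".join(f"{name} -> {addr}" for name, addr in result.answers)
        return f"resolved by {result.server}: {records}"
    if result.answered_by_local_stub and result.mdns_warning:
        return (f"no answer from local stub {result.server} (status {result.status}); "
                "the OS resolver treated .local as mDNS instead of forwarding it")
    return f"no answer from {result.server} (status {result.status})"


# Sample captures reconstructed from the thread (constructed test input).
STUB_CAPTURE = """\
; <<>> DiG 9.16.15-Ubuntu <<>> lys.local
;; global options: +cmd
;; Got answer:
;; WARNING: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 36405
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;lys.local.\t\t\tIN\tA

;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
"""

DIRECT_CAPTURE = """\
; <<>> DiG 9.16.15-Ubuntu <<>> lys.local @192.168.1.1
;; WARNING: .local is reserved for Multicast DNS
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65282
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;lys.local.\t\t\tIN\tA

;; ANSWER SECTION:
lys.local.\t\t86400\tIN\tA\t192.168.2.1

;; Query time: 0 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
"""

if __name__ == "__main__":
    for label, capture in (("system resolver", STUB_CAPTURE), ("gateway", DIRECT_CAPTURE)):
        print(f"{label}: {diagnose(parse_dig(capture))}")
```

Run it as-is to see both captures classified, or pipe a live `dig` run into parse_dig; the answered_by_local_stub flag is the quick check that a query never left the host, which is the condition the SERVER line in the last reply points at.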