Internal DNS Multiple Subnets

Stuart Mitchell
2017/10/29 22:24:44

Hi guys!
 
On our FortiWiFi unit, we're having trouble getting DNS resolving across two internal subnets. Internet works fine on the WiFi and the LAN, and we can access the LAN subnet from the WiFi and vice versa, but cannot resolve DNS.
 
I've tried searching through the Cookbook, watching videos, but can't find any clear guide as to how to set this up.
 
Our FortiWiFi is running firmware v5.6.2, and I've already enabled DNS Server from the Features.
 
Port1 (LAN) = 10.0.0.1/24
WiFi = 192.168.0.1/24

We're not running a corporate domain in our office, and have no on-prem servers (only small, no need).

I've tried setting up the DNS Server a few different ways, but cannot get this to work. I know I can add entries in there manually, but that won't be practical to manage, as IP addresses and Hostnames will change.

Can someone please assist?

Kind regards,
Stuart Mitchell
#1
MikePruett
Re: Internal DNS Multiple Subnets 2017/10/30 06:19:43
You need to bridge the WiFi and LAN (if they are both work networks) into a software switch; that way they are the same subnet. Without a true DNS server you are relying on broadcast traffic for resolution. Two different subnets won't broadcast to one another, so you need to bridge them so that it is one subnet and one broadcast domain.
#2
Toshi Esumi
Re: Internal DNS Multiple Subnets 2017/10/30 09:46:08
What DNS server IPs are you handing out over DHCP? A public one, like 8.8.8.8, or an internal one somewhere inside your network? In either case, as long as the client machine has reachability to the DNS server, it should work fine.
#3
Stuart Mitchell
Re: Internal DNS Multiple Subnets 2017/10/30 15:31:22
Hi Toshi,
 
The FortiWiFi system DNS is set to 8.8.8.8
The LAN DHCP is set to Interface IP for DNS server (10.0.0.1)
The WiFi DHCP is set to Interface IP for DNS server (192.168.0.1)
 
Under DNS Server, I've configured both interfaces (LAN & WiFi) to be Recursive
 
Should I be changing my WiFi DHCP to give out 10.0.0.1 as the DNS server?
 
Thanks in advance,
Stuart Mitchell
#4
Stuart Mitchell
Re: Internal DNS Multiple Subnets 2017/10/30 17:11:26
Hi Mike,
 
For argument's sake, let's pretend that the networks cannot be on the same subnet, but need to be able to communicate with one another (including DNS resolution).
 
Are you saying there's no way to do this on a FortiGate without changing the subnet mask? For such a feature-filled device, I find that hard to believe, but I guess I'll see what other people come back with.
 
Kind regards,
Stuart Mitchell
#5
rwpatterson
Re: Internal DNS Multiple Subnets 2017/10/30 20:07:32
What is your DNS server? The Fortigate or another unit?

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
-5.6.13-b1714: FWF80CM
-5.2.13-b0762: FWF81CM, FWF80CM
-5.0.14-b0323: FWF81CM, FWF80CM(3)
-4.3.19-b0694: FWF81CM
#6
Stuart Mitchell
Re: Internal DNS Multiple Subnets 2017/10/30 21:00:52
The FortiGate, though I'm not sure if I've set it up properly, hence why I'm here :)

Again, we don't have a corporate domain here with any servers, just a simple office environment.
 
Kind regards,
Stuart Mitchell
#7
Toshi Esumi
Re: Internal DNS Multiple Subnets 2017/10/31 15:04:37
I'm actually not sure how the "Same as Interface IP" option would work. But if you want to let all devices use 8.8.8.8 as DNS, you should set "Same as System DNS". Then make sure each device can ping 8.8.8.8.
#8
Toshi Esumi
Re: Internal DNS Multiple Subnets 2017/10/31 15:13:25
And I don't see any necessity for you to make your FortiGate a DNS server.
#9
Stuart Mitchell
Re: Internal DNS Multiple Subnets 2017/10/31 15:21:17
@Toshi
 
So you're saying if I set all our internal subnets' DNS to 8.8.8.8, devices on one subnet will be able to resolve hostnames on a separate local subnet?
 
How would that work?
 
Just to reiterate, we have two local subnets... Our LAN subnet of 10.0.0.0/24, and our WiFi (on a different interface) on 192.168.0.0/24. Currently, I've got routing configured correctly, so I can access either subnet from either subnet, but from either side, I cannot resolve hostnames on the other side (10.0.0.0/24 hosts cannot resolve hostnames on the 192.168.0.0/24 subnet, and vice versa).
#10
Toshi Esumi
Re: Internal DNS Multiple Subnets 2017/10/31 15:29:04
DNS servers on the internet manage only names bound to publicly authorized domains, and resolve those names to their public IP addresses. They never resolve to a private IP. Local devices can talk to each other with their private IPs through Layer 3 devices (routers), in your case your FortiGate.
#11
Stuart Mitchell
Re: Internal DNS Multiple Subnets 2017/10/31 15:37:11
I'm not sure you understand what I'm trying to achieve. This has nothing to do with external DNS, we're just trying to resolve local hostnames across two different local subnets, which are configured on two different interfaces of the same FortiGate.
 
== Office FortiGate ==
Port1 - 10.0.0.1/24
WiFi Interface - 192.168.0.1/24
WAN - Irrelevant

Routing works fine, so devices on our LAN (10.0.0.0/24) can talk to devices on the WiFi (192.168.0.0/24) and vice versa. All devices on the WiFi (192.168.0.0/24) can resolve each others' hostnames, and all devices on the LAN (10.0.0.0/24) can resolve each others' hostnames.
 
THE ISSUE is that devices on the LAN (10.0.0.0/24) cannot resolve the hostnames of devices on the WiFi (192.168.0.0/24), nor can devices on the WiFi (192.168.0.0/24) resolve hostnames of devices on the LAN (10.0.0.0/24).
#12
tanr
Re: Internal DNS Multiple Subnets 2017/10/31 19:46:24
I have a somewhat similar setup (though WiFi is through FortiAP) and am using the FortiGate (5.4.5) to provide some simple local DNS, which works fine. If you were to set yours up the way I have mine, it would be something like:
 
  1. Port1 interface (LAN1, 10.0.0.1) specifies DNS as "Same as Interface IP"
  2. Whatever interface the WiFi is on (192.168.0.1) also specifies DNS as "Same as Interface IP".
  3. Under Network > DNS specify 8.8.8.8 or whatever public DNS server you want
  4. Under Network > DNS Servers > DNS Service on Interface add DNS servers for both interfaces, set as Recursive
  5. Under Network > DNS Servers > DNS Database create your needed DNS Zone elements, of type Master, specifying base domain names, and listing out (possibly multiple) A records to map URLs to your local IPs.
For example, my own setup has a DNS zone something like:
 
Type: Master
View: Shadow
DNS Zone: flubber.com
Domain Name: flubber.com
Hostname of Primary Master: flubber-dns
Contact Email Address: admin@flubber.com
TTL: 86400
Authoritative: Disable
--- DNS Entries ---
Type   Details
A      mmm.flubber.com -> IP.IP.IP.IP
A      auth.local.flubber.com -> IP.IP.IP.IP
 
I can use a web browser from one subnet to browse to mmm.flubber.com in a different subnet successfully.
 
A question. How are you determining that the names aren't being resolved from the other subnets? Does ipconfig show the correct FortiGate DNS IP on those clients? Is it possible you're simply getting blocked by security policies between the subnets? What does tracert from one subnet to a URL on another subnet show? I ask because I blocked myself this way the first time I set up the DNS.
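tanr's five GUI steps written out as FortiOS CLI, an added example that is not from the thread or from Fortinet's own documentation: the interface name `wifi`, the DHCP range and the 192.168.0.50 host address are assumptions, the zone values mirror tanr's sample, and the `#` lines are annotations rather than CLI input.

```text
# Steps 1-2 (port1 shown; the wifi scope is identical with 192.168.0.1):
# DNS server = interface IP, zone name as search suffix for short names.
config system dhcp server
    edit 1
        set interface "port1"
        set default-gateway 10.0.0.1
        set netmask 255.255.255.0
        set dns-service local
        set domain "flubber.com"
        config ip-range
            edit 1
                set start-ip 10.0.0.100
                set end-ip 10.0.0.200
            next
        end
    next
end
# Step 3: upstream resolver for everything outside the local zone.
config system dns
    set primary 8.8.8.8
end
# Step 4: recursive DNS service on the two internal interfaces only; a
# recursive listener on the WAN interface would be an open resolver.
config system dns-server
    edit "port1"
        set mode recursive
    next
    edit "wifi"
        set mode recursive
    next
end
# Step 5: shadow master zone; hostnames are relative to the domain.
config system dns-database
    edit "flubber.com"
        set domain "flubber.com"
        set type master
        set view shadow
        set primary-name "flubber-dns"
        set contact "admin@flubber.com"
        set ttl 86400
        set authoritative disable
        config dns-entry
            edit 1
                set type A
                set hostname "mmm"
                set ip 192.168.0.50
            next
        end
    next
end
```

The resolved traffic still has to pass a firewall policy between port1 and wifi, which is the self-inflicted block tanr mentions. Running `nslookup mmm.flubber.com 10.0.0.1` from a LAN client and the same query against 192.168.0.1 from a WiFi client confirms that both listeners answer from the zone.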
#13
boma23
Re: Internal DNS Multiple Subnets 2021/10/02 15:11:59
Digging up an old thread.

I have identical issue to OP.

2 different VLANs and internal subnets, which have routing between them.

Both have the DNS server run from the FortiGate interface IP, although I have specified the DNS server in DHCP to match the gateway, to be sure.

I can resolve local DNS in each VLAN, and ping between them, but not resolve addresses in one subnet from the other. Entering the IP in a browser takes me to the page hosted on the opposing VLAN/subnet, but entering the A record name does not. Clients are picking up the correct DNS server for the VLAN / subnet they have joined.
 
My DNS in each is set up identically to various other VLANs, which all work perfectly.
 
Worth noting the WiFi is handled by UniFi L2 switches, with the Forti as our L3 router/firewall.

To add, I have also tried setting DNS server of the second routed VLAN for the clients, but this doesn't work either.
post edited by boma23 - 2021/10/02 15:31:01
#14
AndréK
Re: Internal DNS Multiple Subnets 2021/10/16 01:02:28
Same issue here, I even tried to make a new post about it: https://forum.fortinet.com/tm.aspx?m=199385
Is it really impossible? There must be lots of people experiencing this...
#15