Support Forum
Gypsy_Dave
New Contributor III

NAT and DNS HELP

Hi all,

I have a FG80C installed and running. My ISP provides my internet connection via an antenna connection. I have my WAN1 configured using DHCP and it gets assigned a WAN address of 192.168.20.x, which then in turn gives me an external IP of 185.x.x.x.

 

I'm running a server which I have configured on my DMZ 192.168.10.x and I use virtual IPs to forward the traffic to this server on the DMZ. I have policies created too.

 

On the control panel on my domain registrant I have a glue record pointing the name servers to my server, myserver.com on the DMZ where I'm running a unix hosting control panel and bind. Externally everything works fine. The problem is internally on my LAN. I can't resolve any of the myserver.com addresses. As they are all pointing to my external IP 185.x.x.x. 

 

What do I need to set up to be able to resolve those external "myserver.com" addresses on my internal LAN?

Dave_Hall
Honored Contributor

Based on your description of the problem, and if we are talking about one or a handful of FQDNs, you could use dnstranslation, which is explained here or here.

e.g.

 

config firewall dnstranslation
    edit <index_int>
        set src <185.x.x.x>
        set dst <192.168.10.x>
        set netmask <address_ipv4mask>
    next
end

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

Gypsy_Dave
New Contributor III

Strangely, when using the CLI commands mentioned I receive a reply from nslookup on the LAN computer resolving mydomain.com to 192.168.10.174? The server which is hosting that domain has only the address 192.168.10.2 configured (and the external 185.x.x.x also). There is no 192.168.10.174 anywhere on my LAN. Where is it getting that from?

 

config firewall dnstranslation
    edit <index_int>
        set src <185.x.x.x>
        set dst <192.168.10.x>
        set netmask <address_ipv4mask>
    next
end
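An added illustration, not from any poster in this thread: a Python model of the dnstranslation behaviour described in the FortiOS documentation (assumed here, not verified on the FG80C), where the network part of a matching answer is replaced by the dst network and the host part is kept. The 185.0.0.x values are constructed placeholders for the redacted public address; with a /24 netmask a public address ending in .174 comes back as 192.168.10.174, which is one possible source of the address reported above, while a /32 host rule maps it to 192.168.10.2.

```python
import ipaddress

# Constructed rules modelled on the "config firewall dnstranslation" entry
# quoted above. 185.0.0.0/24 and 185.0.0.174 stand in for the poster's
# redacted public address; they are placeholders, not real addresses.
SUBNET_RULE = {"src": "185.0.0.0", "dst": "192.168.10.0",
               "netmask": "255.255.255.0"}      # wide mask: host bits kept
HOST_RULE = {"src": "185.0.0.174", "dst": "192.168.10.2",
             "netmask": "255.255.255.255"}      # single-host mapping


def translate_answer(answer: str, rule: dict) -> str:
    """Rewrite one resolved IPv4 address the way dnstranslation is documented
    to: if the address falls in src/netmask, swap in dst's network portion and
    keep the host portion. Addresses outside src are returned unchanged.
    (Assumed behaviour from the FortiOS documentation, not tested on an FG80C.)
    """
    addr = int(ipaddress.IPv4Address(answer))
    mask = int(ipaddress.IPv4Address(rule["netmask"]))
    src = int(ipaddress.IPv4Address(rule["src"]))
    dst = int(ipaddress.IPv4Address(rule["dst"]))
    if addr & mask != src & mask:
        return answer
    host_bits = addr & (~mask & 0xFFFFFFFF)
    return str(ipaddress.IPv4Address((dst & mask) | host_bits))


def translate_reply(answers: list, rule: dict) -> list:
    """Apply the rule to every A record in a (constructed) DNS reply."""
    return [translate_answer(a, rule) for a in answers]


if __name__ == "__main__":
    # Constructed reply: the public A record plus an unrelated answer.
    reply = ["185.0.0.174", "8.8.8.8"]
    print("with /24 netmask:", translate_reply(reply, SUBNET_RULE))
    # -> ['192.168.10.174', '8.8.8.8']  (the .174 host part carried over)
    print("with /32 netmask:", translate_reply(reply, HOST_RULE))
    # -> ['192.168.10.2', '8.8.8.8']
```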

Dave_Hall
Honored Contributor

Flush the DNS server cache (e.g. ipconfig /flushdns) on the computer and make sure it has the correct DNS server IPs assigned to it (from the DHCP server). If the computer is receiving the proper DNS server IP info, check that the local DNS records on the DNS server (service) are correct and/or that DNS forwarders are configured/set to point to a local address in your internal LAN.

 

Mind you, if you already have a domain server running a DNS service, you may as well configure local DNS records for the myserver.com addresses.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

emnoc
Esteemed Contributor III

I don't think dnstranslation is going to work on your internal LAN. What is the DNS-server listed for the clients and does this go thru the firewall? Can you do split views in your DNS?

 

 

Ken Felix

PCNSE 

NSE 

StrongSwan  

Gypsy_Dave
New Contributor III

Basically the main problem is I don't run a LAN DNS server, otherwise I would just create the entries to reflect the internal LAN IPs. The server I'm running is a Unix server running control panel software to host various domains, and it also acts as a name server to resolve the DNS entries for the domains hosted on it. But this is all done via its external IP address.

 

I'm using my FG as the DHCP server for my LAN clients, where I have configured Google's 8.8.8.8 DNS. Is there a way to add to the FG that it resolves my domain1.com and mydomain2.com to the local IP of my Unix server?

 

I saw a FG document about hairpin but that is only good for a specific port, so it's no good. Maybe I need to set up an internal DNS and then just add the entries to the zone file?

 

https://docs.fortinet.com.../5.4.0/cookbook/856642

Dave_Hall
Honored Contributor

Have used the cookbook recipe that uses hairpin on UDP port 53 (e.g. DNS) and a local internal DNS server to some success.

 

=================================
config system interface
    edit "dns-loop"
        set vdom "root"
        set ip 11.10.10.10 255.255.255.255
        set type loopback
    next
end
=================================
config system settings
    set gui-dns-database enable
end
=================================
config system dns-database
    edit "Google"
        set domain "google.com"
        set authoritative disable
        config dns-entry
            edit 1
                set hostname "www"
                set ip 216.239.38.120
            next
            edit 2
                set hostname "google.com"
                set ip 216.239.38.120
            next
        end
    next
    edit "Google Canada"
        set domain "google.ca"
        set authoritative disable
        config dns-entry
            edit 1
                set hostname "www"
                set ip 216.239.38.120
            next
        end
    next
end
=================================
config system dns-server
    edit "internal_net"
    next
    edit "dns-loop"
    next
end
=================================
config firewall vip
    edit "dns-vip"
        set type load-balance
        set src-filter "192.168.0.1-192.168.0.250"
        set extip 0.0.0.0-239.255.255.255
        set extintf "internal_net"
        set arp-reply disable
        set portforward enable
        set mappedip "11.10.10.10"
        set protocol udp
        set extport 53
        set mappedport 53
    next
end
=================================
config firewall policy
    edit 0
        set name "Map-to-DNS-Internal"
        set srcintf "internal_net"
        set dstintf "dns-loop"
        set srcaddr "all"
        set dstaddr "dns-vip"
        set action accept
        set schedule "always"
        set service "DNS"
    next
end
=================================

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

emnoc
Esteemed Contributor III

So what Dave is proposing is a DNS server on a loopback. Success is 50/50 in my experience. It works great for a small DNS FQDN footprint, but is not manageable in a large environment or if DNS entries are constantly changing.

 

On hair-pin (totally different), you want to send internal users to the RFC 1918 address and not the external public one? So that would need a hair-pin rule to steer the layer 3 service to the web server.

 

Another solution would be an inside DNS server that has forwarders; you can do that with a simple Windows DNS or ISC DNS server. Here you would forward all other requests not belonging to the local domain or your public domain to the external DNS server.

 

i.e.

 

mylocaldomain.local == authoritative

everybody else is forwarded to google_dns 8.8.8.8

 

That dns-server option Dave displayed is actually the same concept, btw.

 

 

Ken Felix

PCNSE 

NSE 

StrongSwan  

Gypsy_Dave
New Contributor III

Thanks for the replies. Yes, the hair-pin would be perfect but from what I understand it's only for certain ports, i.e. you can't set up everything to everything on that IP address.

 

I'll look into Dave's solution for the DNS loopback. Seems the way forward.

 

Regarding internal DNS, yes this would be the easiest way but I have no Windows computers or servers on the network. All macOS. Maybe I'll look for a macOS DNS service?
