NAT and DNS HELP

Author
robbo007
2019/10/25 06:24:00 (permalink)

NAT and DNS HELP

Hi all,
I have a FG80C installed and running. My ISP provides me my internet connection via an antenna connection. I have my WAN1 configured using DHCP and it gets assigned a WAN address of 192.168.20.x which then in turn gives me an external IP of 185.x.x.x.x. 
 
I'm running a server which I have configured on my DMZ 192.168.10.x and I use virtual IPs to forward the traffic to this server on the DMZ. I have policies created too. 
 
On the control panel on my domain registrant I have a glue record pointing the name servers to my server, myserver.com on the DMZ where I'm running a unix hosting control panel and bind. Externally everything works fine. The problem is internally on my LAN. I can't resolve any of the myserver.com addresses. As they are all pointing to my external IP 185.x.x.x. 
 
What do I need to set up to be able to resolve those external "myserver.com" addresses on my internal LAN? 
#1


    Dave Hall
    Re: NAT and DNS HELP 2019/10/25 06:49:39 (permalink)
    Based on your description of the problem and if we are talking about one or a handful of FQDNs, you could use dnstranslation, which is explained here or here
    e.g.
     
    config firewall dnstranslation
    edit <index_int>
    set src <185.x.x.x.x>
    set dst <192.168.10.x>
    set netmask <address_ipv4mask>
    end

     

    NSE4/FMG-VM64/FortiAnalyzer-VM/5.4/6.0 (FWF40C/FW92D/FGT200D/FGT101E)/ FAP220B/221C
    #2
    robbo007
    Re: NAT and DNS HELP 2019/11/04 12:17:17 (permalink)
    Strangely, when using the CLI commands mentioned I receive a reply from nslookup on the LAN computer resolving mydomain.com to 192.168.10.174? The server which is hosting that domain has only the address 192.168.10.2 configured (and the external 185.x.x.x. also). There is no 192.168.10.174 anywhere on my LAN? Where is it getting that from? 
     
    config firewall dnstranslation
    edit <index_int>
    set src <185.x.x.x.x>
    set dst <192.168.10.x>
    set netmask <address_ipv4mask>
    end
    #3
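    Added illustration (not code from this thread or from Fortinet): a small Python model of what a src/dst/netmask DNS translation rule does to the A records in a reply, the behaviour to check whenever a translated answer shows a host number you never configured. It assumes the rule maps subnet to subnet, keeping the host bits that fall outside the netmask; the reply bytes and the addresses 185.0.113.x / 192.168.10.x are constructed sample data.

```python
import struct
from ipaddress import IPv4Address

def _skip_name(msg, off):
    """Return the offset just past the DNS name at off (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def translate_a_records(msg, src, dst, netmask):
    """Rewrite A-record rdata in a DNS reply the way a src/dst/netmask rule would:
    an answer inside src's subnet becomes the same host inside dst's subnet
    (host bits outside the netmask are kept, so src host .174 maps to dst host .174)."""
    src_n, dst_n = int(IPv4Address(src)), int(IPv4Address(dst))
    mask = int(IPv4Address(netmask))
    out = bytearray(msg)
    qdcount, ancount = struct.unpack_from("!HH", msg, 4)
    off = 12
    for _ in range(qdcount):  # skip the question section (name + type + class)
        off = _skip_name(msg, off) + 4
    for _ in range(ancount):  # walk the answer section
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record, class IN
            ip = struct.unpack_from("!I", msg, off)[0]
            if ip & mask == src_n & mask:
                struct.pack_into("!I", out, off, (dst_n & mask) | (ip & ~mask & 0xFFFFFFFF))
        off += rdlen
    return bytes(out)

def build_response(qname, ip, ttl=300):
    """Constructed sample: a minimal reply carrying one A record for qname."""
    name = b"".join(bytes([len(label)]) + label.encode() for label in qname.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    question = name + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + IPv4Address(ip).packed
    return header + question + answer

def answered_ip(msg):
    """Return the A record of a single-answer reply as a dotted string."""
    return str(IPv4Address(msg[-4:]))
```

    With a reply answering 185.0.113.174, a rule of src 185.0.113.0, dst 192.168.10.0, netmask 255.255.255.0 yields 192.168.10.174, while a /32 rule rewrites only the one exact src host. Answers outside src's subnet are left untouched.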
    Dave Hall
    Re: NAT and DNS HELP 2019/11/04 15:24:23 (permalink)
    Flush the DNS server cache (e.g. ipconfig /flushdns) on the computer and make sure it has the correct DNS server IPs assigned to it (from the DHCP server).  If the computer is receiving the proper DNS server IP info, check that the local DNS records on the DNS server (service) are correct and/or DNS forwarders are configured/set to point to a local address in your internal LAN. 
     
    Mind you, if you already have a domain server running a DNS service, you may as well configure local DNS records for the myserver.com addresses. 

    NSE4/FMG-VM64/FortiAnalyzer-VM/5.4/6.0 (FWF40C/FW92D/FGT200D/FGT101E)/ FAP220B/221C
    #4
    emnoc
    Re: NAT and DNS HELP 2019/11/04 21:20:20 (permalink)
    I don't think dnstranslation is going to work on your internal LAN. What is the DNS-server listed for the clients and does this go thru the firewall? Can you do split views in your DNS?
     
     
    Ken Felix

    PCNSE,  NSE , Forcepoint ,  StrongSwan Specialist
    #5
    robbo007
    Re: NAT and DNS HELP 2019/11/05 13:33:47 (permalink)
    Basically the main problem is I don't run a LAN DNS server, otherwise I would just create the entries to reflect the internal LAN IPs. The server I'm running is a unix server running control panel software to host various domains, and it also acts as a name server to resolve the DNS entries for the domains hosted on it. But this is all done via its external IP address. 
     
    I'm using my FG as the DHCP for my LAN clients, where I have configured Google's 8.8.8.8 DNS. Is there a way to add to the FG that it resolves my domain1.com and mydomain2.com to the local IP of my unix server?
     
    I saw a FG document about hairpin but that is only good for a specific port. So it's no good. Maybe I need to set up an internal DNS and then just add the entries to the zone file?
     
    https://docs.fortinet.com.../5.4.0/cookbook/856642
    #6
    Dave Hall
    Re: NAT and DNS HELP 2019/11/05 14:50:38 (permalink)
    Have used the cookbook recipe that uses hairpin on udp port 53 (e.g. dns) and a local internal DNS server to some success. 
     
    =================================

    config system interface
    edit "dns-loop"
    set vdom "root"
    set ip 11.10.10.10 255.255.255.255
    set type loopback
    next
    end

    =================================

    config system settings
    set gui-dns-database enable
    end

    =================================

    config system dns-database
    edit "Google"
    set domain "google.com"
    set authoritative disable
    config dns-entry
    edit 1
    set hostname "www"
    set ip 216.239.38.120
    next
    edit 2
    set hostname "google.com"
    set ip 216.239.38.120
    next
    end
    next
    edit "Google Canada"
    set domain "google.ca"
    set authoritative disable
    config dns-entry
    edit 1
    set hostname "www"
    set ip 216.239.38.120
    next
    end
    next
    end

    =================================

    config system dns-server
    edit "internal_net"
    next
    edit "dns-loop"
    next
    end

    =================================

    config firewall vip
    edit "dns-vip"
    set type load-balance
    set src-filter "192.168.0.1-192.168.0.250"
    set extip 0.0.0.0-239.255.255.255
    set extintf "internal_net"
    set arp-reply disable
    set portforward enable
    set mappedip "11.10.10.10"
    set protocol udp
    set extport 53
    set mappedport 53
    next
    end

    =================================

    config firewall policy
    edit 0
    set name "Map-to-DNS-Internal"
    set srcintf "internal_net"
    set dstintf "dns-loop"
    set srcaddr "all"
    set dstaddr "dns-vip"
    set action accept
    set schedule "always"
    set service "DNS"
    next
    end

    ===========
    NSE4/FMG-VM64/FortiAnalyzer-VM/5.4/6.0 (FWF40C/FW92D/FGT200D/FGT101E)/ FAP220B/221C
    #7
    emnoc
    Re: NAT and DNS HELP 2019/11/05 22:12:25 (permalink)
    So what Dave is proposing is a DNS-server on loopback. Success is 50/50 in my experience. Works great for a small dns-fqdn footprint; it is not manageable in a large env or if dns-entries are constantly changing.
     
    On hair-pin ( totally different ) you want to send internal users to the rfc1918 address and not the external-public? So that would need a hair-pin rule to steer layer3 service to the web-server.
     
    Another solution would be an inside DNS-server that has forwarders; you can do that with a simple Windows DNS or ISC dns-server. Here you would forward all other requests not residing in your local-domain or your public-domain to the external DNS-server. 
     
    i.e
     
    mylocaldomain.local == authoritative 
    everybody else is forwarded to google_dns 8.8.8.8
     
    That dns-server option Dave displayed is actually the same concept btw.
     
     
    Ken Felix

    PCNSE,  NSE , Forcepoint ,  StrongSwan Specialist
    #8
    robbo007
    Re: NAT and DNS HELP 2019/11/07 10:53:22 (permalink)
    Thanks for the replies. Yes, the hairpin would be perfect, but from what I understand it's only for certain ports, i.e. you can't set up everything to everything on that IP address. 
     
    I'll look into Dave's solution for the DNS loopback. Seems the way forward. 
     
    Regarding internal DNS, yes, this would be the easiest way, but I have no Windows computers or servers on the network. All macOS. Maybe I'll look for a macOS DNS service? 
    #9