DNS - Unable to access internally hosted sites on Apple Devices

Author
Jennyjcuk
New Member
  • Total Posts : 10
  • Scores: 0
  • Reward points: 0
  • Joined: 2019/12/03 02:27:25
  • Status: offline
2021/05/03 23:56:15

Hi All,
 
We have a few hosted sites and services on our Academic network that need to be accessed via our guest/BYOD wifi/vlan. I've set up rules to the servers from the guest network, and I have routed the DNS through to our DNS servers (these contain all host and reverse lookup records) on our Academic vlan. Windows devices work fine so I know the right things are in place, but anything Apple doesn't. We have tried flushing the DNS and cache on Apple devices, different browsers, still no luck. They can get to external websites fine, but just not internal.
 
Also most of our sites are externally facing, but the Apple products still can't get to them when connected to our BYOD network! 
 
Any help appreciated!
 
Thanks,
Jenny
post edited by Jennyjcuk - 2021/05/04 00:08:17
#1

9 Replies

    Martin Hancock
    New Member
    • Total Posts : 5
    • Scores: 0
    • Reward points: 0
    • Joined: 2012/09/20 19:13:33
    • Status: offline
    Re: DNS - Unable to access internally hosted sites on Apple Devices 2021/05/04 02:14:05
    Have you added in the DNS suffixes to the DHCP scope at all for your network?
    #2
    Jennyjcuk
    Re: DNS - Unable to access internally hosted sites on Apple Devices 2021/05/04 06:08:35
    No - we have set up DHCP on the Fortigate for the guest network. Can the DNS suffixes be added to the Fortigate?
    #3
    SJFriedl
    Bronze Member
    • Total Posts : 29
    • Scores: 0
    • Reward points: 0
    • Joined: 2015/12/10 14:13:55
    • Location: Southern California USA
    • Status: offline
    Re: DNS - Unable to access internally hosted sites on Apple Devices 2021/05/04 08:12:05
    Jennyjcuk
    Can the DNS suffixes be added to the Fortigate?


    Yes, though it might only be doable via the CLI.
     
    config system dhcp server
      edit 2
         set domain "mydomain.local"
      next
    end
    #4
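Added example, not code from the thread or from Fortinet: how the suffix that `set domain` hands out (DHCP option 15) and the RFC 3397 domain-search list (option 119) are encoded, and the order in which a typical stub resolver would try a short hostname against those suffixes. The domain names and the ndots=1 rule are constructed assumptions.

```python
# Added example (not from the thread, not Fortinet code): encoding of the
# DHCP domain-name option (15, what `set domain` configures) and the RFC 3397
# domain-search option (119), plus the name-expansion order a typical stub
# resolver uses. "mydomain.local" and "campus.example" are constructed.
from __future__ import annotations

DHCP_OPT_DOMAIN_NAME = 15     # single default suffix, plain ASCII text
DHCP_OPT_DOMAIN_SEARCH = 119  # list of suffixes in DNS label wire format


def encode_labels(name: str) -> bytes:
    """DNS wire format: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad DNS label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def option15(domain: str) -> bytes:
    """Option 15 TLV: code, length, domain name as text."""
    data = domain.encode("ascii")
    return bytes([DHCP_OPT_DOMAIN_NAME, len(data)]) + data


def option119(domains: list[str]) -> bytes:
    """Option 119 TLV: code, length, label-encoded domains back to back.
    RFC 3397 allows label compression between entries; none is used here."""
    data = b"".join(encode_labels(d) for d in domains)
    if len(data) > 255:
        raise ValueError("search list too long for a single option")
    return bytes([DHCP_OPT_DOMAIN_SEARCH, len(data)]) + data


def candidates(hostname: str, search: list[str], ndots: int = 1) -> list[str]:
    """Names a typical stub resolver tries, in order (assumed ndots=1):
    an absolute name (trailing dot) is never expanded; a name with at least
    `ndots` dots is tried as-is first; a short name gets each search suffix
    appended first and is tried bare last."""
    bare = hostname.rstrip(".")
    if hostname.endswith("."):
        return [bare]
    expanded = [f"{bare}.{suffix.rstrip('.')}" for suffix in search]
    if bare.count(".") >= ndots:
        return [bare] + expanded
    return expanded + [bare]
```

A client that never receives option 15 or 119 has an empty search list, so `candidates("intranet", [])` is just the bare name and an unqualified internal hostname cannot resolve.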
    Jennyjcuk
    Re: DNS - Unable to access internally hosted sites on Apple Devices 2021/05/05 02:47:26
    Thank you, this has worked a little... strangely, now on my test iPhone I can get to one internal site but still not to all! Any other options that could be specified?
    #5
    SJFriedl
    Re: DNS - Unable to access internally hosted sites on Apple Devices 2021/05/05 06:19:57
    Jennyjcuk
    Any other options that could be specified?  

    I've never been able to get my iPhone to show *any* domains in Settings --> Wifi --> (SSID) --> Configure DNS, though my phone does resolve names on my local network. Not sure if it's that my phone is not showing search domains it knows about, or something else.
    #6
    Jennyjcuk
    Re: DNS - Unable to access internally hosted sites on Apple Devices 2021/05/05 06:38:19
    Apple devices! 
     
    I am thinking it may have something to do with the fact that it is a guest network with no firewall authentication, so the firewall doesn't know who the users or devices are, despite rules to allow everything through. We have another wireless network set up with RADIUS authentication, from which users can get to the internal sites. That also has DHCP set up on the Fortigate and DNS is routed to a server on the same subnet.
     
    Guest network DNS is routed to the RADIUS subnet. 
     
    post edited by Jennyjcuk - 2021/05/05 06:54:19
    #7
    SJFriedl
    Re: DNS - Unable to access internally hosted sites on Apple Devices 2021/05/05 06:52:16
    Jennyjcuk
    I am thinking it may have something to do with the fact that it is a guest network with no authentication, so the firewall doesn't know who the users or devices are, despite rules to allow everything through.

    But there's a firewall policy somewhere allowing the traffic: is NAT enabled *on the policy* (as opposed to a VIP)?
    #8
    Jennyjcuk
    Re: DNS - Unable to access internally hosted sites on Apple Devices 2021/05/05 08:10:56
    Yes, there's a rule to the DNS server, allowing all sources using the DNS service. Then there's another rule to allow all sources again HTTPS and HTTP service to the specific servers hosting the sites. Windows devices are happy with this and get to everything.
     
    NAT is enabled on all the policies. We only have VIPs set up to point the external DNS to the correct internal IP addresses.
    #9
    SJFriedl
    Re: DNS - Unable to access internally hosted sites on Apple Devices 2021/05/05 08:23:21
    Jennyjcuk
    Yes, there's a rule to the DNS server, allowing all sources using the DNS service. Then there's another rule to allow all sources again HTTPS and HTTP service to the specific servers hosting the sites. Windows devices are happy with this and get to everything.
     
    NAT is enabled on all the policies. We only have VIPs set up to point the external DNS to the correct internal IP addresses.
    Ok, so the NAT question was me being confused with a different question (duh), though you probably don't want NAT on most policies.
     
    In any case, I recently simplified my network *dramatically* by letting my Fortigate serve up DNS on all the default gateways, and it would internally forward the requests to the real servers. I was able to remove essentially all of my firewall policies allowing DNS from one to another, a HUGE simplification.
     
    This is worth considering.
    #10