my first post here, any help is appreciated.
I have a fortigate 50E with a bunch of PCs connected to it which form my internal network. One of the PCs is running a web app (Confluence to be precise). I can access this app from within the internal network with . Now I'd like to be able to access it from the internal network using something like 'confluence.myoffice.com:someport'. I also have confluence.myoffice.com as subdomain with my webhoster, but which I don't expect to see if I open that url from my local network.
I read about conditional port forwarding and set it up via the Fortigate CLI:
config system dns-database
edit "my_forward"
set authoritative disable
set domain "confluence.myoffice.com"
set forwarder "<myIP>"
next
end
and also set up the interface, so that in my Fortigate UI I see:
However when I open a browser on my internal network with confluence.myoffice.com it takes me to the public version. How can I check that the Fortigate settings are taking effect?
I followed @Zac67's instructions and have the following now:
but when I do nslookup from a machine in the LAN it still seems to go through the usual DNS:
This is what I get from the Fortigate console:
Best Answer
For local name resolution you need to set up 3 things:
1- a DNS zone
2- at least one A record in that zone
3- a DNS on the interface where your internal hosts are
A zone in a nameserver is a container for name/IP pairs, the records. You create a DNS zone in
config system dns-database
This zone only holds records for your private hosts and thus it must be 'authoritative'!
Next, the record(s). They are created in the
config dns-entry
section. Record type 'A' denotes a host entry. It doesn't harm to have an additional 'NS' record with the name of your nameserver, i.e. the Fortigate. Then you set up a DNS for your hosts to use, here on the 'lan' interface:
As you can see, it must be in 'recursive' mode or non-local names will not be resolved. If the requested hostname is not found in the dns-database and 'recursive' is specified, the request will be forwarded to the Fortigate's System DNS, which can be a Fortiguard DNS (like in your case) or your provider's DNS.
Now you can resolve a local hostname like 'namea.mycompany.local'.
At last, if you use the FGT as your DHCP server, specify the Fortigate's LAN address as the DNS to use so that all your local hosts will know whom to ask.
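The three pieces above combined into one FortiOS CLI script, added here as an example rather than either poster's own configuration; the zone name, the Confluence host address, the FortiGate LAN address, the interface name "lan" and the DHCP scope id are assumed placeholders for the thread's setup:

```fortios
# Added example, not the configuration posted in this thread. Assumed values:
# internal Confluence host 192.168.1.10, FortiGate LAN address 192.168.1.1,
# LAN interface named "lan", existing DHCP scope id 1.
config system dns-database
    edit "myoffice_local"
        # The zone covers the whole domain; record names are relative to it.
        set domain "myoffice.com"
        set type master
        # "shadow" view: answered only on interfaces that run a DNS server,
        # so the private records are never served towards the public side.
        set view shadow
        # Authoritative: answer from these records instead of deferring to
        # the public zone hosted at the webhoster.
        set authoritative enable
        config dns-entry
            edit 1
                # Optional NS record naming the FortiGate as the nameserver.
                set type NS
                set hostname "ns"
                set ip 192.168.1.1
            next
            edit 2
                # confluence.myoffice.com -> internal host
                set type A
                set hostname "confluence"
                set ip 192.168.1.10
            next
        end
    next
end

# DNS service on the LAN interface. Recursive mode answers from the
# dns-database first and forwards every other name to the system DNS.
config system dns-server
    edit "lan"
        set mode recursive
    next
end

# Hand out the FortiGate's LAN address as resolver so clients stop asking
# the public DNS directly (modifies the assumed existing scope id 1).
config system dhcp server
    edit 1
        set dns-service specify
        set dns-server1 192.168.1.1
    next
end
```

After applying it, nslookup confluence.myoffice.com from a LAN host should name the FortiGate's LAN address as the answering server and return the internal IP; if it still shows the public DNS, that client is not using the FortiGate as its resolver yet.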