VPN Site-to-Site DNS redirection problem

Hi guys!

I inherited a network on a Fortigate 300E from my predecessor. It is connected via a Site-to-Site VPN to a different location where I have a Fortigate 120C.

I have a problem with DNS at my remote location. On my primary site I have a web application to which I connect via a web address given by my AD DNS, like appname(.)local, and not via its IP address. In the Chrome browser, the IP address always redirects to the DNS name appname(.)local. I would like to use this app at my second location. When I enter the app's address, appname(.)local, it redirects me to a public website, miastopuck(.)pl (the city of Puck in Poland). The second location gets my DNS and is able to reach the DNS servers.

Every app address from my primary network that I want to reach gives me an error that the browser could not find the IP address of the server miastopuck(.)pl.

We never had anything to do with the city of Puck. Pinging IPs works. I can reach my SMB shares. The only problem is with DNS.

What can I check in my Fortigate settings?

If the ping works fine and resolves the name correctly, it could be the secure functions in your browser. E.g. Chrome uses a function called Secure DNS; you must disable it.

Take the browser out of it - what happens if you do an nslookup for appname(.)local from a machine at the remote site? Does it resolve to the correct IP? If not, then you may have a wildcard record set up for your domain name. If so, and if a given lookup fails, it will be forwarded to that wildcard address… For example, we have a wildcard record in our DNS that directs any invalid lookup to our main corporate web page, so if someone attempts to reach a URL for which there is no valid record, they are redirected to our corporate web page. (i.e. we have no record for fortinet.domain.com, and if someone tries to reach http://fortenet.domain.com, they are redirected to our corporate web page at www.domain.com.) Perhaps your ISP, or you, have a wildcard that says to send invalid records to miastopuck(.)pl.

Just a thought

Another thing to consider here is to use the built-in packet capture to see what the DNS is doing, but it almost seems like your gate, or your workstations, are appending that domain (miastopuck(.)pl) to your lookups. Did you perhaps get the Fortigate at the secondary location from somewhere second-hand or refurbished? nslookup will tell us a lot, but you may consider doing a packet capture from the CLI on the secondary gate to see what DNS is doing. To do this, open a CLI or SSH session into the remote gate and type: diagnose sniffer packet any 'port 53' 4 999 l and then make a DNS request with nslookup or your browser, and ensure that the interface it's sending the traffic out of is in fact the interface that would traverse toward your main site, and not a WAN interface or similar. If that doesn't provide any answers, reply back to this thread and I'll give you an example of how to do a diagnose debug on the gate.
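Added example, not posted by anyone in this thread: a small Python script that parses the per-packet header lines the sniffer command above prints (verbose level 4 includes the interface name) and reports which interface outbound port-53 queries leave on, so a query exiting a WAN interface instead of the tunnel interface stands out. The capture lines, the interface names (internal, to_HQ, wan1) and all addresses are constructed for this example.

```python
import re
from collections import Counter

# Constructed sample of `diagnose sniffer packet any 'port 53' 4 999 l` output.
# Verbose level 4 prints one header line per packet with the interface name;
# interface names and addresses here are made up (TEST-NET ranges for public IPs).
SAMPLE = """\
2024-03-11 09:12:01.104233 internal in 10.20.0.15.52311 -> 10.10.0.5.53: udp 45
2024-03-11 09:12:01.104410 to_HQ out 10.20.0.15.52311 -> 10.10.0.5.53: udp 45
2024-03-11 09:12:01.131877 to_HQ in 10.10.0.5.53 -> 10.20.0.15.52311: udp 61
2024-03-11 09:12:01.132002 internal out 10.10.0.5.53 -> 10.20.0.15.52311: udp 61
2024-03-11 09:12:05.551902 internal in 10.20.0.15.52312 -> 203.0.113.53.53: udp 45
2024-03-11 09:12:05.552077 wan1 out 198.51.100.7.52312 -> 203.0.113.53.53: udp 45
"""

# Header line: "<date> <time> <iface> <in|out> <src>.<sport> -> <dst>.<dport>: <proto> <len>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<iface>\S+) (?P<dir>in|out) "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) -> (?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<proto>\w+)"
)


def parse_sniffer(text):
    """Yield one dict per packet header line; hex dump or payload lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def dns_query_egress(text):
    """Count outbound DNS queries (direction 'out', destination port 53) per egress interface."""
    counts = Counter()
    for p in parse_sniffer(text):
        if p["dir"] == "out" and p["dport"] == "53":
            counts[p["iface"]] += 1
    return dict(counts)


def queries_not_via(text, allowed_ifaces):
    """Return (iface, resolver) pairs for queries that left on an interface outside allowed_ifaces."""
    return sorted({(p["iface"], p["dst"]) for p in parse_sniffer(text)
                   if p["dir"] == "out" and p["dport"] == "53"
                   and p["iface"] not in allowed_ifaces})


if __name__ == "__main__":
    print(dns_query_egress(SAMPLE))            # queries per egress interface
    print(queries_not_via(SAMPLE, {"to_HQ"}))  # queries that bypassed the tunnel
```

In a real capture, pipe the session log into the script and set the allowed set to the name of your IPsec tunnel interface; any query listed by queries_not_via went to a resolver outside the VPN.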

Thank you! It was nslookup which actually helped! It was reverse DNS which was missing, causing all the trouble. I added a new primary zone and it works now! Thank you all for your help!