FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
cmaheu
Staff
Article Id 193963
Description
Use the "dig" tool to determine the IP address resolution of a specific domain.
Solution
Run the following command in the Server/Application Server CLI:
dig @<eth1 IP address of isolation network> <domain name>



Example: Domain is in the Allowed Domains List (zones.common)

safebrowsing.google.com and its canonical name (sb.l.google.com) are both listed in zones.common:

> grep -i safebrowsing.google.com /var/named/chroot/etc/zones.common
        zone "safebrowsing.google.com" {

> grep -i sb.l.google.com /var/named/chroot/etc/zones.common
        zone "sb.l.google.com" {



safebrowsing.google.com resolves to its actual IP address (172.217.11.14):

> dig @192.168.23.2 safebrowsing.google.com

; <<>> DiG 9.9.4-RedHat-9.9.4-38.el7_3.2 <<>> @192.168.23.2 safebrowsing.google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39818
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;safebrowsing.google.com.       IN      A

;; ANSWER SECTION:
safebrowsing.google.com. 82293  IN      CNAME   sb.l.google.com.
sb.l.google.com.        300     IN      A       172.217.11.14




Example: Domain is not in the Allowed Domains List

cnn.com is not found in zones.common:

> grep -i cnn.com /var/named/chroot/etc/zones.common
>


Because the domain is not listed, it resolves to the eth1 IP address (192.168.23.2) rather than to its actual address:

> dig @192.168.23.2 cnn.com

; <<>> DiG 9.9.4-RedHat-9.9.4-38.el7_3.2 <<>> @192.168.23.2 cnn.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13775
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;cnn.com.                       IN      A

;; ANSWER SECTION:
cnn.com.                30      IN      A       192.168.23.2

;; AUTHORITY SECTION:
.                       11      IN      NS      isol.bradfordnetworks.com.

;; ADDITIONAL SECTION:
isol.bradfordnetworks.com. 15   IN      A       192.168.23.2
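
The two cases above can be told apart mechanically by comparing the A records in the ANSWER SECTION with the eth1 address. The script below is an added example, not part of the original article or of FortiNAC; the names classify_answer, sample_allowed and sample_isolated are hypothetical, and the sample input is the answer data from the two dig runs above.

```shell
#!/bin/sh
# classify_answer <eth1_ip>: reads full dig output on stdin and prints
#   allowed   - A records returned, none equal to the eth1 IP
#   isolated  - an A record equals the eth1 IP (domain not in zones.common)
#   no-answer - the ANSWER SECTION holds no A record
classify_answer() {
    awk -v iso="$1" '
        /^;; ANSWER SECTION:/ { in_ans = 1; next }
        /^;; / || /^$/        { in_ans = 0 }   # next section or blank line ends it
        in_ans && $4 == "A"   { seen++; if ($5 == iso) hit++ }
        END {
            if (!seen)    print "no-answer"
            else if (hit) print "isolated"
            else          print "allowed"
        }'
}

# Answer sections copied from the two dig runs on this page.
sample_allowed() { cat <<'EOF'
;; ANSWER SECTION:
safebrowsing.google.com. 82293  IN      CNAME   sb.l.google.com.
sb.l.google.com.        300     IN      A       172.217.11.14
EOF
}

sample_isolated() { cat <<'EOF'
;; ANSWER SECTION:
cnn.com.                30      IN      A       192.168.23.2

;; AUTHORITY SECTION:
.                       11      IN      NS      isol.bradfordnetworks.com.

;; ADDITIONAL SECTION:
isol.bradfordnetworks.com. 15   IN      A       192.168.23.2
EOF
}

ETH1_IP=192.168.23.2   # eth1 address used in the page's examples
echo "safebrowsing.google.com: $(sample_allowed | classify_answer "$ETH1_IP")"
echo "cnn.com: $(sample_isolated | classify_answer "$ETH1_IP")"
# Live use on the appliance: dig @"$ETH1_IP" <domain name> | classify_answer "$ETH1_IP"
```

Only records inside the ANSWER SECTION are compared, because the ADDITIONAL SECTION of an isolation response always carries the eth1 address for the isolation name server itself.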



To add domains to the Allowed Domains page, refer to the related KB articles below.

Related Articles

Technical Note: Troubleshooting domain resolution for agent communication

Technical Note: Add Allowed Domains using the Administration UI

Technical Note: Captive Portal page secured with SSL certificate not building or slow to build

Technical Tip: Troubleshooting domain resolution in the captive portal
