jsevigny
Staff
Article Id 275771
Description

This article describes how to configure DNS translation as an alternative to a hairpin VIP. This technique is used when the destination server is on a network local to the client, but the DNS server the client uses resolves the server's name to its external IP address.

Scope

FortiOS all models and firmware.

Solution

Creating DNS translation:

DNS translation can be configured per policy using a DNS filter profile, or per VDOM using the CLI. For example:

config firewall dnstranslation
    edit 1
        set dst 208.91.114.109
        set netmask 255.255.255.255
        set src 192.168.2.1
    next
end

Here, dst is the original IP address (the address the DNS server returns), src is the translated IP address, and a netmask of 255.255.255.255 limits the entry to that single host.

Creating DNS translation using the GUI:

  • Create a DNS filter profile. Go to Security Profiles, DNS Filter, and create a new filter profile or edit an existing one.
  • Enable DNS translation in the DNS filter profile.
  • Select Create New.
  • Enter the external IP address as the Original Destination (208.91.114.109) and the internal IP address as the Translated Destination (192.168.2.1). In this case it is a single IP address, so set the Network mask to 255.255.255.255.
  • Add the DNS filter profile containing the translation to the firewall policy that allows the DNS traffic.

See the following article for further details/examples on DNS translation: Technical Tip: How to use the DNS translation feature.

(Screenshot: DNS lookup of fortiguard.com from the client, showing the translated result.)

As shown above, fortiguard.com resolves to 208.91.114.109, the internal address of this server is 192.168.2.1, and the DNS server is 8.8.8.8, which is external to this location. Because the DNS request passes through the FortiGate and matches the DNS translation entry, the resolved address in the reply is translated from 208.91.114.109 to 192.168.2.1. Since the 192.168.2.X/24 subnet is in the DMZ, the client can then reach the server as long as there is an IPv4 policy from LAN to DMZ.
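To make the rewrite concrete, the following is an added Python model of what a DNS translation entry does to a DNS reply; it is example code written for this article, not FortiOS code or Fortinet's implementation. It builds a constructed DNS response for fortiguard.com, walks the answer section, and replaces any A record that falls inside dst/netmask with the matching address from src, keeping the host bits so that a subnet-to-subnet entry maps address for address. That subnet behaviour, and the constructed 203.0.113.0/24 to 10.10.10.0/24 rule used to show it, go beyond the article's single-host example and are assumptions; the article's own entry (208.91.114.109 to 192.168.2.1) is the first rule in the table.

```python
"""Model of a FortiGate DNS translation entry applied to a DNS reply.

Added example for this article; not FortiOS code.  A rule is
(dst, netmask, src) in the order the article's CLI uses: dst is the
original address the DNS server returns, src is the translated address.
"""
import ipaddress
import struct
from typing import Iterator, List, Optional, Tuple

Rule = Tuple[str, str, str]  # (dst, netmask, src)

# Constructed rule table.  The first entry is the article's own example;
# the /24 entry is an assumption used to show subnet-to-subnet mapping.
RULES: List[Rule] = [
    ("208.91.114.109", "255.255.255.255", "192.168.2.1"),
    ("203.0.113.0", "255.255.255.0", "10.10.10.0"),
]


def translate_ip(resolved: str, dst: str, netmask: str, src: str) -> Optional[str]:
    """Return the translated address if `resolved` lies in dst/netmask, else None.

    Host bits are kept, so a /24 rule maps the whole subnet address for address
    (assumed behaviour; the article only shows a /32 entry).
    """
    mask = int(ipaddress.IPv4Address(netmask))
    r = int(ipaddress.IPv4Address(resolved))
    if (r & mask) != (int(ipaddress.IPv4Address(dst)) & mask):
        return None
    new = (int(ipaddress.IPv4Address(src)) & mask) | (r & ~mask & 0xFFFFFFFF)
    return str(ipaddress.IPv4Address(new))


def _encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode() for label in labels) + b"\x00"


def build_a_response(qname: str, addrs: List[str], txid: int = 0x1234) -> bytes:
    """Constructed DNS response: one question plus one A record per address."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE A, class IN
    answers = b""
    for addr in addrs:
        # The record name is a compression pointer to offset 12, the question name.
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
        answers += ipaddress.IPv4Address(addr).packed
    return header + question + answers


def _skip_name(pkt: bytes, off: int) -> int:
    """Return the offset just past the name (label sequence or pointer) at `off`."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def _answer_records(pkt: bytes) -> Iterator[Tuple[int, int, int, int]]:
    """Yield (rdata offset, type, class, rdlength) for each answer record."""
    qdcount, ancount = struct.unpack("!HH", pkt[4:8])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(pkt, off) + 4  # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = _skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        yield off, rtype, rclass, rdlen
        off += rdlen


def a_records(pkt: bytes) -> List[str]:
    """Addresses in the A records of a response, in order."""
    return [str(ipaddress.IPv4Address(pkt[off:off + 4]))
            for off, rtype, rclass, rdlen in _answer_records(pkt)
            if rtype == 1 and rclass == 1 and rdlen == 4]


def rewrite_dns_response(pkt: bytes, rules: List[Rule] = RULES) -> bytes:
    """Apply the first matching rule to each A record; other records are untouched."""
    buf = bytearray(pkt)
    for off, rtype, rclass, rdlen in _answer_records(pkt):
        if rtype != 1 or rclass != 1 or rdlen != 4:
            continue
        resolved = str(ipaddress.IPv4Address(pkt[off:off + 4]))
        for dst, netmask, src in rules:
            translated = translate_ip(resolved, dst, netmask, src)
            if translated is not None:
                buf[off:off + 4] = ipaddress.IPv4Address(translated).packed
                break
    return bytes(buf)


if __name__ == "__main__":
    # The article's scenario: 8.8.8.8 answers 208.91.114.109 and the firewall
    # hands the LAN client 192.168.2.1 instead.  198.51.100.7 is a constructed
    # extra record that matches no rule and must pass through unchanged.
    reply = build_a_response("fortiguard.com", ["208.91.114.109", "198.51.100.7"])
    print("from 8.8.8.8:", a_records(reply))
    print("to client:   ", a_records(rewrite_dns_response(reply)))
```

Comparing a_records() before and after the rewrite mirrors the check a practitioner would do on the client once the policy carrying the DNS filter profile is in place: an nslookup of fortiguard.com against 8.8.8.8 should return 192.168.2.1, while names whose addresses match no translation entry resolve exactly as before. The packet length is unchanged by the rewrite, which is why the firewall can substitute the address in the reply without touching the rest of the message.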