firewall -> packet filters
For a drop-all rule for DNS.
You will need to disable or modify this rule so your internal DNS server can resolve names.
Thanks, I already checked this; anyway, I just added a new rule to accept all traffic on port 53.
Any other ideas?
I mean, is just adding the local server as the DNS server enough?
Thanks in advance.
Disable entirely the rule that blocks DNS.
It is stopping your internal DNS server from contacting other DNS servers on the Internet.
Another solution would be to make a DNAT pointing to the dedicated internal DNS server.
All clients are then getting DNS from there.
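As an added example (not from any post in this thread, and not the SnapGear GUI procedure), here is what the DNAT suggestion above looks like on a Linux firewall with iptables. It assumes a hypothetical LAN interface eth1 and the internal DNS/DHCP server at 192.168.2.190 mentioned later in the thread; every client's port 53 traffic is rewritten to that server, the server itself is still allowed to query upstream resolvers, and any DNS that somehow escapes the redirect is dropped. Because client and DNS server sit on the same subnet, the redirected packets are hairpinned back out the LAN interface, so the script also masquerades them; without that, the server would answer the client directly from its own address and the client would discard the reply.

```shell
#!/bin/sh
# Added example: force all LAN DNS traffic to the internal DNS server via DNAT.
# Assumptions (hypothetical, not from the thread): Linux firewall with iptables,
# LAN interface eth1, internal DNS server 192.168.2.190.
LAN_IF="${LAN_IF:-eth1}"
DNS_SERVER="${DNS_SERVER:-192.168.2.190}"

# Emit the iptables commands as text, so they can be reviewed (and tested)
# before they are applied. Arguments: <lan interface> <dns server ip>
dns_dnat_rules() {
    lan_if="$1"
    dns="$2"
    cat <<EOF
iptables -t nat -A PREROUTING -i $lan_if ! -s $dns -p udp --dport 53 -j DNAT --to-destination $dns:53
iptables -t nat -A PREROUTING -i $lan_if ! -s $dns -p tcp --dport 53 -j DNAT --to-destination $dns:53
iptables -t nat -A POSTROUTING -o $lan_if -d $dns -p udp --dport 53 -j MASQUERADE
iptables -t nat -A POSTROUTING -o $lan_if -d $dns -p tcp --dport 53 -j MASQUERADE
iptables -A FORWARD -i $lan_if -d $dns -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -i $lan_if -d $dns -p tcp --dport 53 -j ACCEPT
iptables -A FORWARD -i $lan_if -s $dns -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -i $lan_if -s $dns -p tcp --dport 53 -j ACCEPT
iptables -A FORWARD -i $lan_if -p udp --dport 53 -j DROP
iptables -A FORWARD -i $lan_if -p tcp --dport 53 -j DROP
EOF
}
# The PREROUTING rules exclude the DNS server as source so its own upstream
# queries are not looped back to itself; the POSTROUTING MASQUERADE handles the
# hairpin case (client and server on the same subnet); the FORWARD ACCEPTs let
# redirected client queries reach the server and let the server reach the
# Internet; the final DROPs catch DNS that bypassed the redirect.

# Number of rules generated, for a quick sanity check.
dns_dnat_rule_count() {
    dns_dnat_rules "$@" | wc -l | tr -d ' '
}

# Apply the rules on the firewall (requires root). Only runs with --apply.
apply_dns_dnat() {
    dns_dnat_rules "$LAN_IF" "$DNS_SERVER" | while IFS= read -r cmd; do
        sh -c "$cmd"
    done
}

if [ "${1:-}" = "--apply" ]; then
    apply_dns_dnat
else
    dns_dnat_rules "$LAN_IF" "$DNS_SERVER"
fi
```

Run without arguments to print the rules for review; run with `--apply` as root to load them. To verify from a client, query a public resolver directly (e.g. `dig @8.8.8.8 example.com`): if the redirect works, the answer comes back even though the client never reached 8.8.8.8, and internal names resolve the same way. Note that this does not cover DNS over TLS or HTTPS (ports 853/443), which the redirect cannot capture.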
How can I make the DNAT?
Well, here are more details about my scenario.
In the FIREWALL section -> Definitions -> Addresses there are all the IP address groups and single IP addresses of the network, so those definitions are by IP address. But now we have a DHCP/DNS server, so the IP addresses will be dynamic. So we need to create those definitions by DNS hostname; those definitions are used to block hosts from Internet access.
FIREWALL section -> Definitions -> Addresses
Are your internal clients using the UTM device as a DNS proxy?
If so, I suggest you don't.
Configure them to use the internal DNS server instead (via DHCP, I presume); then the names should resolve.
My internal clients are using 2 DNS servers.
First DNS: 192.168.2.100 (UTM Internal IP / Gateway)
Second DNS: 192.168.2.190 (DNS/DHCP)
So you suggest changing the DNS, and only leaving the internal DNS?
But the problem here, I suppose, is that my box (SnapGear) does not resolve the correct IP for the hostname (VIRTUAL). I changed the IP of the DNS server in the LAN configuration (the screenshots above were wrong), so now I changed the IP to 192.168.2.190 and tried it, but nothing... the client can pass to the Internet.
Yes, I am suggesting that since you already have a fully functional DNS server (probably linked to AD and DHCP), you use this, not the UTM DNS proxy.
So point all internal clients to use 192.168.2.190
Do not specify this address in the UTM config... let the UTM device use the DNS servers as set by the ISP.