I have a problem with a web server (WS) (Apache on Ubuntu 20.04 server), a Fortinet Firewall (FF) and Windows Active Directory (AD). My ISP recently upgraded my Internet connection and changed some configuration (static IP addresses and subnet). Before the upgrade, there was no problem. In particular, the AD was behind the FF while the WS was external to it (machines from local networks and from external networks reached the WS from the Internet).
After the upgrade, the configuration of AD and WS is still the same, but due to the change by my ISP, I have connection problems between my local network managed by AD and the WS. In detail, on Firefox I get an error message from the ISP's pfSense firewall: "potential DNS rebinding attack detected, try to access the WS via IP instead of hostname". On Chromium the problem is the same, but I get a less specific error. There is no problem, however, when connecting to the WS from any external network. I contacted my ISP asking about the error; they told me that they changed their configuration and that to solve the problem I should use their DNS only.
I know Apache and GNU/Linux quite well, whereas I'm not good at either AD or FF. I searched the web about changing the DNS for AD. So I set up a local machine (DHCP) as the local DNS and the one provided by the ISP as the external/forwarder DNS. However, the problem is still present. My first idea is to move the WS from outside the FF into a DMZ, in such a way that machines from the internal network could reach it as a local connection without passing through the Internet. However, this requires some changes in the FF configuration (I have to learn it). Is there something that I can do in the meantime? Something on AD? Thank you
Edit:
I attached a schematic of the network. On the first page, there is the network configuration before the upgrade by my ISP1.
The current network configuration is on the second page. In the meantime, I contacted my ISP again and they configured pfSense with split DNS as described here. Now, after configuring the AD with only the ISP1 DNS, the potential DNS rebinding attack problem seems solved.
I could leave the network configuration this way since it is working. However, I'm still planning to configure a DMZ as shown on the third page. In theory it should be enough to follow this guide.
Do you have any suggestions? Am I missing something?