Technical Tip: How to confirm if FortiADC is resolving DNS queries correctly
| Description | This article describes how to confirm that FortiADC can perform DNS resolution. |
| Scope | FortiADC. |
| Solution | To log in to FortiADC's shell mode, follow this article: Technical Tip: Get access to secure shell of FortiADC starting from v7.0.
From the shell, run dig @127.0.0.1 followed by the domain name. For example:
/# dig @127.0.0.1 www.fortinet.com
; <<>> DiG 9.18.0 <<>> @127.0.0.1 fortinet.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22966
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 27662f60cf534b060100000069273587600850f0040d4a1f (good)
;; QUESTION SECTION:
;fortinet.comUSA

;; ANSWER SECTION:
fortinet.com dnsfortiguard.net 54.151.118.105
fortinet.com dnsfortiguard.net 54.177.212.176

;; AUTHORITY SECTION:
fortinet.com 86400 defaultprimary.fortinet.com.

;; ADDITIONAL SECTION:
defaultprimary.fortinet.com. 86400 IN A 127.0.0.1

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Wed Nov 26 12:14:47 -05 2025
;; MSG SIZE rcvd: 157
Another way to check that FortiADC can resolve DNS records is to send a DNS query directly to one of its interfaces in a listening state.
config global-dns-server general
By default, listen-on-all-interface is enabled, which means a dig or nslookup query can be sent directly to any FortiADC interface.
CMD> nslookup -type={mx|cname|txt|a|aaaa|ptr|...} <FQDN-Domain> <FortiADC_IP-Add>
Related document: |
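The pass/fail reading of the dig output shown above can be scripted. The following is an added example, not part of the original article or Fortinet's tooling: the function name check_dig and the sample outputs are constructed for illustration. It checks the response status, the answer count, and that the reply came from the server that was queried.

```shell
#!/bin/sh
# Added example (not Fortinet code): verdict on dig output read from stdin.
# Usage: dig @127.0.0.1 www.fortinet.com | check_dig 127.0.0.1
check_dig() {
    want_server=$1
    out=$(cat)
    # Header line carries the response code; it is absent when nothing answered.
    status=$(printf '%s\n' "$out" | sed -n 's/.*->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    # Flags line carries the record counts.
    answers=$(printf '%s\n' "$out" | sed -n 's/.*ANSWER: \([0-9][0-9]*\),.*/\1/p' | head -n 1)
    # Footer names the server that actually replied.
    server=$(printf '%s\n' "$out" | sed -n 's/^;; SERVER: \([^#]*\)#.*/\1/p' | head -n 1)
    if [ -z "$status" ]; then echo "FAIL no-response"; return 1; fi
    if [ "$server" != "$want_server" ]; then echo "FAIL wrong-server $server"; return 1; fi
    if [ "$status" != "NOERROR" ]; then echo "FAIL $status"; return 1; fi
    if [ "${answers:-0}" -eq 0 ]; then echo "FAIL empty-answer"; return 1; fi
    echo "OK $answers answer(s) from $server"
}

# Constructed sample outputs (trimmed dig replies, documentation addresses).
sample_ok() { cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1001
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2
;; ANSWER SECTION:
example.com. 300 IN A 192.0.2.10
example.com. 300 IN A 192.0.2.11
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
EOF
}
sample_nx() { cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1002
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
EOF
}
sample_timeout() { cat <<'EOF'
;; no servers could be reached
EOF
}

sample_ok | check_dig 127.0.0.1
sample_nx | check_dig 127.0.0.1 || true
sample_timeout | check_dig 127.0.0.1 || true
```

When testing the second method, pass the FortiADC interface address that was queried as the argument, so a reply from any other resolver is reported as wrong-server.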
