Technical Tip: Configuration per VDOM DNS
Description
This article describes how to configure different DNS servers for a specific VDOM. When VDOMs are enabled on a FortiGate, the DNS servers set in the global configuration are used by all VDOMs by default.
Scope
FortiGate.
Solution
To configure different DNS servers for a specific VDOM, enter the VDOM, enable vdom-dns and set the servers (the 'config system vdom-dns' block is what overrides the global DNS for that VDOM):
config vdom
edit <vdom name>
config system vdom-dns
set vdom-dns enable
set primary {ipv4-address}
set secondary {ipv4-address}
set source-ip {ipv4-address}
set interface-select-method [auto|sdwan|...]
set interface {string}
end
end
Example:
Global DNS:
dracarys-kvm13 (global) # show system dns
config system dns
set primary 10.40.0.3
set secondary 208.91.112.52
end
VDOM DNS:
dracarys-kvm13 # config vdom
dracarys-kvm13 (vdom) edit internal
dracarys-kvm13 (internal) # show system vdom-dns
config system vdom-dns
set vdom-dns enable
set primary 8.8.8.8
set secondary 4.2.2.2
end
Related article: Configuration for DNS database VDOM: Technical TIP: Different options of con... (Fortinet Community)
- If the FQDN for the dns-database must be resolved on a remote DNS server reachable over an IPsec tunnel or another interface, the source IP must be specified. If the interface holding that IP is not part of the VDOM, the following error is shown:
x.x.x.x IP does not match any interface IP in the VDOM root.
node_check_object fail! for source-ip x.x.x.x
- Starting with v7.4.x firmware, a new feature allows specifying a source IP address for the DNS conditional forwarding server from interfaces other than root VDOM interfaces. See: Interfaces in non-management VDOMs as the source IP address of the DNS conditional forwarding server 7.4.1.
Example:
config system vdom-dns
set vdom-dns enable
set primary 10.10.10.1
set secondary 10.10.10.2
set source-ip x.x.x.x
end
config system dns-database
edit "example.com"
set domain "example.com"
set authoritative disable
set forwarder "10.10.10.1"
set source-ip 192.168.10.1 <--- IP of an interface that belongs to this VDOM.
next
end
- When an FQDN is pinged from the internal VDOM, the query is sent to the vdom-dns servers instead of the DNS servers set in Global. The sniffer output below shows the queries leaving towards 8.8.8.8 and 4.2.2.2, not towards 10.40.0.3 or 208.91.112.52.
dracarys-kvm13 (internal) # execute ping test.com
PING test.com (67.225.146.248): 56 data bytes
^C
--- test.com ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss
dracarys-kvm13 (internal) # dia sniffer packet any "host 8.8.8.8 or host 4.2.2.2" 4 0 l
Using Original Sniffing Mode
interfaces=[any]
filters=[host 8.8.8.8 or host 4.2.2.2]
2021-09-29 12:52:26.960304 port3 out 10.40.51.13.3695 -> 8.8.8.8.53: udp 35
2021-09-29 12:52:29.264189 port3 out 10.40.51.13.3695 -> 4.2.2.2.53: udp 26
2021-09-29 12:52:29.303275 port3 in 4.2.2.2.53 -> 10.40.51.13.3695: udp 42
2021-09-29 12:52:31.966378 port3 out 10.40.51.13.3695 -> 4.2.2.2.53: udp 35
2021-09-29 12:52:32.005244 port3 in 4.2.2.2.53 -> 10.40.51.13.3695: udp 302
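The sniffer check above can be automated when reviewing captures from several VDOMs. The following Python script is an added example (not part of the article or of FortiOS): it parses 'diagnose sniffer packet' verbosity-4 lines, extracts the resolvers the VDOM actually sent queries to, and compares them against the vdom-dns and global server sets from this article. The sample lines are the ones shown above, embedded as constructed test data; the GLOBAL_DNS and VDOM_DNS sets are taken from the article's configuration examples.

```python
import re

# Constructed sample: the sniffer lines shown in the article above, captured
# in the 'internal' VDOM (static test data, not a live capture).
SNIFFER_OUTPUT = """\
2021-09-29 12:52:26.960304 port3 out 10.40.51.13.3695 -> 8.8.8.8.53: udp 35
2021-09-29 12:52:29.264189 port3 out 10.40.51.13.3695 -> 4.2.2.2.53: udp 26
2021-09-29 12:52:29.303275 port3 in 4.2.2.2.53 -> 10.40.51.13.3695: udp 42
2021-09-29 12:52:31.966378 port3 out 10.40.51.13.3695 -> 4.2.2.2.53: udp 35
2021-09-29 12:52:32.005244 port3 in 4.2.2.2.53 -> 10.40.51.13.3695: udp 302
"""

# Resolver sets taken from the article's 'show system dns' / 'show system vdom-dns' output.
GLOBAL_DNS = {"10.40.0.3", "208.91.112.52"}
VDOM_DNS = {"internal": {"8.8.8.8", "4.2.2.2"}}

# One verbosity-4 sniffer line: timestamp, interface, direction, src.port -> dst.port: proto len
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<intf>\S+) (?P<dir>in|out) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<proto>\w+) (?P<len>\d+)$"
)


def parse_sniffer(text):
    """Parse sniffer output lines into dicts; lines that do not match are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        for key in ("sport", "dport", "len"):
            d[key] = int(d[key])
        pkts.append(d)
    return pkts


def queried_servers(pkts):
    """Resolvers the VDOM sent DNS queries to (outbound UDP to port 53)."""
    return {p["dst"] for p in pkts
            if p["dir"] == "out" and p["proto"] == "udp" and p["dport"] == 53}


def answering_servers(pkts):
    """Resolvers that actually replied (inbound UDP from port 53)."""
    return {p["src"] for p in pkts
            if p["dir"] == "in" and p["proto"] == "udp" and p["sport"] == 53}


def check_vdom_dns(vdom, pkts):
    """Compare observed resolvers with the expected per-VDOM and global sets."""
    used = queried_servers(pkts)
    expected = VDOM_DNS.get(vdom, set())
    return {
        "used": used,
        # True only if every query went to a vdom-dns server
        "uses_vdom_dns": bool(used) and used <= expected,
        # Queries that still went to the global resolvers (override not effective)
        "leaked_to_global": used & GLOBAL_DNS,
        # Queries to servers configured nowhere (worth investigating)
        "unexpected": used - expected - GLOBAL_DNS,
        # Servers that were asked but never answered in this capture
        "unanswered": used - answering_servers(pkts),
    }


if __name__ == "__main__":
    result = check_vdom_dns("internal", parse_sniffer(SNIFFER_OUTPUT))
    for k, v in result.items():
        print(f"{k}: {sorted(v) if isinstance(v, set) else v}")
```

In the article's capture the result confirms the override is effective (all queries go to 8.8.8.8 or 4.2.2.2, none to the global servers) and also reveals that 8.8.8.8 never answered, which matches the failure counters in the dnsproxy output further down.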
- The 'diagnose test application dnsproxy 3' command displays the DNS settings in use for each VDOM, including the per-server request, timeout and failure counters.
diagnose test application dnsproxy 3
worker idx: 0
VDOM: root, index=0, is primary, vdom dns is enabled, pip-0.0.0.0 dns_log=1
dns64 is disabled
DNS servers:
10.40.0.3:53 vrf=0 tz=0 encrypt=none req=4 to=0 res=0 rt=0 ready=1 timer=0 probe=0 failure=0 last_failed=0
208.91.112.52:53 vrf=0 tz=0 encrypt=none req=1 to=0 res=1 rt=1 ready=1 timer=0 probe=0 failure=0 last_failed=0
SDNS servers:
ALT servers:
Interface selecting method: auto
Specified interface:
FortiGuard interface selecting method: auto
FortiGuard specified interface:
VDOM: internal, index=3, is primary, vdom dns is enabled, pip-0.0.0.0 dns_log=1
dns64 is disabled
DNS servers:
8.8.8.8:53 vrf=0 tz=0 encrypt=none req=11 to=9 res=0 rt=1494 ready=1 timer=0 probe=0 failure=6 last_failed=458
4.2.2.2:53 vrf=0 tz=0 encrypt=none req=15 to=7 res=0 rt=1493 ready=1 timer=0 probe=0 failure=5 last_failed=958
SDNS servers:
ALT servers:
Interface selecting method: auto
Specified interface:
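To make the dnsproxy output usable for a quick audit across many VDOMs, the following Python script is an added example (it is not part of the article and not a FortiOS tool): it parses the 'diagnose test application dnsproxy 3' output shown above into a per-VDOM structure, checks the configured resolvers against an expected map, and flags servers whose counters indicate they are not answering. The embedded text is the article's own output reused as constructed sample data; the health rule (any failure, or timeouts with zero responses) is an assumption chosen for this example, not a FortiOS definition.

```python
import re

# Constructed sample: the dnsproxy output shown in the article above (two VDOMs).
DNSPROXY_OUTPUT = """\
worker idx: 0
VDOM: root, index=0, is primary, vdom dns is enabled, pip-0.0.0.0 dns_log=1
dns64 is disabled
DNS servers:
10.40.0.3:53 vrf=0 tz=0 encrypt=none req=4 to=0 res=0 rt=0 ready=1 timer=0 probe=0 failure=0 last_failed=0
208.91.112.52:53 vrf=0 tz=0 encrypt=none req=1 to=0 res=1 rt=1 ready=1 timer=0 probe=0 failure=0 last_failed=0
SDNS servers:
ALT servers:
Interface selecting method: auto
Specified interface:
FortiGuard interface selecting method: auto
FortiGuard specified interface:
VDOM: internal, index=3, is primary, vdom dns is enabled, pip-0.0.0.0 dns_log=1
dns64 is disabled
DNS servers:
8.8.8.8:53 vrf=0 tz=0 encrypt=none req=11 to=9 res=0 rt=1494 ready=1 timer=0 probe=0 failure=6 last_failed=458
4.2.2.2:53 vrf=0 tz=0 encrypt=none req=15 to=7 res=0 rt=1493 ready=1 timer=0 probe=0 failure=5 last_failed=958
SDNS servers:
ALT servers:
Interface selecting method: auto
Specified interface:
"""

VDOM_RE = re.compile(r"^VDOM: (?P<name>[^,]+), index=(?P<index>\d+)")
SERVER_RE = re.compile(r"^(?P<ip>\d+\.\d+\.\d+\.\d+):(?P<port>\d+)\s+(?P<kv>.*)$")


def parse_dnsproxy(text):
    """Return {vdom_name: {"index", "servers": [...], "interface_select_method"}}."""
    vdoms, current, section = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = VDOM_RE.match(line)
        if m:  # start of a new VDOM block
            current = {"index": int(m["index"]), "servers": [], "interface_select_method": None}
            vdoms[m["name"]] = current
            section = None
            continue
        if current is None:
            continue  # header lines before the first VDOM (e.g. 'worker idx')
        if line.endswith(" servers:"):
            section = line[: -len(" servers:")]  # "DNS", "SDNS" or "ALT"
            continue
        if line.startswith("Interface selecting method:"):
            current["interface_select_method"] = line.split(":", 1)[1].strip()
            continue
        m = SERVER_RE.match(line)
        if m and section == "DNS":
            stats = dict(kv.split("=", 1) for kv in m["kv"].split())
            server = {"ip": m["ip"], "port": int(m["port"]), "encrypt": stats.pop("encrypt")}
            server.update({k: int(v) for k, v in stats.items()})
            current["servers"].append(server)
    return vdoms


def verify_expected(vdoms, expected):
    """List VDOMs whose configured resolvers differ from the expected map."""
    mismatches = []
    for name, want in expected.items():
        got = {s["ip"] for s in vdoms.get(name, {"servers": []})["servers"]}
        if got != set(want):
            mismatches.append((name, sorted(got), sorted(want)))
    return mismatches


def unhealthy_servers(vdoms):
    """Per VDOM, resolvers with failures or timeouts and no responses (assumed rule)."""
    return {
        name: [s["ip"] for s in v["servers"]
               if s["failure"] > 0 or (s["to"] > 0 and s["res"] == 0)]
        for name, v in vdoms.items()
    }


if __name__ == "__main__":
    vd = parse_dnsproxy(DNSPROXY_OUTPUT)
    print(verify_expected(vd, {"root": {"10.40.0.3", "208.91.112.52"},
                               "internal": {"8.8.8.8", "4.2.2.2"}}))
    print(unhealthy_servers(vd))
```

On the article's output the expected map matches for both VDOMs, while both internal resolvers are flagged (high 'to' and 'failure' counts with 'res=0'), which is consistent with the 100% packet loss seen in the ping test.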