ezhupa
Staff
May 26, 2026

Troubleshooting Tip: DNS issues when WAN interface is DHCP


Description

This article describes how to resolve possible DNS issues when the WAN interface is in DHCP mode.

Scope

FortiGate.

Solution

In certain scenarios, the FortiGate will need to be deployed behind an ISP router.
In these cases, the ISP router will assign an IP address to the FortiGate WAN interface, and this WAN interface on the FortiGate will need to be in DHCP mode.




By default, 'Override internal DNS' is enabled on this interface. This might cause the ISP-pushed DNS to be delivered to end clients as well.

In cases of multiple WAN interfaces, if the WANs flap between one another, or failover between the WAN interfaces is being tested, this override setting can cause problems with DNS resolution for clients behind the FortiGate.


Solution:
In these cases, the 'Override internal DNS' setting would need to be disabled.
DNS override can be disabled either from the GUI by untoggling the option or in the CLI by running the commands below:


config system interface
    edit <WAN_port>
        set dns-server-override disable
end

The 'dns-server-override' option accepts the following values:

enable     Use DNS acquired by DHCP or PPPoE.
disable    Do not use DNS acquired by DHCP or PPPoE.


After this change, when testing failover between the WAN interfaces, no DNS resolution issues should be encountered.

Note:
This also applies when the interface is set to PPPoE and 'Override internal DNS' is enabled.


In SD-WAN deployments, enabling Override Internal DNS on a single DHCP WAN member may affect DNS behavior for the entire SD-WAN configuration.
For reference, see this article: Technical Tip: DHCP clients going to wrong DNS server
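
To check several interfaces at once, the following added example (not part of the original article and not Fortinet code) scans a saved configuration backup for DHCP or PPPoE interfaces where 'dns-server-override' is still in effect. The function name and the sample configuration are constructed for illustration. It assumes the backup lists only non-default settings, so a missing 'dns-server-override' line is treated as enabled, which the article states is the default.

```python
# Constructed sample of a FortiGate configuration backup (not from the article).
SAMPLE_CONFIG = """\
config system interface
    edit "wan1"
        set mode dhcp
        config ipv6
            set ip6-allowaccess ping
        end
    next
    edit "wan2"
        set mode pppoe
        set dns-server-override disable
    next
    edit "wan3"
        set mode pppoe
    next
    edit "internal"
        set ip 192.168.1.99 255.255.255.0
    next
end
"""

def interfaces_with_dns_override(config_text):
    """Return DHCP/PPPoE interfaces that still use the DNS pushed by upstream."""
    findings, in_section, depth = [], False, 0
    name, settings = None, {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not in_section:
            in_section = line == "config system interface"
        elif line.startswith("config "):   # nested block such as "config ipv6"
            depth += 1
        elif line == "end":
            if depth == 0:
                break                      # end of "config system interface"
            depth -= 1
        elif depth > 0:
            continue                       # ignore settings inside nested blocks
        elif line.startswith("edit "):
            name, settings = line[5:].strip('" '), {}
        elif line.startswith("set ") and name:
            key, _, value = line[4:].partition(" ")
            settings[key] = value.strip()
        elif line == "next" and name:
            # Assumption: a setting absent from the backup is at its default (enabled here).
            mode = settings.get("mode", "static")
            override = settings.get("dns-server-override", "enable")
            if mode in ("dhcp", "pppoe") and override == "enable":
                findings.append(name)
    return findings
```

For the constructed sample, the function returns wan1 and wan3; wan2 is skipped because the override is already disabled, and the static interface is not affected.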