Skip to main content
Radu_sec
Radu_sec
New Member
March 4, 2021
Question

Fortigate uses secondary DNS more instead of primary DNS configured Forti OS 5.4

  • March 4, 2021
  • 1 reply
  • 6136 views

Hello,

 

I've noticed that when using below configuration, Fortigate does not use the primary server as I would expect. Like first attempt to primary and if it fails (once or for some number of retries), go to secondary. It seems Fortigate chooses the server based on the RTT value to it and because the secondary has a lower latency attached, it uses it more often.

 

config system dns set primary 1.1.1.1 set secondary 2.2.2.2 end

 

Is there any workaround or configuration to change this behavior? 

 

Brm

Radu 

    1 reply

    emnoc
    emnoc
    New Member
    March 4, 2021

    Why? if nothing is broken why do you need to change the behavior?

     

    I would test both dns server by including only-one in the system dns config and make sure it works. if you need to adjust timeout and retries, you have two option in cli that you can set 

     

    config system dns

      set timeout xxx

      set retry xxx

    end

     

    But I rarely even seen or had to use that setting except in very bad performance networks.

     

    Ken Felix

    Radu_sec
    Radu_secAuthor
    New Member
    March 4, 2021

    Hi Ken,

     

    When using FQDNs in policies that are  rapid changing (TTL =5 sec for ex) I need basically to have a sync between the client (whose traffic is passing through the Fortigate)  and the Fortigate. Both the client and the Fortigate are using the same DNS servers but windows DNS client behaves differently than the Fortigate. Basically it seems to lock to the primary working DNS server and only in case of failure goes to the secondary. Problem is that FQDNs like Amazon CDN ones are rapidly changing and if the client and the server will end up using different servers there will be an out of sync scenario. 

    I tried using the cache-ttl option in the FQDN, but does not help that much. One solution would be that both the client and the Fortigate use the same DNS (I can't configure just one on the Fortigate due to redundancy need). 

    Hope you got my point. Don't know what Fortinet's solution to these kind of mismatches is (perhaps wildcard FQDNs or using application control signatures instead of FQDNs). 

     

    BR,

    Radu

    emnoc
    emnoc
    New Member
    March 4, 2021

    Point taken.

     

    This problem is always a concern in low TTL A records. The problem you have to understand that the query lookup by the FGT and the dns-resolver are not always happening at the same time so the cache TTL value will not always be in-sync as you pointed out.

     

    So when the web-user put "www.example.com" in the browser and resolve it to x.x.x.x , the fgt is doing the same (if not cached already ) at some later time.

     

    You could try setting up dedicated internal windows-dns-server and point the clients and fgt to the same dns-system and see if that helps.

     

    One other item that could be deployed is to use explicit-proxy hosted on the fortigate. I think that would prevent a lot of these issues but the cost of adding a proxy for http/https in the mix.

     

    Ken Felix

     

    Terms & ConditionsAccessibility statement