Skip to main content
Toshi_Esumi
SuperUser
Toshi_Esumi
SuperUser
December 18, 2023
Solved

How VDOM-DNS works

  • December 18, 2023
  • 1 reply
  • 4970 views

I'm referring two KBs below for this issue:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiGate-alt-primary-alt-secondary-DNS-server/ta-p/275269
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuration-per-VDOM-DNS/ta-p/190815

But in reality with 7.0.13, the vdom-dns config accepts only alt-primary/alt-secondary unlike the 2nd KB describes.
With this, how is the DNS decided at the vdom (test-vdom)? Always ask global primary/secondary first? Then only when they're unreachable vdom-dns is used? Or only vdom-dns is used? I prefer the latter behavior but not sure.

Also, what protocol would be used if alt-primary/alt-secondary was chosen? Same as the primary/secondary?

 

fg40f-utm (global) # config sys dns   fg40f-utm (dns) # get primary             : 96.45.45.45 secondary           : 96.45.46.46 protocol            : dot ssl-certificate     : Fortinet_Factory server-hostname     : "globalsdns.fortinet.net" domain              : ip6-primary         : :: ip6-secondary       : :: timeout             : 5 retry               : 2 dns-cache-limit     : 5000 dns-cache-ttl       : 1800 cache-notfound-responses: disable source-ip           : 0.0.0.0 interface-select-method: auto server-select-method: least-rtt alt-primary         : 0.0.0.0 alt-secondary       : 0.0.0.0 log                 : disable   fg40f-utm (test-vdom) # config system vdom-dns   fg40f-utm (vdom-dns) # get vdom-dns            : disable alt-primary         : 0.0.0.0 alt-secondary       : 0.0.0.0


Toshi

 

Best answer by Debbie_FTNT

Hey Toshi,

can you please try the following?
#config vdom
#edit <>
#config system vdom-dns

#set vdom-dns enable

#set primary/secondary [...]

 

This is from a 7.2.6 FGT; the 'set primary/secondary' options only become available after vdom-dns is enabled.

 

image.png

 

The alt-primary and alt-secondary settings were added in 7.0 as far as I can tell, and are used only if neither primary nor secondary DNS server can resolve the hostname (not as a failover for timeout, but explicitly when hostnames fail to resolve), and the protocol should be the same as for primary/secondary.
Use cases would be to have one set as internal DNS and one set as external DNS, for example.
EDIT: I found a KB on this: https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiGate-alt-primary-alt-secondary-DNS-server/ta-p/275269

1 reply

Debbie_FTNT
Staff & Editor
Debbie_FTNTAnswer
Staff & Editor
December 19, 2023

Hey Toshi,

can you please try the following?
#config vdom
#edit <>
#config system vdom-dns

#set vdom-dns enable

#set primary/secondary [...]

 

This is from a 7.2.6 FGT; the 'set primary/secondary' options only become available after vdom-dns is enabled.

 

image.png

 

The alt-primary and alt-secondary settings were added in 7.0 as far as I can tell, and are used only if neither primary nor secondary DNS server can resolve the hostname (not as a failover for timeout, but explicitly when hostnames fail to resolve), and the protocol should be the same as for primary/secondary.
Use cases would be to have one set as internal DNS and one set as external DNS, for example.
EDIT: I found a KB on this: https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiGate-alt-primary-alt-secondary-DNS-server/ta-p/275269

    Toshi_Esumi
    SuperUser
    Toshi_EsumiAuthor
    SuperUser
    December 19, 2023

    Thanks Debibe as usual. Then we can't make 8.8.8.8/8.8.8.4 as alternative DNS if the primary/secondary's protocol:dot.

     

    Toshi

    Terms & ConditionsAccessibility statement