It is a common practice in a multi-vdom system, as a system DNS, to use a public DNS server like FortiGuard server or any other publicly available provider. This is fine till the moment when there are FW rules configured with internal FQDN objects as the destination on some of the VDOMS. In the diagram below is shown a typical scenario. FortiGate with a few VDOMs. The VDOM root is the management VDOM with a connection to the internet and NPU links connected to one of the internal VDOM 'backend'. 

With the default configuration, all VDOMs will use the system DNS to resolve FQDNs:

config system dns
    set primary 96.45.45.45
    set secondary 96.45.46.46
end

If there are firewall rules on backend VDOM with FQDN as destination like below, then the system DNS cannot resolve those FQDNs, because publicly available DNS servers are used.

config firewall policy
    edit 1
        set name "test"
        set uuid 92782700-f00c-51ed-4fd8-2f2bd5654d53
        set srcintf "dmz"
        set dstintf "npu0_vlink1"
        set action accept
        set srcaddr "all"
        set dstaddr "servera.plant1" "serverb.plant1" "serverc.plant1"
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

config firewall address
    edit "servera.plant1"
        set uuid f468c8d0-c335-51f0-5d54-f0246836a0f4
        set type fqdn
        set fqdn "servera.plant1"
    next
    edit "serverb.plant1"
        set uuid ffc0ed16-c335-51f0-a4aa-57c30f711c20
        set type fqdn
        set fqdn "serverb.plant1"
    next
    edit "serverc.plant1"
        set uuid 0d5d1f1c-c336-51f0-4a07-b1efeb058122
        set type fqdn
        set fqdn "serverc.plant1"
    next
end

FortiOS provides the possibility to configure a VDOM DNS for non-management VDOMs. This means that if the management VDOM is root, then for any other VDOM can be configured a separate DNS which can resolve the internal FQDNs.

For the backend, VDOM will be used as an internal DNS with IP 192.168.1.70, which is connected to the root VDOM.

Backend VDOM DNS configuration:

config vdom

    edit backend

        config system vdom-dns
            set vdom-dns enable <---By default is disabled.
            set primary 192.168.1.70 <--- IP address of the VDOM DNS server.
            set source-ip 192.168.2.1 <--- Source IP used to query the VDOM DNS server.
            set interface-select-method specify
            set interface "npu0_vlink1"  <--- Outgoing interface.
        end

    end

end

A static route for the DNS server on the backend VDOM is also needed:

config router static
    edit 1
        set dst 192.168.1.70 255.255.255.255
        set gateway 192.168.2.2 <-- IP of the root VDOM NPU link
        set device "npu0_vlink1"
    next
end

On the root VDOM is needed a firewall rule is needed which allows the DNS traffic from the backend VDOM to the DNS server 192.168.1.70:

config firewall policy
........
    edit 5
        set name "DMZ-to-LAN"
        set uuid d42c26fc-c335-51f0-4bbd-d54f849c3916
        set srcintf "npu0_vlink0"
        set dstintf "lan"
        set action accept
        set srcaddr "h-192.168.2.1"
        set dstaddr "h-192.168.1.70"
        set schedule "always"
        set service "DNS"
        set nat enable
    next
end

Output from 'diagnose test application dnsproxy 6' shows a dump of the FQDN on FortiGate:

diagnose test application dnsproxy 6
worker idx: 0
vfid=1 name=serverc.plant1 ver=IPv4 wait_list=0 timer=2310 min_ttl=3600 cache_ttl=0 slot=-1 num=1 wildcard=0
192.168.1.242 (ttl=86400:86393:86393)
vfid=1 name=serverb.plant1 ver=IPv4 wait_list=0 timer=2269 min_ttl=3600 cache_ttl=0 slot=-1 num=1 wildcard=0
192.168.1.241 (ttl=86400:86381:86381)
vfid=1 name=servera.plant1 ver=IPv4 wait_list=0 timer=2337 min_ttl=3600 cache_ttl=0 slot=-1 num=1 wildcard=0
192.168.1.240 (ttl=86400:86389:86389)
FQDN num=3