Description

This article describes how to configure different DNS servers for a specific VDOM. Having VDOM enabled in FortiGate, DNS set in global will be used by all the VDOMs.

Scope

FortiGate.

Solution

To configure different DNS servers for a specific VDOM, follow the below steps:

config vdom
    edit <vdom name>
        set primary {ipv4-address}
        set secondary {ipv4-address}
        set source-ip {ipv4-address}
        set interface-select-method [auto|sdwan|...]
        set interface {string}
end

Example.

Global DNS.

dracarys-kvm13 (global) # show system dns
config system dns
    set primary 10.40.0.3
    set secondary 208.91.112.52
end

VDOM DNS.

dracarys-kvm13 # config vdom
dracarys-kvm13 (vdom) edit internal
dracarys-kvm13 (internal) # show system  vdom-dns
config system vdom-dns
    set vdom-dns enable
    set primary 8.8.8.8
    set secondary 4.2.2.2
end

Configuration for DNS database VDOM: Technical TIP: Different options of con... - Fortinet Community

• If it is necessary to resolve the FQDN for dns-database on a remote DNS server over an IPsec tunnel or interface it requires specifying the source IP if the interface is not part of the VDOM it shows an error.
  
  

x.x.x.x IP does not match any interface IP in the VDOM root.

node_check_object fail! for source-ip x.x.x.x

• This issue is added as a new feature from v7.4.x firmware to allow specifying source IP address for DNS conditional forwarding server from interfaces other than root VDOM interfaces: Interfaces in non-management VDOMs as the source IP address of the DNS conditional forwarding server...

Example: 

config system vdom-dns
    set vdom-dns enable
    set primary 10.10.10.1
    set secondary 10.10.10.2
    set source-ip x.x.x.x
end

config system dns-database
    edit "example.com"
        set domain "example.com"
        set authoritative disable
        set forwarder "10.10.10.1"
        set source-ip 192.168.10.1     <--- Interface IP.
    next
end

• When FQDN is pinged from internal VDOM, it will use vdom-dns instead of DNS set in Global.
  
  

dracarys-kvm13 (internal) # execute ping test.com
PING test.com (67.225.146.248): 56 data bytes
^C
--- test.com ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss

dracarys-kvm13 (internal) # dia sniffer packet any "host 8.8.8.8 or host 4.2.2.2" 4 0 l
Using Original Sniffing Mode
interfaces=[any]
filters=[host 8.8.8.8 or host 4.2.2.2]

2021-09-29 12:52:26.960304 port3 out 10.40.51.13.3695 -> 8.8.8.8.53: udp 35
2021-09-29 12:52:29.264189 port3 out 10.40.51.13.3695 -> 4.2.2.2.53: udp 26
2021-09-29 12:52:29.303275 port3 in 4.2.2.2.53 -> 10.40.51.13.3695: udp 42
2021-09-29 12:52:31.966378 port3 out 10.40.51.13.3695 -> 4.2.2.2.53: udp 35
2021-09-29 12:52:32.005244 port3 in 4.2.2.2.53 -> 10.40.51.13.3695: udp 302

• The 'diagnose test application dnsproxy 3' would display the DNS settings.

diagnose test application dnsproxy 3
worker idx: 0
VDOM: root, index=0, is primary, vdom dns is enabled, pip-0.0.0.0 dns_log=1
dns64 is disabled
DNS servers:
10.40.0.3:53 vrf=0 tz=0 encrypt=none req=4 to=0 res=0 rt=0 ready=1 timer=0 probe=0 failure=0 last_failed=0
208.91.112.52:53 vrf=0 tz=0 encrypt=none req=1 to=0 res=1 rt=1 ready=1 timer=0 probe=0 failure=0 last_failed=0
SDNS servers:
ALT servers:
Interface selecting method: auto
Specified interface:
FortiGuard interface selecting method: auto
FortiGuard specified interface:

VDOM: internal, index=3, is primary, vdom dns is enabled, pip-0.0.0.0 dns_log=1
dns64 is disabled
DNS servers:
8.8.8.8:53 vrf=0 tz=0 encrypt=none req=11 to=9 res=0 rt=1494 ready=1 timer=0 probe=0 failure=6 last_failed=458
4.2.2.2:53 vrf=0 tz=0 encrypt=none req=15 to=7 res=0 rt=1493 ready=1 timer=0 probe=0 failure=5 last_failed=958
SDNS servers:
ALT servers:
Interface selecting method: auto
Specified interface: