FortiGate
js2
Staff
Article Id 190815

Description

This article describes how to configure different DNS servers for a specific VDOM.

When VDOMs are enabled on a FortiGate, the DNS servers configured in the global settings are used by all VDOMs unless a VDOM overrides them with its own vdom-dns configuration.

Solution

To configure different DNS servers for a specific VDOM, enter the VDOM, enable vdom-dns and set the servers there. The servers configured under system vdom-dns take precedence over the global DNS configuration for that VDOM only:

config vdom
    edit <vdom name>
        config system vdom-dns
            set vdom-dns enable
            set primary {ipv4-address}
            set secondary {ipv4-address}
            set source-ip {ipv4-address}
            set interface-select-method [auto|sdwan|...]
            set interface {string}
        end
    next
end

source-ip, interface-select-method and interface are optional. If a source-ip is set, it must be the address of an interface that belongs to this VDOM (see the note on the dns-database source IP below).

Example.

Global DNS.

dracarys-kvm13 (global) # show system dns
config system dns
    set primary 10.40.0.3
    set secondary 208.91.112.52
end

VDOM DNS.

dracarys-kvm13 # config vdom
dracarys-kvm13 (vdom) # edit internal
dracarys-kvm13 (internal) # show system vdom-dns
config system vdom-dns
    set vdom-dns enable
    set primary 8.8.8.8
    set secondary 4.2.2.2
end

Configuration for the DNS database in a VDOM (see also: Technical TIP: Different options of con... - Fortinet Community):

  • If the FQDN handled by the dns-database must be resolved by a remote DNS server reachable over an IPsec tunnel or a specific interface, the source IP has to be specified. The source IP must belong to an interface in the same VDOM; if it does not, the CLI rejects the setting with an error such as:

x.x.x.x IP does not match any interface IP in the VDOM root.

node_check_object fail! for source-ip x.x.x.x

  • Starting with FortiOS 7.4.x, a new feature allows an interface in a non-management VDOM to be used as the source IP address of a DNS conditional forwarding server, so the source IP is no longer limited to root VDOM interfaces. See:

Interfaces in non-management VDOMs as the source IP address of the DNS conditional forwarding server...

Example:

config system vdom-dns
    set vdom-dns enable
    set primary 10.10.10.1
    set secondary 10.10.10.2
    set source-ip x.x.x.x
end

config system dns-database
    edit "example.com"
        set domain "example.com"
        set authoritative disable
        set forwarder "10.10.10.1"
        set source-ip 192.168.10.1    <--- Interface IP.
    next
end
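The interface-ownership rule for source-ip can be checked before a configuration is pushed. The Python script below is an added example written for this article, not Fortinet code: it parses a FortiOS-style configuration dump (the sample embedded in it is constructed for this example and reuses the port3 / 192.168.10.1 addresses seen above) and reports every VDOM-scoped source-ip that is not owned by an interface in that VDOM, which is the condition behind the "IP does not match any interface IP in the VDOM" error. It assumes interfaces are listed under config system interface with set vdom and set ip, and it understands only the config/edit/set/next/end structure.

```python
"""Pre-flight check for per-VDOM DNS source IPs (added example, not Fortinet code).

Parses a FortiOS-style configuration dump and verifies that every `set source-ip`
under `config system vdom-dns` or `config system dns-database` inside a VDOM refers
to an IP address owned by an interface assigned to that same VDOM."""
from ipaddress import ip_address

# Constructed sample config: port3 belongs to root, port5 to internal. The second
# source-ip (10.40.51.13) is deliberately wrong: it is a root interface address.
SAMPLE_CONFIG = """\
config global
    config system interface
        edit "port3"
            set vdom "root"
            set ip 10.40.51.13 255.255.255.0
        next
        edit "port5"
            set vdom "internal"
            set ip 192.168.10.1 255.255.255.0
        next
    end
end
config vdom
    edit internal
        config system vdom-dns
            set vdom-dns enable
            set primary 10.10.10.1
            set secondary 10.10.10.2
            set source-ip 192.168.10.1
        end
        config system dns-database
            edit "example.com"
                set domain "example.com"
                set authoritative disable
                set forwarder "10.10.10.1"
                set source-ip 10.40.51.13
            next
        end
    next
end
"""


def iter_sets(config_text):
    """Yield (path, key, value) for each `set` line; path is the tuple of the
    enclosing config/edit names, e.g. ('vdom', 'internal', 'system vdom-dns')."""
    stack = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line[len("config "):])
        elif line.startswith("edit "):
            stack.append(line[len("edit "):].strip('"'))
        elif line in ("next", "end"):
            stack.pop()
        elif line.startswith("set "):
            key, _, value = line[len("set "):].partition(" ")
            yield tuple(stack), key, value.strip().strip('"')


def interface_ips_by_vdom(config_text):
    """Map vdom name -> {interface IP: interface name} from `config system interface`."""
    interfaces = {}
    for path, key, value in iter_sets(config_text):
        if len(path) >= 2 and path[-2] == "system interface":
            entry = interfaces.setdefault(path[-1], {})
            if key == "vdom":
                entry["vdom"] = value
            elif key == "ip":            # "set ip <address> <netmask>"
                entry["ip"] = value.split()[0]
    by_vdom = {}
    for name, entry in interfaces.items():
        if "vdom" in entry and "ip" in entry:
            by_vdom.setdefault(entry["vdom"], {})[entry["ip"]] = name
    return by_vdom


def check_source_ips(config_text):
    """Return one finding per VDOM-scoped source-ip: (vdom, object, ip, verdict)."""
    by_vdom = interface_ips_by_vdom(config_text)
    findings = []
    for path, key, value in iter_sets(config_text):
        if key != "source-ip" or "vdom" not in path:
            continue
        vdom = path[path.index("vdom") + 1]
        obj = "/".join(path[path.index("vdom") + 2:])
        if value == "0.0.0.0":                 # default: no source IP pinned
            continue
        ip_address(value)                      # raises ValueError on a malformed address
        owner = by_vdom.get(vdom, {}).get(value)
        verdict = ("ok (%s)" % owner if owner else
                   "%s IP does not match any interface IP in the VDOM %s" % (value, vdom))
        findings.append((vdom, obj, value, verdict))
    return findings


if __name__ == "__main__":
    for finding in check_source_ips(SAMPLE_CONFIG):
        print(finding)
```

Run against a real backup (`execute backup config` output or `show full-configuration`), the script flags the dns-database entry whose source-ip belongs to another VDOM's interface; the vdom-dns source-ip owned by port5 passes. A source-ip of 0.0.0.0 is skipped because that is the unset default.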


  • When an FQDN is pinged from the internal VDOM, the lookup uses the vdom-dns servers (8.8.8.8 and 4.2.2.2) rather than the global DNS servers (10.40.0.3 and 208.91.112.52). The sniffer output below confirms this: the queries leave port3 toward 8.8.8.8 and 4.2.2.2, and 4.2.2.2 answers. Name resolution itself succeeded (test.com resolved to 67.225.146.248); the ICMP packet loss is unrelated to DNS.

dracarys-kvm13 (internal) # execute ping test.com
PING test.com (67.225.146.248): 56 data bytes
^C
--- test.com ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss

dracarys-kvm13 (internal) # dia sniffer packet any "host 8.8.8.8 or host 4.2.2.2" 4 0 l
Using Original Sniffing Mode
interfaces=[any]
filters=[host 8.8.8.8 or host 4.2.2.2]

2021-09-29 12:52:26.960304 port3 out 10.40.51.13.3695 -> 8.8.8.8.53: udp 35
2021-09-29 12:52:29.264189 port3 out 10.40.51.13.3695 -> 4.2.2.2.53: udp 26
2021-09-29 12:52:29.303275 port3 in 4.2.2.2.53 -> 10.40.51.13.3695: udp 42
2021-09-29 12:52:31.966378 port3 out 10.40.51.13.3695 -> 4.2.2.2.53: udp 35
2021-09-29 12:52:32.005244 port3 in 4.2.2.2.53 -> 10.40.51.13.3695: udp 302
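The same verification can be done offline on a saved sniffer capture. The script below is an added example written for this article, not Fortinet code: it parses the verbosity-4 `diagnose sniffer packet` lines shown above (embedded as a constant) and reports which resolvers were queried from the VDOM, which answered, and whether any query leaked to the global DNS servers. It assumes the one-line timestamped format printed with timestamp option `l` and counts only UDP/53 packets.

```python
"""Check which resolvers a VDOM actually queried, from `diagnose sniffer packet`
output (added example, not Fortinet code). The capture lines are the ones shown
in this article; the server sets mirror its global and vdom-dns settings."""
import re
from collections import Counter

# Lines printed by: dia sniffer packet any "host 8.8.8.8 or host 4.2.2.2" 4 0 l
CAPTURE = """\
2021-09-29 12:52:26.960304 port3 out 10.40.51.13.3695 -> 8.8.8.8.53: udp 35
2021-09-29 12:52:29.264189 port3 out 10.40.51.13.3695 -> 4.2.2.2.53: udp 26
2021-09-29 12:52:29.303275 port3 in 4.2.2.2.53 -> 10.40.51.13.3695: udp 42
2021-09-29 12:52:31.966378 port3 out 10.40.51.13.3695 -> 4.2.2.2.53: udp 35
2021-09-29 12:52:32.005244 port3 in 4.2.2.2.53 -> 10.40.51.13.3695: udp 302
"""
GLOBAL_DNS = {"10.40.0.3", "208.91.112.52"}   # `show system dns` in global
VDOM_DNS = {"8.8.8.8", "4.2.2.2"}             # `show system vdom-dns` in internal

# verbosity-4 line: <date> <time> <iface> <in|out> <src>.<sport> -> <dst>.<dport>: <proto> <len>
LINE_RE = re.compile(
    r"^\S+ \S+ (?P<iface>\S+) (?P<dir>in|out) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<proto>\w+) (?P<len>\d+)"
)


def parse_capture(text):
    """Return a list of dicts, one per line that matches the sniffer packet format;
    banner lines such as "interfaces=[any]" are ignored."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            for k in ("sport", "dport", "len"):
                d[k] = int(d[k])
            packets.append(d)
    return packets


def dns_summary(text):
    """Count resolvers queried (outbound UDP/53), resolvers that answered
    (inbound from UDP/53) and the source addresses the VDOM used."""
    packets = parse_capture(text)
    udp = [p for p in packets if p["proto"] == "udp"]
    queried = Counter(p["dst"] for p in udp if p["dir"] == "out" and p["dport"] == 53)
    answered = Counter(p["src"] for p in udp if p["dir"] == "in" and p["sport"] == 53)
    sources = {p["src"] for p in udp if p["dir"] == "out" and p["dport"] == 53}
    return {"queried": dict(queried), "answered": dict(answered), "sources": sources}


def vdom_dns_override_effective(text, vdom_dns, global_dns):
    """True when every DNS query in the capture went to a vdom-dns server; also
    reports queries that leaked to a global server or went somewhere unexpected."""
    summary = dns_summary(text)
    queried = set(summary["queried"])
    return {
        "effective": bool(queried) and queried <= vdom_dns,
        "leaked_to_global": queried & global_dns,
        "unexpected": queried - vdom_dns - global_dns,
        "answered_by": set(summary["answered"]),
    }


if __name__ == "__main__":
    print(dns_summary(CAPTURE))
    print(vdom_dns_override_effective(CAPTURE, VDOM_DNS, GLOBAL_DNS))
```

One caveat when reusing this check: the sniffer filter used in the article only captures traffic to 8.8.8.8 and 4.2.2.2, so a query that still went to a global server would never appear in the capture. To detect leakage, sniff with a filter such as "udp port 53" from inside the VDOM and then run the capture through vdom_dns_override_effective.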