Created on 05-28-2021 12:57 AM
Edited on 09-09-2025 11:16 PM
By Jean-Philippe_P
Description
This article describes how to configure a DNS health check monitor for server load balancing.
Scope
FortiGate.
Solution
A DNS health check monitor can be configured for server load balancing.
The monitor probes the real servers with DNS requests sent over TCP or UDP.
The FortiGate queries the configured request domain and verifies the response by checking that the address returned for that domain matches the configured DNS match IP address.
The DNS health check monitor does not support IPv6.
Example:
In this example, a DNS health check monitor is created and used in a VIP.
The FortiGate sends the DNS request on UDP port 53 to the configured real servers every 30 seconds.
If the DNS response from a real server matches the DNS match IP address, the real server is marked as 'Active'.
Otherwise, it is marked as 'Down'.
To configure the health check monitor:
config firewall ldb-monitor
    edit "dns-monitor-1"
        set type dns
        set interval 30
        set port 53
        set src-ip 172.16.200.10
        set dns-request-domain "pc4.qa.fortinet.com"
        set dns-match-ip 172.16.200.44
    next
end
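To make the match rule concrete, the following is an added Python example (not Fortinet code and not part of this article) of a probe that does what the monitor above does: it sends an A query for dns-request-domain over UDP port 53, parses the reply, and reports the server as 'Active' only if an answer record equals dns-match-ip. The embedded reply is constructed for the pc4.qa.fortinet.com / 172.16.200.44 case; the fixed transaction id and the probe() helper are assumptions of this example.

```python
import socket
import struct
TXID = 0x1234  # constructed transaction id; a real probe should randomise it per query
def build_query(domain: str) -> bytes:
    """Standard recursion-desired DNS query for the A record of `domain`."""
    header = struct.pack("!HHHHHH", TXID, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode() for label in domain.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
def _skip_name(msg: bytes, off: int) -> int:  # offset just past a (possibly compressed) name
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1
def parse_a_records(msg: bytes) -> list[str]:
    """A-record IPs in the answer section; [] if the reply is unusable."""
    if len(msg) < 12:
        return []
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != TXID or not flags & 0x8000 or flags & 0x000F:  # wrong id, not a response, or RCODE != 0
        return []
    off = 12
    for _ in range(qd):  # skip the echoed question section
        off = _skip_name(msg, off) + 4
    ips = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return ips
def response_is_healthy(msg: bytes, match_ip: str) -> bool:
    return match_ip in parse_a_records(msg)  # the monitor's rule: Active only on a matching A record
def probe(server_ip: str, domain: str, match_ip: str, port: int = 53, timeout: float = 2.0) -> bool:
    """Query one real server over UDP; a timeout or unusable reply counts as Down."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(domain), (server_ip, port))
            data, _ = s.recvfrom(512)
        except OSError:
            return False
    return response_is_healthy(data, match_ip)
# Constructed reply: pc4.qa.fortinet.com A 172.16.200.44, answer name compressed to offset 12 (0xc00c)
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", TXID, 0x8180, 1, 1, 0, 0)
                   + build_query("pc4.qa.fortinet.com")[12:]
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([172, 16, 200, 44]))
```

A reply that answers with a different address (for example 172.16.200.55) is treated exactly like a timeout: the server goes 'Down', which is also why a server that resolves the domain through a forwarder rather than its own zone can fail the check.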
To configure the DNS health check in the GUI (some settings are only available in the CLI), make sure 'Load Balance' is enabled under System -> Feature Visibility.
Then go to Policy & Objects -> Health Check -> Create New.
Apply the monitor to a virtual server:
config firewall vip
    edit "test-vs-ip-1"
        set type server-load-balance
        set extip 10.1.100.153
        set extintf "wan1"
        set server-type ip
        set monitor "dns-monitor-1"
        set ldb-method round-robin
        config realservers
            edit 1
                set ip 172.16.200.44
            next
            edit 2
                set ip 172.16.200.55
            next
        end
    next
end
Example configuration on the GUI:
Copyright 2025 Fortinet, Inc. All Rights Reserved.