vbandha (Staff)
Article Id 275352
Description This article describes the troubleshooting steps to follow when DNS shows as not reachable in a multi-VDOM environment.
Scope FortiGate 7.0+.
Solution

This article covers troubleshooting DNS being unavailable in a multi-VDOM environment on FortiGate, in particular when the WAN interface is not located in the management VDOM.


First, identify the management VDOM. Go to the Global VDOM and navigate to System -> VDOM.
A screen similar to this appears:

 

1.JPG
The VDOM with a tick mark under 'Management VDOM' is the management VDOM.

 

The current management VDOM setting can also be read from the CLI:

 

config global
    show full-configuration system global | grep management-vdom
end


To change the management VDOM, refer to this article:


Technical Note: How to change management VDOM from GUI and CLI

 

Once the management VDOM is known, check whether it contains the WAN interface: go to the management VDOM and navigate to Network -> Interfaces.

 

If the WAN interface is not listed there, this is the likely cause of DNS being unreachable.


FortiGate sends self-originated traffic such as DNS and syslog from the management VDOM.
If the management VDOM has no WAN interface and no route out of it, it cannot reach the internet, so the DNS servers are unreachable.


To fix this, create an inter-VDOM link between the management VDOM and the VDOM that holds the WAN interface, and add a firewall policy in the WAN VDOM that lets the management VDOM's traffic out.

 

Start by creating the inter-VDOM link. Go to the Global VDOM and navigate to Network -> Interfaces, select 'Create New' and choose 'VDOM link'. Select the management VDOM as one end and the VDOM that has the WAN link as the other.

 

Assign an IP address to each end of the link. Any addresses not already in use in the environment will do; putting both ends in the same small subnet (for example a /30) keeps the return path a connected route, so no extra static route is needed in the WAN VDOM.

Here is an example of what it should look like:

 

2.1.JPG

 

Next, go to the management VDOM and navigate to Network -> Static Routes. Create a default route (0.0.0.0/0) whose interface is the management side of the inter-VDOM link and whose gateway is the IP of the other end, as shown below:

 

3.JPG


Then go to the VDOM that contains the WAN interface (the root VDOM in this test case) and navigate to Policy & Objects -> Firewall Policy. Select 'Create New'.


Create a firewall policy from the VDOM link interface to the WAN interface, with NAT enabled so the link's private address is translated to the WAN address, as shown in the image below:

 

4.JPG

 

It is recommended to restrict the source of this policy to the IP that will be set as the DNS source IP, and to limit the service to what the management VDOM actually needs (DNS, and syslog or NTP if those are also sent from it) rather than allowing all traffic: this policy is the management VDOM's only path to the internet, so keep it narrow. After configuring the policy, select 'OK'.

 

Next, set the source IP for DNS. Use either the IP of a local interface in the management VDOM or the IP assigned to the management side of the inter-VDOM link.

 

In this example, the management-side IP of the inter-VDOM link, 10.0.0.1, is used. Set it as the DNS source IP: open a CLI window in the Global VDOM and enter these commands:


config system dns
    set source-ip 10.0.0.1
end

 

Then go to the root VDOM (the VDOM with the WAN link) and, if it is not already present, add a static route for the DNS source IP pointing back through the inter-VDOM link so that replies can return. When both ends of the link share a subnet this route already exists as a connected route. Here is an image of what it should look like:

 

5.1.JPG
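The whole procedure above, expressed as FortiOS CLI in one place, is added here for reference and is not part of the original article. It assumes names that the article does not give: the management VDOM is called MGMT, the VDOM holding the WAN interface is root, the WAN interface is wan1, the link is called mgmt-link, and 10.0.0.0/30 is unused in the environment (10.0.0.1 on the MGMT side, 10.0.0.2 on the root side, matching the DNS source IP used above).

```fortios
# Added example, not from the original article. Assumed names:
# management VDOM "MGMT", WAN VDOM "root", WAN interface "wan1",
# inter-VDOM link "mgmt-link", 10.0.0.0/30 free for the link.

# 1. Confirm which VDOM is the management VDOM (global context).
config global
    show full-configuration system global | grep management-vdom
end

# 2. Create the inter-VDOM link. FortiOS creates two interfaces,
#    mgmt-link0 and mgmt-link1, one for each end of the link.
config global
    config system vdom-link
        edit "mgmt-link"
        next
    end
    config system interface
        edit "mgmt-link0"
            set vdom "MGMT"
            set ip 10.0.0.1 255.255.255.252
            set allowaccess ping
        next
        edit "mgmt-link1"
            set vdom "root"
            set ip 10.0.0.2 255.255.255.252
            set allowaccess ping
        next
    end
end

# 3. Default route in the management VDOM via the link.
#    "edit 0" takes the next free route ID.
config vdom
    edit MGMT
        config router static
            edit 0
                set dst 0.0.0.0 0.0.0.0
                set gateway 10.0.0.2
                set device "mgmt-link0"
            next
        end
    next
end

# 4. Policy in the WAN VDOM: only the link's management-side IP as
#    source, only DNS as service, source NAT to the wan1 address.
#    Add SYSLOG, NTP, etc. to the service list only if the management
#    VDOM really sends them. ICMP is deliberately not allowed.
#    No static route back to 10.0.0.1 is needed here: it is on the
#    connected /30 of mgmt-link1.
config vdom
    edit root
        config firewall address
            edit "mgmt-link-src"
                set subnet 10.0.0.1 255.255.255.255
            next
        end
        config firewall policy
            edit 0
                set name "MGMT-VDOM-DNS-out"
                set srcintf "mgmt-link1"
                set dstintf "wan1"
                set srcaddr "mgmt-link-src"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "DNS"
                set nat enable
            next
        end
    next
end

# 5. Make system DNS source its queries from the link's MGMT-side IP.
config global
    config system dns
        set source-ip 10.0.0.1
    end
end

# 6. Verify: from the global context, watch DNS queries cross the link
#    and leave wan1 (verbosity 4 prints the interface name per packet).
config global
    diagnose sniffer packet any 'port 53' 4 10
end
```

In the sniffer output, queries should appear first on mgmt-link0/mgmt-link1 with source 10.0.0.1 and then on wan1 with the WAN address as source (the NAT from step 4), followed by the replies in the reverse direction. Because the policy only permits DNS, an `execute ping` from the MGMT VDOM will not go through, which is the intended behaviour rather than a fault.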


After this, DNS should be reachable and the status should look something like this:

 

Final.JPG
Related article:
Technical Tip: WAN connectivity using inter-VDOM link