FortiGate
bstefanovski
Staff
Article Id 389541
Description This article describes how DNS forwarding should be properly configured to function between VDOMs.
Scope FortiGate.
Solution

Example Scenario Setup:

In a multi-VDOM FortiGate setup, DNS forwarding between VDOMs can become problematic when DNS services are bound to VLAN or physical interfaces. This article shows a common issue and the recommended design fix: placing DNS on the inter-VDOM link interface.


  • Example FortiGate Model: FortiGate-100F (multi-VDOM enabled).
  • VDOM A ('App-Infra'): Application and infrastructure servers.
  • VDOM B ('Corp-Net'): Hosts internal DNS zone (corp.local).


Devices in VDOM A need to resolve hostnames managed by DNS in VDOM B.


Possible Issues and Problematic Design Example:

Originally, the DNS database in VDOM B was bound to a VLAN interface. Even though DNS queries from VDOM A were routed via the inter-VDOM link, the DNS server's interface wasn't receiving or responding to the traffic properly.


Issues included:

  • DNS queries are leaving VDOM A toward VDOM B over the correct inter-VDOM link.
  • No response returning, or traffic attempting to route back via the default route.
  • Static routes and debugging showed the path was correct, but DNS resolution still failed.


Solution:

Move the DNS Server to the Inter-VDOM Link.


To resolve the issue:

Reconfigure the DNS server in VDOM B to listen on the inter-VDOM interface, not a VLAN or physical port.


This change ensures that the DNS server responds through the same interface on which the request was received, eliminating the need for firewall policies between VDOMs and automatically maintaining symmetric routing.


Example:

If the inter-VDOM link is vlink1 between VDOM A and VDOM B:


config system dns-database
    edit "corp.local"
        set domain "corp.local"
        set interface vlink1
        config dns-entry
            edit 1
                set hostname "internal-srv"
                set ip 10.10.10.10
            next
        end
    next
end
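The zone definition above is only half of the picture: VDOM B also needs a DNS listener bound to its end of the inter-VDOM link, and VDOM A needs to send its queries to that link address. The following is an added example, not configuration from the original article. It assumes that the article's vlink1 is the VDOM B end of a vdom-link named vlink (FortiOS names the two ends vlink0 and vlink1), that vlink0 sits in App-Infra and vlink1 in Corp-Net, and it uses the constructed addresses 10.255.0.1/30 and 10.255.0.2/30 for the link.

```fortios
# Added example, not from the article. Assumed: vdom-link "vlink" with ends
# vlink0 (App-Infra) and vlink1 (Corp-Net); link addresses are constructed.

# Global: create the inter-VDOM link and address both ends
config global
    config system vdom-link
        edit "vlink"
            set type ethernet
        next
    end
    config system interface
        edit "vlink0"
            set vdom "App-Infra"
            set ip 10.255.0.1 255.255.255.252
        next
        edit "vlink1"
            set vdom "Corp-Net"
            set ip 10.255.0.2 255.255.255.252
        next
    end
end

# VDOM B: listen for DNS on the inter-VDOM link and answer from the local
# corp.local zone (the dns-database defined above), recursing for the rest
config vdom
    edit "Corp-Net"
        config system dns-server
            edit "vlink1"
                set mode recursive
            next
        end
    next
end

# VDOM A: point the VDOM's own resolver at the link address; hosts in
# VDOM A use 10.255.0.2 as their DNS server in the same way
config vdom
    edit "App-Infra"
        config system vdom-dns
            set vdom-dns enable
            set primary 10.255.0.2
        end
    next
end

# Verify from VDOM B: queries must arrive on vlink1 and the replies must
# leave on vlink1 as well (symmetric path, no default-route detour)
config vdom
    edit "Corp-Net"
        diagnose sniffer packet vlink1 'udp port 53' 4
```

The sniffer output is the quickest check that the design works: both the query and the answer should show vlink1 as the interface. Note that traffic from hosts inside VDOM A still passes a VDOM A policy from their own interface to vlink0; what this design removes is any policy on the VDOM B side, because the query terminates on the FortiGate itself rather than being forwarded through Corp-Net.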


FortiGate handles DNS queries based on source and destination interface logic. When the DNS service is bound to a VLAN or external interface, it expects traffic to arrive from specific networks or routes, and inter-VDOM traffic does not always match those expectations.


By placing the DNS on the inter-VDOM link, the FortiGate can process and reply to the request without extra configuration like firewall policies or return routes. It treats the traffic like local internal system communication.


Best practice:

  • Always use inter-VDOM interfaces for system services like DNS, NTP, or syslog in multi-VDOM environments.
  • Avoid binding services to VLANs or physical ports when they serve other VDOMs.
  • Keep routing and firewall policies simple by leveraging FortiGate’s internal interface logic.


When facing DNS forwarding issues between VDOMs, the most efficient and reliable solution is to move the DNS service to the inter-VDOM link interface. This resolves routing complexities, eliminates the need for firewall policies, and aligns with Fortinet’s design best practices for multi-VDOM setups.


Because FortiGate is a stateful firewall, it monitors open connections and responds to traffic accordingly. When there are several VDOMs in a system, FortiGate can handle traffic between zones internally by putting services like DNS on the inter-VDOM link.

This approach eliminates the need for additional firewall or routing rules, which otherwise complicate the setup and lead to problems such as dropped replies or asymmetric routing. FortiGate handles the exchange internally, and traffic stays on a clear, direct path.

For shared system services like syslog, DNS, or NTP, use the inter-VDOM link. It maintains simplicity.


Related document:

FortiGate DNS server
