Description
This article describes FortiGate’s DNS query behavior when multiple DNS protocols are enabled.
Scope
FortiGate v7.0, v7.2, v7.4.
Solution
Multiple DNS protocols are enabled under Network -> DNS.
FortiGate DNS query behavior is influenced by the following configuration:
config system dns
set server-select-method { least-rtt | failover }
end
set server-select-method least-rtt (default setting)
If 'server-select-method' is set to 'least-rtt', FortiGate will actively use all enabled protocols, but it will prefer the one with the lowest RTT value. It will occasionally send queries over the other protocols to monitor them and re-evaluate the RTT for each server and protocol.
It is recommended to use a DNS protocol supported by all DNS servers.
set server-select-method failover
If 'server-select-method' is set to 'failover', FortiGate will build a list of available DNS servers and protocols. FortiGate queries the server at the top of the list and only moves on to the next server in order after it detects a DNS query failure with that particular server.
The DNS server list can be found by running the following command:
diagnose test application dnsproxy 3
When all DNS protocols are enabled, the list is built in this order:
fortigate (global) # diagnose test application dnsproxy 3
DNS servers:
96.45.45.45:53 vrf=0 tz=0 encrypt=none req=0 to=0 res=0 rt=0 ready=1 timer=0 probe=0 failure=0 last_failed=0
96.45.45.45:853 vrf=0 tz=0 encrypt=dot req=37 to=0 res=37 rt=7 ready=1 timer=0 probe=0 failure=0 last_failed=0
96.45.45.45:443 vrf=0 tz=0 encrypt=doh req=1 to=4 res=0 rt=1454 ready=1 timer=0 probe=0 failure=3 last_failed=79736
96.45.46.46:53 vrf=0 tz=0 encrypt=none req=0 to=0 res=0 rt=0 ready=1 timer=0 probe=0 failure=0 last_failed=0
96.45.46.46:853 vrf=0 tz=0 encrypt=dot req=80 to=0 res=80 rt=1 ready=1 timer=0 probe=0 failure=0 last_failed=0
96.45.46.46:443 vrf=0 tz=0 encrypt=doh req=1 to=3 res=0 rt=1360 ready=1 timer=0 probe=0 failure=3 last_failed=79612
FortiGate will query '96.45.45.45:53' as it is the first server in the list; when this server fails it moves on to the next server in line, '96.45.45.45:853', and then to '96.45.45.45:443'.
In this configuration, clear-text DNS is used first because the plain DNS (port 53) entry is the first server in the list.
As long as '96.45.45.45:53' continues to respond to queries, other servers and protocols will not be used.