This article describes the FortiGate alt-primary DNS server feature and its configuration.
FortiOS 7.0, 7.2, 7.4.
alt-primary and alt-secondary servers are configurable from the CLI.
config system dns
set alt-primary {ipv4-address}
set alt-secondary {ipv4-address}
end
Alt-dns servers are alternative DNS servers that FortiGate queries under one specific condition.
FortiGate queries the configured alt-dns servers when its primary/secondary DNS server returns a name resolution error (NXDOMAIN) for a name query.
A common usage case for alt-dns servers is to resolve internal domain names that cannot be resolved by the public DNS servers.
If using DNS port 53, the best way to see the DNS response is to run the packet sniffer below and convert the output so it can be analysed with Wireshark (https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-import-diagnose-sniffer-packet-data...).
diagnose sniffer packet any "host x.x.x.x and host y.y.y.y and port 53" 6 0 l <----- Where x.x.x.x is the client IP and y.y.y.y is the DNS server IP.
The capture can be taken on an internal client machine or on the FortiGate. FortiGate provides options to filter before starting the capture; the IP address of the internal client can be used as the filter.
As can be seen from the screenshot, the error in the DNS response is shown as "No such name (3)".
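As an added illustration (not part of the original article), the following Python script decodes the RCODE field that Wireshark labels "No such name (3)" from a raw DNS response and models the alt-dns rule described above: the alt servers are consulted only after the primary/secondary server answers NXDOMAIN. All server addresses and responses are constructed in-memory test data; the resolver answers nothing on the network. Treating non-NXDOMAIN results as final is an assumption of the example, since the article only describes the NXDOMAIN case.

```python
"""Decode the DNS RCODE and model the FortiGate alt-dns fallback rule.
Added example with constructed data; not FortiOS code."""
import struct

# RCODE names as Wireshark labels them; 3 is the "No such name" seen in the capture
RCODE_NAMES = {0: "No error", 1: "Format error", 2: "Server failure",
               3: "No such name", 4: "Not implemented", 5: "Refused"}
NXDOMAIN = 3


def encode_qname(qname):
    """Wire-format a domain name: length-prefixed labels ending in a zero byte."""
    labels = [l for l in qname.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_response(txid, rcode, qname, answer_ip=None):
    """Build a minimal DNS response: header + question (+ one A record if given)."""
    ancount = 1 if answer_ip else 0
    flags = 0x8000 | 0x0080 | (rcode & 0x0F)        # QR=1, RA=1, RCODE in the low nibble
    header = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
    question = encode_qname(qname) + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
    answer = b""
    if answer_ip:
        # Compression pointer to offset 12 (the question name), type A, class IN, TTL 60, RDLENGTH 4
        answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + bytes(int(o) for o in answer_ip.split("."))
    return header + question + answer


def parse_rcode(data):
    """Return (txid, rcode, rcode_name, ancount) from a raw DNS response."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    rcode = flags & 0x0F
    return txid, rcode, RCODE_NAMES.get(rcode, f"RCODE {rcode}"), ancount


def resolve(qname, servers, responses):
    """Model the alt-dns decision for one query.

    servers   -- dict with 'primary' (primary/secondary) and 'alt'
                 (alt-primary/alt-secondary) server lists, in failover order
    responses -- dict server_ip -> raw response bytes (constructed); a missing
                 entry models a server that did not answer
    Returns (answering_server, rcode_name, used_alt). Only NXDOMAIN from the
    primary pool triggers the alt pool; any other result is returned as-is.
    """
    def first_answer(pool):
        for ip in pool:
            if ip in responses:
                _, rcode, name, _ = parse_rcode(responses[ip])
                return ip, rcode, name
        return None, None, None

    ip, rcode, name = first_answer(servers["primary"])
    if rcode != NXDOMAIN or not servers["alt"]:
        return ip, name, False
    alt_ip, _, alt_name = first_answer(servers["alt"])
    if alt_ip is None:
        return ip, name, False        # alt servers unreachable: the NXDOMAIN stands
    return alt_ip, alt_name, True


# Constructed scenario using the addresses from the article's example workflow
SERVERS = {"primary": ["96.45.45.45", "96.45.46.46"], "alt": ["10.0.0.3", "10.0.0.4"]}


def demo():
    internal, public = "intranet.corp.example", "www.example.com"
    # Public resolver does not know the internal name -> No such name (3); internal resolver does
    internal_responses = {
        "96.45.45.45": build_response(0x1A2B, NXDOMAIN, internal),
        "10.0.0.3": build_response(0x1A2B, 0, internal, answer_ip="10.0.0.50"),
    }
    # Public name resolves at the primary, so the alt servers are never asked
    public_responses = {"96.45.45.45": build_response(0x3C4D, 0, public, answer_ip="203.0.113.10")}
    return resolve(internal, SERVERS, internal_responses), resolve(public, SERVERS, public_responses)


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Running the script shows the internal name being answered by 10.0.0.3 only after 96.45.45.45 returned RCODE 3, while the public name never leaves the primary pool, which is exactly the sequence to look for in the sniffer capture.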
Example Workflow:
config system dns
set primary 96.45.45.45
set secondary 96.45.46.46
set protocol dot
set server-hostname "globalsdns.fortinet.net"
set alt-primary 10.0.0.3
set alt-secondary 10.0.0.4
end
For alt-dns servers to be used, the following conditions must be met.
Domain forwarding: see Technical Tip: DNS conditional forwarding.
The option 'set server-hostname' is not available when using the cleartext protocol.
The FortiGate alt-dns query honors the 'set server-select-method' setting as well as 'protocol'.
config system dns
set server-select-method { least-rtt | failover }
set protocol {cleartext | dot | doh}
end
Related article:
Technical Tip: FortiGate DNS query preference when multiple DNS protocols are enabled
Copyright 2025 Fortinet, Inc. All Rights Reserved.