FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
ccho
Staff
Staff
Article Id 275269
Description

 

This article describes the FortiGate alt-primary DNS server feature and its configuration.

 

Scope

 

FortiOS 7.0, 7.2, 7.4.

 

Solution

 

alt-primary and alt-secondary servers are configurable from the CLI.

 

config system dns

    set alt-primary {ipv4-address}

    set alt-secondary {ipv4-address}

end

 

Alt-dns servers are alternative DNS servers for FortiGate queries under a specific condition.

 

FortiGate queries the configured alt-dns servers when FortiGate's primary/secondary DNS server returns a name resolution error (NXDOMAIN) for a name query.

 

A common usage case for alt-dns servers is to resolve internal domain names that cannot be resolved by the public DNS servers.

 

Example Workflow:

 

config system dns

    set primary 96.45.45.45

    set secondary 96.45.46.46

    set protocol dot

    set server-hostname "globalsdns.fortinet.net"

    set alt-primary 10.0.0.3

    set alt-secondary 10.0.0.4

end

 

  • FortiGate's primary and secondary DNS servers are configured as public DNS servers.
  • FortiGate must query www.test.lab.
  • DNS server selection takes place between primary and secondary DNS servers based on the 'set server-select-method' setting.
  • The query is sent to the chosen primary/secondary DNS server.
  • Public DNS servers return a name resolution error 'NXDOMAIN'.
  • Another server selection takes place between alt-primary and alt-secondary DNS servers.
  • The same query for www.test.lab is sent to the chosen alt-dns server.

 

In order for alt-dns servers to be utilized, the following conditions must be met.

 

  1. Receives a nxdomain from 'primary/secondary DNS'.
  2. Has alternate servers configured.
  3. Domain forwarding is not configured.

 

Domain forwarding: Technical Tip: DNS conditional forwarding.

 

FortiGate alt-dns query honors 'set server-select-method' configuration as well as 'protocol'.

 

config system dns
    set server-select-method { least-rtt | failover }

    set protocol {cleartext | dot | doh}
end

 

DNS protocol preference explained: Technical Tip: FortiGate DNS query preference when multiple DNS protocols are enabled.

Contributors