aabukhshim (Staff)
Article Id 331347

Description

This article describes the steps to configure DHCP option 119 (domain search list) on a FortiGate DHCP server.


Scope

FortiOS.

Solution

Configuration Example Requirements:

  • FortiGate’s DHCP server must be configured to use DHCP option 119 for the following domains:
    • test1.local.
    • test2.net.
    • test3.org.

Preparing for the configuration:

  • Break each domain into its labels and convert each label to hex.
    • test1.local:
      • test1 = 7465737431
      • local = 6c6f63616c

    • test2.net:
      • test2 = 7465737432
      • net = 6e6574

    • test3.org:
      • test3 = 7465737433
      • org = 6f7267

  • Find the length of each label (as a one-byte hex value):
    • test1.local:
      • test1 = 05
      • local = 05

    • test2.net:
      • test2 = 05
      • net = 03

    • test3.org:
      • test3 = 05
      • org = 03
Note: If the length of a label is a two-digit decimal number (10 or more), convert it to hex and use the hex value; do not enter the decimal digits directly. Otherwise FortiGate sends a malformed Option 119, and the client PC does not recognize the domain search list.

In Wireshark, the domain search list then appears as below instead of showing the correct FQDNs:

FQDN: <Unknown extended label>

For example, for the domain testwebsite.com, the label testwebsite has a length of 11 in decimal. Converted to hexadecimal this is 0b, so the length must be entered as 0b and not as 11.


  • Prepare each domain in hex by appending, for every label, its length followed by the label in hex:
    • test1.local: 057465737431056c6f63616c
    • test2.net: 057465737432036e6574
    • test3.org: 057465737433036f7267

  • Concatenate the hex for all domains, adding 00 after each domain (including the last one). Make sure there are no commas or spaces between the hex values.

test1.local00test2.net00test3.org00

057465737431056c6f63616c00057465737432036e657400057465737433036f726700
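The following is an added example (not part of the Fortinet article) that performs the steps above in code: it builds the hex string for the `set value` field from a list of domains, and decodes such a string so that a malformed value (such as a decimal length typed as if it were hex) can be caught before it reaches the DHCP server.

```python
# Added example (not from the Fortinet article): encode a domain search list as
# the option 119 hex string FortiGate expects (RFC 3397 wire format) and decode it.

def encode_option119(domains):
    """Return the option 119 payload as a lowercase hex string."""
    out = bytearray()
    for domain in domains:
        for label in domain.rstrip(".").split("."):
            raw = label.encode("ascii")
            if not 1 <= len(raw) <= 63:  # DNS label length limit
                raise ValueError(f"bad label {label!r} in {domain!r}")
            out.append(len(raw))  # binary length byte: 11 becomes 0x0b automatically
            out += raw
        out.append(0)  # 00 root label terminates each domain
    return out.hex()

def decode_option119(hex_value):
    """Parse an option 119 hex string back into domains; raise on malformed data."""
    data = bytes.fromhex(hex_value)
    domains, i = [], 0
    while i < len(data):
        labels = []
        while True:
            if i >= len(data):
                raise ValueError("domain not terminated by a 00 root label")
            length = data[i]
            i += 1
            if length == 0:
                break
            if length & 0xC0:
                # 11xxxxxx is an RFC 3397 compression pointer (not produced here);
                # 01/10xxxxxx are extended label types (Wireshark: "Unknown extended label").
                raise ValueError(f"unsupported label type 0x{length:02x} at offset {i - 1}")
            if i + length > len(data):
                raise ValueError(f"length 0x{length:02x} at offset {i - 1} runs past the end")
            labels.append(data[i:i + length].decode("ascii"))
            i += length
        domains.append(".".join(labels))
    return domains

def is_well_formed(hex_value):
    """True if the hex string decodes cleanly, False otherwise."""
    try:
        decode_option119(hex_value)
        return True
    except ValueError:
        return False
```

Running `encode_option119(["test1.local", "test2.net", "test3.org"])` yields exactly the value used in the CLI configuration below; feeding `is_well_formed` a string in which the length 11 was typed literally (`11...`) returns False, because 0x11 is read as 17 and overruns the option.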


FortiGate’s Configuration:

  • CLI Configuration:

config system dhcp server
    edit 1
        config options
            edit 1
                set code 119
                set value "057465737431056c6f63616c00057465737432036e657400057465737433036f726700"
            next
        end
    next
end

  • GUI Configuration:

Network -> Interface -> Select an interface -> DHCP server -> Advanced -> Additional DHCP option -> Create New.

Verification:

Use ipconfig /release and ipconfig /renew on a Windows PC to verify that the domains are received with the DHCP lease.