| Description | This article describes the use of DNS-server-override when the internet link is dynamic (PPPoE or DHCP). |
| Scope | FortiGate v6.4, v7.0, v7.2 and v7.4. |
| Solution |
When the FortiGate internet interface is assigned an IP address through PPPoE or DHCP, it also acquires a DNS IP from the ISP. FortiGate will use the DNS IP acquired from the ISP as well as the DNS server IP configured in the DNS settings.
To use only the configured DNS server, go to Network -> Interfaces, select the respective interface, and disable 'Override internal DNS'.
Once disabled, going back to Network -> DNS, the entry under Dynamically Obtained DNS servers should be gone.
This does not mean that FortiGate DNS will not be used. There are cases when acquired DNS from ISPs is not reachable or when system DNS has lower latency; in this case, both acquired and system DNS will be used.
One example of implementing this feature is a VDOM deployment in which a particular VDOM uses specific per-VDOM DNS servers instead of the global DNS settings.
From CLI:
Note: A DHCP address issued by a cloud platform like Azure to a FortiGate VM instance hosted in it also includes Azure DNS IP addresses (in DHCP option 6). These DNS IPs will be listed at the top of the DNS list, as shown in the CLI command below. If the locally configured DNS server IP addresses (in the FortiGate configuration) are required to be at the top of this DNS list instead, use the 'dns-server-override disable' option.
In the example output above, the first two are Azure DNS IP addresses, and the last two are the locally configured DNS IP addresses in FortiGate under 'config system dns' and 'set primary <IP> / set secondary <IP>'. To ensure the local DNS IP addresses are on top of the list, use the 'set dns-server-override disable' option under the corresponding interface 'config system interface' that is receiving the DHCP address.
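An added example, not part of the original article and not Fortinet code: a Python check over a FortiGate configuration backup that lists the DHCP/PPPoE interfaces still accepting DNS servers pushed by the upstream server. It assumes the backup omits settings left at their default, that 'dns-server-override' defaults to enable and 'mode' to static; the sample configuration and interface names are constructed.

```python
import re

DYNAMIC_MODES = {"dhcp", "pppoe"}

# Constructed sample backup excerpt (not output from a real device).
SAMPLE_CONFIG = """
config system interface
    edit "wan1"
        set mode dhcp
    next
    edit "wan2"
        set mode pppoe
        set dns-server-override disable
        config ipv6
            set ip6-mode dhcp
        end
    next
    edit "port3"
        set ip 10.0.0.1 255.255.255.0
    next
end
"""

def audit_dns_override(config_text):
    """Return DHCP/PPPoE interfaces where dns-server-override is still enabled."""
    findings, in_section, depth = [], False, 0
    name, settings = None, {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not in_section:
            in_section = line == "config system interface"
            continue
        if line.startswith("config "):
            depth += 1                      # nested block such as "config ipv6"
        elif line == "end":
            if depth == 0:
                break                       # end of the interface section
            depth -= 1
        elif depth:
            continue                        # ignore settings inside nested blocks
        elif line.startswith("edit "):
            name, settings = line[5:].strip().strip('"'), {}
        elif line == "next" and name is not None:
            mode = settings.get("mode", "static")                     # assumed default
            override = settings.get("dns-server-override", "enable")  # assumed default
            if mode in DYNAMIC_MODES and override == "enable":
                findings.append(name)
            name = None
        elif name is not None and (m := re.match(r"set (\S+) (\S+)", line)):
            settings[m.group(1)] = m.group(2)
    return findings
```

Each interface it reports would place the DNS servers received over DHCP or PPPoE into the resolver list alongside the ones set under 'config system dns'.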
Related documents: |