Hello,
I've noticed that when using below configuration, Fortigate does not use the primary server as I would expect. Like first attempt to primary and if it fails (once or for some number of retries), go to secondary. It seems Fortigate chooses the server based on the RTT value to it and because the secondary has a lower latency attached, it uses it more often.
config system dns set primary 1.1.1.1 set secondary 2.2.2.2 end
Is there any workaround or configuration to change this behavior?
Brm
Radu
Why? if nothing is broken why do you need to change the behavior?
I would test both dns server by including only-one in the system dns config and make sure it works. if you need to adjust timeout and retries, you have two option in cli that you can set
config system dns
set timeout xxx
set retry xxx
end
But I rarely even seen or had to use that setting except in very bad performance networks.
Ken Felix
PCNSE
NSE
StrongSwan
Hi Ken,
When using FQDNs in policies that are rapid changing (TTL =5 sec for ex) I need basically to have a sync between the client (whose traffic is passing through the Fortigate) and the Fortigate. Both the client and the Fortigate are using the same DNS servers but windows DNS client behaves differently than the Fortigate. Basically it seems to lock to the primary working DNS server and only in case of failure goes to the secondary. Problem is that FQDNs like Amazon CDN ones are rapidly changing and if the client and the server will end up using different servers there will be an out of sync scenario.
I tried using the cache-ttl option in the FQDN, but does not help that much. One solution would be that both the client and the Fortigate use the same DNS (I can't configure just one on the Fortigate due to redundancy need).
Hope you got my point. Don't know what Fortinet's solution to these kind of mismatches is (perhaps wildcard FQDNs or using application control signatures instead of FQDNs).
BR,
Radu
Point taken.
This problem is always a concern in low TTL A records. The problem you have to understand that the query lookup by the FGT and the dns-resolver are not always happening at the same time so the cache TTL value will not always be in-sync as you pointed out.
So when the web-user put "www.example.com" in the browser and resolve it to x.x.x.x , the fgt is doing the same (if not cached already ) at some later time.
You could try setting up dedicated internal windows-dns-server and point the clients and fgt to the same dns-system and see if that helps.
One other item that could be deployed is to use explicit-proxy hosted on the fortigate. I think that would prevent a lot of these issues but the cost of adding a proxy for http/https in the mix.
Ken Felix
PCNSE
NSE
StrongSwan
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1740 | |
1109 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2025 Fortinet, Inc. All Rights Reserved.