How VDOM-DNS works
I'm referring to the two KBs below for this issue:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiGate-alt-primary-alt-secondary-DNS-se...
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuration-per-VDOM-DNS/ta-p/190815
But in reality, with 7.0.13, the vdom-dns config accepts only alt-primary/alt-secondary, unlike what the 2nd KB describes.
With this, how is the DNS decided at the vdom (test-vdom)? Does it always ask the global primary/secondary first, and only use vdom-dns when they're unreachable? Or is only vdom-dns used? I prefer the latter behavior but am not sure.
Also, what protocol would be used if alt-primary/alt-secondary were chosen? The same as the primary/secondary?
fg40f-utm (global) # config sys dns
fg40f-utm (dns) # get
primary : 96.45.45.45
secondary : 96.45.46.46
protocol : dot
ssl-certificate : Fortinet_Factory
server-hostname : "globalsdns.fortinet.net"
domain :
ip6-primary : ::
ip6-secondary : ::
timeout : 5
retry : 2
dns-cache-limit : 5000
dns-cache-ttl : 1800
cache-notfound-responses: disable
source-ip : 0.0.0.0
interface-select-method: auto
server-select-method: least-rtt
alt-primary : 0.0.0.0
alt-secondary : 0.0.0.0
log : disable

fg40f-utm (test-vdom) # config system vdom-dns
fg40f-utm (vdom-dns) # get
vdom-dns : disable
alt-primary : 0.0.0.0
alt-secondary : 0.0.0.0
Toshi
Hey Toshi,
Can you please try the following?
#config vdom
#edit <>
#config system vdom-dns
#set vdom-dns enable
#set primary/secondary [...]
This is from a 7.2.6 FGT; the 'set primary/secondary' options only become available after vdom-dns is enabled.
The alt-primary and alt-secondary settings were added in 7.0 as far as I can tell, and are used only if neither the primary nor the secondary DNS server can resolve the hostname (not as a failover on timeout, but explicitly when hostnames fail to resolve), and the protocol should be the same as for primary/secondary.
A use case would be to have one set as internal DNS and the other set as external DNS, for example.
EDIT: I found a KB on this: https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiGate-alt-primary-alt-secondary-DNS-se...
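A worked per-VDOM configuration following the steps in the answer above, as an added example that is not from this thread or from Fortinet. It assumes the VDOM name test-vdom and the global DoT settings shown in the first post, and it assumes that once vdom-dns is enabled the per-VDOM table accepts the same protocol, ssl-certificate and server-hostname keywords as the global 'config system dns' output in the first post (an assumption, not something this thread confirms). The addresses 10.0.0.53 and 10.0.1.53 are constructed placeholders for internal resolvers; comments are on their own lines because the FortiOS CLI does not take trailing comments after a command.

```fortios
# Added example, not from the thread: per-VDOM DNS for test-vdom with internal
# resolvers as primary/secondary and public resolvers as alt-primary/alt-secondary.
# Per the answer above, alt servers are queried only when both primary and secondary
# fail to resolve the name, and with the same protocol as primary/secondary.
# With protocol cleartext in this VDOM there is no DoT certificate check to satisfy,
# so a third-party public resolver can serve as the alternate.
config vdom
    edit test-vdom
        config system vdom-dns
            set vdom-dns enable
            # constructed internal resolver addresses
            set primary 10.0.0.53
            set secondary 10.0.1.53
            # assumed keyword, mirroring the global 'config system dns' table
            set protocol cleartext
            # public fallback, used only on resolution failure
            set alt-primary 8.8.8.8
            set alt-secondary 8.8.4.4
        end
    next
end

# Variant that keeps DoT inside the VDOM, matching the global settings from the
# first post. Because the alternates are reached with the same protocol and are
# validated against the same server-hostname (assumed, following the answer above),
# only servers presenting a certificate for that name can be used as alternates,
# so alt-primary/alt-secondary are left at their defaults here.
config vdom
    edit test-vdom
        config system vdom-dns
            set vdom-dns enable
            set primary 96.45.45.45
            set secondary 96.45.46.46
            # assumed keywords, mirroring the global 'config system dns' table
            set protocol dot
            set ssl-certificate Fortinet_Factory
            set server-hostname "globalsdns.fortinet.net"
        end
    next
end

# Confirm what was stored for the VDOM.
config vdom
    edit test-vdom
        show system vdom-dns
    next
end
```

Apply only one of the two 'config system vdom-dns' blocks; they are alternatives for the same VDOM, and the second one shows why a cleartext or DoT choice for primary/secondary also decides which alternates are usable.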
Thanks Debibe, as usual. Then we can't use 8.8.8.8/8.8.8.4 as the alternative DNS if the primary/secondary's protocol is dot.
Toshi
