I understand this sounds silly but in my DNS settings I have "Use Fortigate Servers" enabled but both the Primary and Secondary DNS servers are listed as unreachable. However, at the bottom there is a section which says Dynamically Obtained DNS Servers where two DNS server addresses are listed for my WAN1 interface. What happens as soon as my Fortigate is able to reach Fortinet DNS servers? Does it stop using the dynamically obtained DNS servers and is there a way to enforce the Fortigate to use the dynamic ones?
I believe that it is based on the setting seen in the document: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-determine-the-sequence-of-DNS-serve...
The FortiGate will just treat the dynamically obtained as additional DNS servers, probably 3rd and 4th in the list.
As far as I know, the latest obtained DNS is the primary one, which means the one obtained dynamically becomes the primary.
On the other hand, forget about this "unreachable" flag and high latency indicator under menu Network > DNS; this doesn't indicate the communication between the FortiGate and the DNS server itself but is an indicator between clients and the DNS server (if there is a request).
In case you have an internal DNS server that also resolves public addresses, then I think it is better to disable dynamic DNS, by disabling "Override internal DNS" at the interface level.
@AEK , @johnathan is there a way for me to remove the Fortinet DNS addresses and set the Fortigate to use only the dynamically obtained DNS servers?
Yes you can.
Just go to menu Network > DNS, and set 0.0.0.0 for both primary and secondary DNS servers.
On the other hand and to correct myself, I just made some tests on a FG with 2 statically configured DNS servers + 2 dynamically obtained DNS servers, and I found that the statically configured DNS is always the one requested by FGT.
In the output below, see that the FG always sends the DNS query to 96.45.45.45 only, which is the one statically configured as primary DNS.
FGT # diag debug application dnsproxy -1
FGT # diagnose debug enable
...
[worker 0] dns_lookup_aa_zone()-608: vfid=0, fqdn=ibm.com
[worker 0] dns_send_resol_request()-1233: orig id: 0x0000 local id: 0xc035 domain=ibm.com
[worker 0] dns_find_best_server()-590: found server: 96.45.45.45 (vfid=0 vrf=0)
[worker 0] dns_query_handle_response()-2576: vfid=0 real_vfid=0 vrf=0 id=0xc035 domain=ibm.com pktlen=398
[worker 0] hostname_entry_insert()-143: af=2 domain=ibm.com
[worker 0] dns_send_response()-1542: domain=ibm.com reslen=398
...
[worker 0] dns_lookup_aa_zone()-608: vfid=0, fqdn=php.org
[worker 0] dns_send_resol_request()-1233: orig id: 0x0000 local id: 0xc067 domain=php.org
[worker 0] dns_find_best_server()-590: found server: 96.45.45.45 (vfid=0 vrf=0)
[worker 0] dns_query_handle_response()-2576: vfid=0 real_vfid=0 vrf=0 id=0xc067 domain=php.org pktlen=123
[worker 0] hostname_entry_insert()-143: af=2 domain=php.org
[worker 0] dns_send_response()-1542: domain=php.org reslen=123
...
[worker 0] dns_lookup_aa_zone()-608: vfid=0, fqdn=globaldevcollect.fortinet.net
[worker 0] dns_send_resol_request()-1233: orig id: 0x0000 local id: 0x40e8 domain=globaldevcollect.fortinet.net
[worker 0] dns_find_best_server()-590: found server: 96.45.45.45 (vfid=0 vrf=0)
[worker 0] dns_query_handle_response()-2576: vfid=0 real_vfid=0 vrf=0 id=0x40e8 domain=globaldevcollect.fortinet.net pktlen=252
[worker 0] hostname_entry_insert()-143: af=2 domain=globaldevcollect.fortinet.net
[worker 0] dns_send_response()-1542: domain=globaldevcollect.fortinet.net reslen=252
...
[worker 0] dns_lookup_aa_zone()-608: vfid=0, fqdn=test.com
[worker 0] dns_send_resol_request()-1233: orig id: 0x0000 local id: 0x00c0 domain=test.com
[worker 0] dns_find_best_server()-590: found server: 96.45.45.45 (vfid=0 vrf=0)
[worker 0] hostname_entry_insert()-143: af=2 domain=test.com
[worker 0] dns_send_response()-1542: domain=test.com reslen=228
...
[worker 0] dns_lookup_aa_zone()-608: vfid=0, fqdn=gmail.com
[worker 0] dns_send_resol_request()-1233: orig id: 0x001c local id: 0x001c domain=gmail.com
[worker 0] dns_find_best_server()-590: found server: 96.45.45.45 (vfid=0 vrf=0)
[worker 0] dns_query_handle_response()-2576: vfid=0 real_vfid=0 vrf=0 id=0x001c domain=gmail.com pktlen=230
[worker 0] hostname_entry_insert()-143: af=2 domain=gmail.com
[worker 0] dns_send_response()-1542: domain=gmail.com reslen=230
...
[worker 0] dns_lookup_aa_zone()-608: vfid=0, fqdn=x.com
[worker 0] dns_send_resol_request()-1233: orig id: 0x0000 local id: 0xc089 domain=x.com
[worker 0] dns_find_best_server()-590: found server: 96.45.45.45 (vfid=0 vrf=0)
[worker 0] dns_query_handle_response()-2576: vfid=0 real_vfid=0 vrf=0 id=0xc089 domain=x.com pktlen=346
[worker 0] hostname_entry_insert()-143: af=2 domain=x.com
[worker 0] dns_send_response()-1542: domain=x.com reslen=346
Hope it helps.
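As an added example (not code from AEK's post or from Fortinet), here is a small Python script that parses dnsproxy debug output of the shape shown above and tallies which server each forwarded query was sent to, so you can check on your own unit whether queries go to the statically configured servers, the dynamically obtained ones, or something unexpected. The sample log is constructed to match the line format in the post; 96.45.45.45 is the static primary from the thread, while 203.0.113.53 is a placeholder standing in for a dynamically obtained server. The static and dynamic server sets passed to `audit_dns_servers` are assumptions you would replace with the addresses shown under Network > DNS on your FortiGate.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the shape of "diag debug application dnsproxy -1" output.
# 96.45.45.45 is the static primary from the thread; 203.0.113.53 is a made-up
# (documentation-range) address standing in for a dynamically obtained server.
SAMPLE_LOG = """\
[worker 0] dns_lookup_aa_zone()-608: vfid=0, fqdn=ibm.com
[worker 0] dns_send_resol_request()-1233: orig id: 0x0000 local id: 0xc035 domain=ibm.com
[worker 0] dns_find_best_server()-590: found server: 96.45.45.45 (vfid=0 vrf=0)
[worker 0] dns_query_handle_response()-2576: vfid=0 real_vfid=0 vrf=0 id=0xc035 domain=ibm.com pktlen=398
[worker 0] dns_lookup_aa_zone()-608: vfid=0, fqdn=php.org
[worker 0] dns_send_resol_request()-1233: orig id: 0x0000 local id: 0xc067 domain=php.org
[worker 0] dns_find_best_server()-590: found server: 96.45.45.45 (vfid=0 vrf=0)
[worker 0] dns_lookup_aa_zone()-608: vfid=0, fqdn=example.net
[worker 0] dns_send_resol_request()-1233: orig id: 0x0000 local id: 0xc0a1 domain=example.net
[worker 0] dns_find_best_server()-590: found server: 203.0.113.53 (vfid=0 vrf=0)
[worker 0] dns_lookup_aa_zone()-608: vfid=0, fqdn=gmail.com
[worker 0] dns_send_resol_request()-1233: orig id: 0x001c local id: 0x001c domain=gmail.com
[worker 0] dns_find_best_server()-590: found server: 96.45.45.45 (vfid=0 vrf=0)
"""

# A forwarded query is logged as a dns_send_resol_request line (carrying the
# domain) followed by a dns_find_best_server line (carrying the chosen server).
QUERY_RE = re.compile(r"dns_send_resol_request\(\)-\d+: .*?domain=(\S+)")
SERVER_RE = re.compile(r"dns_find_best_server\(\)-\d+: found server: (\S+) \(vfid=(\d+) vrf=(\d+)\)")


def parse_server_selection(log_text):
    """Pair each resolver request with the server dnsproxy selected for it.
    Returns a list of (domain, server_ip) tuples; a request line that is not
    followed by a found-server line is dropped rather than guessed."""
    pairs = []
    pending_domain = None
    for line in log_text.splitlines():
        q = QUERY_RE.search(line)
        if q:
            pending_domain = q.group(1)
            continue
        s = SERVER_RE.search(line)
        if s and pending_domain is not None:
            pairs.append((pending_domain, s.group(1)))
            pending_domain = None
    return pairs


def audit_dns_servers(log_text, static_servers, dynamic_servers):
    """Count how many forwarded queries went to each server and bucket them by
    whether that server is statically configured (Network > DNS), dynamically
    obtained (DHCP/PPPoE on the WAN interface), or neither (worth a closer look)."""
    pairs = parse_server_selection(log_text)
    per_server = Counter(server for _, server in pairs)
    domains_by_server = defaultdict(list)
    for domain, server in pairs:
        domains_by_server[server].append(domain)
    buckets = {"static": 0, "dynamic": 0, "unknown": 0}
    for server, n in per_server.items():
        if server in static_servers:
            buckets["static"] += n
        elif server in dynamic_servers:
            buckets["dynamic"] += n
        else:
            buckets["unknown"] += n
    return {
        "per_server": dict(per_server),
        "buckets": buckets,
        "domains_by_server": dict(domains_by_server),
        "total": len(pairs),
    }


def preferred_server(audit):
    """Server that received the most queries, or None when nothing was parsed."""
    if not audit["per_server"]:
        return None
    return max(audit["per_server"], key=audit["per_server"].get)


if __name__ == "__main__":
    # Assumed configuration: one static and one dynamic server (replace with yours).
    result = audit_dns_servers(SAMPLE_LOG, {"96.45.45.45"}, {"203.0.113.53"})
    for server, n in sorted(result["per_server"].items(), key=lambda kv: -kv[1]):
        print(f"{server:>15}  {n:3d} queries  {', '.join(result['domains_by_server'][server])}")
    print("buckets:", result["buckets"], "preferred:", preferred_server(result))
```

Feed it the captured output of `diag debug application dnsproxy -1` (redirect your terminal session to a file and pass the file contents as `log_text`). If the "unknown" bucket is non-zero, the unit is forwarding to a server that is neither in your static list nor among the dynamically obtained ones, which is the case you want to investigate.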
You can refer to this article for setting a priority:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-determine-the-sequence-of-DNS-serve...