Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Autumn 2024 badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- How may one know which DNS servers a Fortigate is ...
Options
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
How may one know which DNS servers a Fortigate is using?
I understand this sounds silly but in my DNS settings I have "Use Fortigate Servers" enabled but both the Primary and Secondary DNS servers are listed as unreachable. However, at the bottom there is a section which says Dynamically Obtained DNS Servers where two DNS server addresses are listed for my WAN1 interface. What happens as soon as my Fortigate is able to reach Fortinet DNS servers? Does it stop using the dynamically obtained DNS servers and is there a way to enforce the Fortigate to use the dynamic ones?
Labels:
- Labels:
-
FortiGate
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
5 REPLIES 5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
I believe that it is based on the setting seen in the document: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-determine-the-sequence-of-DNS-serve...
The FortiGate will just treat the dynamically obtained as additional DNS servers, probably 3rd and 4th in the list.
"Never trust a computer you can't throw out a window."
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
As far as I know, the latest obteined DNS is the primary one, that means the one obteined dynamically becomes the primary.
In other hand forget about this "unreachable" flag and high latency indicator under menu Network > DNS, this doesn't indicate the communication between FortiGate and DNS server itself but indicator between clients and DNS server (if there is a request).
In case you have internal DNS server that also resolves public addresses then I think it is better to disable dynamic DNS it should be better, by disabling "Override internal DNS" at interface level.
AEK
AEK
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
@AEK , @johnathan is there a way for me to remove the Fortinet DNS addresses and set the Fortigate to use only the dynamically obtained DNS servers?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
Yes you can.
Just go to menu Network > DNS, and set 0.0.0.0 for both primary and secondary DNS servers.
On the other hand and to correct myself, I just made some tests on a FG with 2 statically configured DNS servers + 2 dynamically obtained DNS servers, and I found that the statically configured DNS is always the one requested by FGT.
In the below output see that FG always send the DNS query to 96.45.45.45 only, which is the configured statically as primary DNS.
FGT # diag debug application dnsproxy -1
FGT # diagnose debug enable
...
[worker 0] dns_lookup_aa_zone()-608: vfid=0, fqdn=ibm.com
[worker 0] dns_send_resol_request()-1233: orig id: 0x0000 local id: 0xc035 domain=ibm.com
[worker 0] dns_find_best_server()-590: found server: 96.45.45.45 (vfid=0 vrf=0)
[worker 0] dns_query_handle_response()-2576: vfid=0 real_vfid=0 vrf=0 id=0xc035 domain=ibm.com pktlen=398
[worker 0] hostname_entry_insert()-143: af=2 domain=ibm.com
[worker 0] dns_send_response()-1542: domain=ibm.com reslen=398
...
[worker 0] dns_lookup_aa_zone()-608: vfid=0, fqdn=php.org
[worker 0] dns_send_resol_request()-1233: orig id: 0x0000 local id: 0xc067 domain=php.org
[worker 0] dns_find_best_server()-590: found server: 96.45.45.45 (vfid=0 vrf=0)
[worker 0] dns_query_handle_response()-2576: vfid=0 real_vfid=0 vrf=0 id=0xc067 domain=php.org pktlen=123
[worker 0] hostname_entry_insert()-143: af=2 domain=php.org
[worker 0] dns_send_response()-1542: domain=php.org reslen=123
...
[worker 0] dns_lookup_aa_zone()-608: vfid=0, fqdn=globaldevcollect.fortinet.net
[worker 0] dns_send_resol_request()-1233: orig id: 0x0000 local id: 0x40e8 domain=globaldevcollect.fortinet.net
[worker 0] dns_find_best_server()-590: found server: 96.45.45.45 (vfid=0 vrf=0)
[worker 0] dns_query_handle_response()-2576: vfid=0 real_vfid=0 vrf=0 id=0x40e8 domain=globaldevcollect.fortinet.net pktlen=252
[worker 0] hostname_entry_insert()-143: af=2 domain=globaldevcollect.fortinet.net
[worker 0] dns_send_response()-1542: domain=globaldevcollect.fortinet.net reslen=252
...
[worker 0] dns_lookup_aa_zone()-608: vfid=0, fqdn=test.com
[worker 0] dns_send_resol_request()-1233: orig id: 0x0000 local id: 0x00c0 domain=test.com
[worker 0] dns_find_best_server()-590: found server: 96.45.45.45 (vfid=0 vrf=0)
[worker 0] hostname_entry_insert()-143: af=2 domain=test.com
[worker 0] dns_send_response()-1542: domain=test.com reslen=228
...
[worker 0] dns_lookup_aa_zone()-608: vfid=0, fqdn=gmail.com
[worker 0] dns_send_resol_request()-1233: orig id: 0x001c local id: 0x001c domain=gmail.com
[worker 0] dns_find_best_server()-590: found server: 96.45.45.45 (vfid=0 vrf=0)
[worker 0] dns_query_handle_response()-2576: vfid=0 real_vfid=0 vrf=0 id=0x001c domain=gmail.com pktlen=230
[worker 0] hostname_entry_insert()-143: af=2 domain=gmail.com
[worker 0] dns_send_response()-1542: domain=gmail.com reslen=230
...
[worker 0] dns_lookup_aa_zone()-608: vfid=0, fqdn=x.com
[worker 0] dns_send_resol_request()-1233: orig id: 0x0000 local id: 0xc089 domain=x.com
[worker 0] dns_find_best_server()-590: found server: 96.45.45.45 (vfid=0 vrf=0)
[worker 0] dns_query_handle_response()-2576: vfid=0 real_vfid=0 vrf=0 id=0xc089 domain=x.com pktlen=346
[worker 0] hostname_entry_insert()-143: af=2 domain=x.com
[worker 0] dns_send_response()-1542: domain=x.com reslen=346
Hope it helps.
AEK
AEK
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
You can refer this article for setting a priority
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-determine-the-sequence-of-DNS-serve...
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- Lost passowrd Fortigate 200F 35 Views
- Web Based access secret management using... 28 Views
- Tips and Shortcuts sharing 34 Views
- Problem with upgrading FortiGate from FortiManager 44 Views
- Trouble with LDAP authentication 35 Views
Labels
-
FortiGate
8,369 -
FortiClient
1,692 -
5.2
801 -
FortiManager
707 -
5.4
639 -
FortiAnalyzer
535 -
FortiSwitch
452 -
FortiAP
447 -
6.0
416 -
FortiClient EMS
395 -
5.6
362 -
FortiMail
308 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
208 -
5.0
196 -
FortiWeb
195 -
IPsec
179 -
FortiNAC
173 -
FortiGuard
133 -
6.4
128 -
SD-WAN
105 -
FortiGateCloud
100 -
FortiSIEM
97 -
FortiCloud Products
95 -
FortiToken
88 -
FortiAuthenticator
82 -
Customer Service
76 -
Wireless Controller
76 -
Firewall policy
68 -
4.0MR3
64 -
FortiProxy
57 -
FortiADC
51 -
Fortivoice
50 -
FortiEDR
50 -
High Availability
50 -
vlan
47 -
ZTNA
45 -
FortiSandbox
43 -
FortiExtender
43 -
FortiDNS
42 -
Routing
39 -
DNS
38 -
LDAP
38 -
BGP
37 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SAML
32 -
Certificate
32 -
Interface
31 -
NAT
30 -
Authentication
29 -
SSO
29 -
FortiConnect
27 -
RADIUS
27 -
FortiLink
26 -
FortiWAN
25 -
FortiConverter
25 -
FortiGate v5.2
24 -
VDOM
24 -
Application control
24 -
Web profile
23 -
Virtual IP
22 -
Logging
21 -
FortiPAM
20 -
Fortigate Cloud
19 -
FortiSwitch v6.2
18 -
FortiPortal
18 -
FortiMonitor
18 -
SSL SSH inspection
18 -
Traffic shaping
17 -
FortiDDoS
15 -
OSPF
15 -
FortiGate v5.0
14 -
WAN optimization
14 -
IP address management - IPAM
14 -
SSID
13 -
Static route
13 -
FortiCASB
12 -
snmp
12 -
Automation
12 -
Admin
12 -
System settings
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiSOAR
11 -
FortiManager v4.0
10 -
FortiRecorder
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
FortiAP profile
9 -
Proxy policy
9 -
RMA Information and Announcements
8 -
Security profile
8 -
Port policy
8 -
4.0
7 -
FortiDeceptor
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
Traffic shaping policy
7 -
Fabric connector
7 -
Intrusion prevention
7 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Antivirus profile
6 -
FortiCarrier
5 -
FortiToken Cloud
5 -
Explicit proxy
5 -
FortiTester
5 -
Users
5 -
Traffic shaping profile
5 -
Web rating
5 -
Fortinet Engage Partner Program
5 -
3.6
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Email filter profile
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
VoIP profile
3 -
Multicast routing
3 -
Cloud Management Security
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
Schedule
2 -
SDN connector
2 -
Service
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
TACACS
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1634 | |
| 1063 | |
| 751 | |
| 443 | |
| 210 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.