New Contributor

Internal DNS over IPSEC

I have a FortiGate 60D v6.0.0 build 0076 (GA)


interface v31


I have DNS configured 

config system dns-server
    edit "v31"
    next
    edit "OSPF"
    next
    edit "ssl.root"
    next
end

(These are all set to recursive not sure why it doesn't show up in the config)


config system dns-database
    edit "Townhouse"
        set domain ""
        set source-ip
        config dns-entry
            edit 1
                set hostname "CLP-325W"
                set ip
            next
        end
        set primary-name ""
        set contact "REMOVED"
    next
    edit "haven2.local"
        set domain "haven2.local"
        set authoritative disable
        set forwarder ""
        set source-ip
    next
end




It works from the v31 interface, the OSPF interface and the SSL interface. However, I have an IPsec tunnel (in policy mode) and I cannot get the remote side to use the DNS server. The policy is wide open:

config firewall policy
    edit 8
        set name "IPSEC to H2"
        set uuid c5b4e622-67a8-51e8-f7ef-f1a2eec092f6
        set srcintf "v31"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr " [DMZ_H2]" " [INTERNAL_H2]"
        set action ipsec
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set inbound enable
        set vpntunnel "h2"
    next
end




Is there a way to allow the remote side ( and to be able to access the FortiGate DNS server on ? The remote side is set to forward; however, even a simple nslookup on the remote side fails. I also cannot use IPsec in interface mode as the remote side does not support it.

New Contributor

Ended up converting the IPsec tunnel to interface mode. Added the interface to the dns-server list and now everything works. Not sure how to get it to work in policy mode as there is no interface to add to the dns-server config.


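Editor's note with an added configuration example; it is not taken from either post and is not Fortinet's own documentation. The reason the policy-mode tunnel cannot be listed under "config system dns-server" is that a policy-mode VPN has no interface of its own: the decrypted packets are attributed to the physical interface the tunnel terminates on ("wan1" here). Adding "wan1" to the dns-server list would make the FortiGate answer DNS on its Internet-facing interface as well, so the reply's approach, an interface-mode tunnel that can be named in dns-server, is the cleaner fix. The example below shows that end state for the tunnel "h2". Everything not in the thread is assumed: the peer address 203.0.113.10, the local LAN 10.31.0.0/24 behind "v31" with the FortiGate at 10.31.0.1 (the address the remote resolvers are pointed at), the remote LAN 10.2.0.0/24, the address-object names "INTERNAL_H2" and "DMZ_H2", the proposals, and policy IDs 9 and 10.

```fortios
# Added example (not from the thread): interface-mode replacement for the
# policy-mode tunnel "h2", with the tunnel interface enabled as a DNS server.
# All addresses, names and IDs below are assumptions; replace them.

config vpn ipsec phase1-interface
    edit "h2"
        set interface "wan1"
        set ike-version 1
        set proposal aes256-sha256
        set remote-gw 203.0.113.10
        set psksecret REMOVED
    next
end

config vpn ipsec phase2-interface
    edit "h2-p2"
        set phase1name "h2"
        set proposal aes256-sha256
        # The selectors must cover 10.31.0.1, otherwise the remote side's
        # DNS queries to the FortiGate never enter the tunnel.
        set src-subnet 10.31.0.0 255.255.255.0
        set dst-subnet 10.2.0.0 255.255.255.0
    next
end

# Route the remote LAN into the tunnel interface that phase1-interface created.
config router static
    edit 0
        set dst 10.2.0.0 255.255.255.0
        set device "h2"
    next
end

# Listen for DNS on the tunnel interface. "mode recursive" is the default and
# is therefore hidden by "show"; "show full-configuration" displays it.
config system dns-server
    edit "h2"
        set mode recursive
    next
end

# Replace the action-ipsec policy 8 with ordinary accept policies in each
# direction. Queries to 10.31.0.1 are local-in traffic and need no policy,
# but everything else between the two LANs does.
config firewall policy
    edit 9
        set name "H2 to LAN"
        set srcintf "h2"
        set dstintf "v31"
        set srcaddr "INTERNAL_H2" "DMZ_H2"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 10
        set name "LAN to H2"
        set srcintf "v31"
        set dstintf "h2"
        set srcaddr "all"
        set dstaddr "INTERNAL_H2" "DMZ_H2"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

# Verify on the FortiGate that queries arrive on h2 and are answered:
#   diagnose sniffer packet h2 'udp port 53' 4 10
# and from a host on the remote LAN:
#   nslookup CLP-325W.haven2.local 10.31.0.1
```

If the sniffer shows queries arriving on "h2" but no replies, check the dns-server entry first; if nothing arrives at all, the remote peer's phase 2 selectors do not include 10.31.0.1 and the query is leaving the remote side unencrypted or being dropped there.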