
resolving Internal DNS internally

How can we set up FortiGate DNS to resolve all internal hosts internally?

At the moment, we've set one of the DNS servers to However, it seems that someone might have assigned the same internal DNS name externally, leading our internal DNS to mistakenly direct to external addresses.


Hello @Chua_Augustine ,


You can use your FortiGate as a DNS server. If you use this feature, you can manipulate DNS records. You can also use your internal DNS server as a forward DNS server.




If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW

Thanks for the pointer. In my case, I have set up the DNS on the FortiGate. However, all our internal IPs/hosts resolve externally. How can I configure it to resolve internally and prevent it from resolving through the external DNS server?


e.g. my hostname is When I browse to the site, instead of resolving it internally and pointing to the correct host, it resolves externally and points to a random website. Someone may have owned the


How should I configure that all to resolve internally? Is it possible?


Hi Augustine

If I understand correctly, I think your clients are pointing to an external DNS server, so they send DNS requests to the WAN (like

If your clients are DHCP clients, then you may change the DHCP server config to assign the local DNS server to clients. Otherwise, if you don't have a DHCP server, just change it manually on your clients.


Ah, got it! I've figured out another solution. I can utilize my registered domain name, All I need to do is set up a CNAME record and direct the URL to the host IP address, and it should resolve the issue.


On drankfe5's question, we haven't had any trouble accessing our DNS server from any network. It's been responding correctly until "someone" took ownership of the domain, causing traffic to route incorrectly.  We've configured our FortiGate firewall to point to both our internal DNS server and a public external DNS server like Strangely, when we try to access an internal host, instead of resolving locally on the primary DNS, it attempts to resolve externally. If I were to remove the secondary DNS server, would I still be able to resolve public websites on the internet?  


If you want to be strict about the DNS resolution, then set up the FortiGate DHCP to feed the clients only the IPs of the local DNS servers under the "Specify" field (**or set up the FG DNS server to the local ones - both of them). The local DNS servers will return the IP of the local servers for the names defined locally, and relay the request to the public DNS servers defined (back through the FG, as pass-through traffic). This way you have better control of what names are resolved.

**Setting up the FG DNS server to the local servers may not be the best practice. Check this article for details, and look into the alt-primary / alt-secondary options (this will not work if the domain name is already used by someone else), and also set server-select-method (default is least-rtt).

- Toss a 'Like' to your fixxer, oh Valley of Plenty! and choose the solution, too00oo -
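To make the advice above concrete, here is an added FortiOS CLI example (not posted by anyone in this thread) showing the weak setup the thread describes next to a hardened one. The addresses, interface name and zone name are placeholders: 10.0.0.53/10.0.0.54 are assumed internal DNS servers, 192.0.2.53/192.0.2.54 assumed public resolvers, "internal" the assumed LAN interface, and corp.example the assumed internal domain.

```fortios
# ---- Weak setup (the situation described in the thread) ----
# The FortiGate forwards to an internal DNS server AND a public resolver.
# With the default server-select-method (least-rtt) it sends queries to
# whichever server has the lowest round-trip time, so a lookup for an
# internal name can be answered by the public resolver. If someone has
# registered the same domain publicly, clients get that party's address.
# (Placeholder addresses: 10.0.0.53 = assumed internal DNS, 192.0.2.53 = assumed public resolver.)
config system dns
    set primary 10.0.0.53
    set secondary 192.0.2.53
    set server-select-method least-rtt
end

# ---- Hardened setup ----
# 1. Hand out only the internal DNS servers via DHCP ("Specify" in the GUI),
#    so clients never talk to a public resolver directly.
config system dhcp server
    edit 1
        set interface "internal"
        set dns-service specify
        set dns-server1 10.0.0.53
        set dns-server2 10.0.0.54
    next
end

# 2. Point the FortiGate's own resolver at the internal servers and use the
#    public ones only as alternates, selected by failover instead of RTT.
#    Caveat from the thread: this still reaches the public resolvers when
#    the internal servers are down, so it does not by itself stop a name
#    that someone else has registered publicly from resolving externally.
config system dns
    set primary 10.0.0.53
    set secondary 10.0.0.54
    set alt-primary 192.0.2.53
    set alt-secondary 192.0.2.54
    set server-select-method failover
end

# 3. Optional: serve the internal zone from the FortiGate itself as a
#    shadow (LAN-only) zone, so those names are answered locally and never
#    forwarded upstream. The FortiGate DNS service must be enabled on the
#    LAN interface for this to take effect. "type primary" is the FortiOS 7.x
#    keyword; older releases use "type master".
config system dns-database
    edit "corp-internal"
        set domain "corp.example"
        set type primary
        set view shadow
        set ttl 3600
        config dns-entry
            edit 1
                set type A
                set hostname "intranet"
                set ip 10.0.1.20
            next
        end
    next
end
config system dns-server
    edit "internal"
        set mode recursive
    next
end
```

After applying this, a useful check is to query the same internal name from a LAN client against the internal DNS server and against a public resolver: the former should return the private address, while the latter returning anything at all is exactly the leak the thread is describing.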

Yes, thank you for the suggestion. We will try the solution. 

