Created on 09-20-2023 02:50 PM Edited on 09-21-2023 06:10 AM By Jean-Philippe_P
This article describes FortiGate’s DNS query behavior when multiple DNS protocols are enabled.
FortiGate v7.0, v7.2, v7.4.
Multiple DNS protocols are enabled under Network -> DNS.
FortiGate's DNS query behavior is controlled by the following setting:
config system dns
set server-select-method { least-rtt | failover }
end
set server-select-method least-rtt (default setting)
If 'set server-select-method' is set to 'least-rtt', FortiGate actively uses both 'DNS over TLS' (DoT) and 'DNS over HTTPS' (DoH) when all DNS protocols are enabled.
Clear-text DNS is NOT used when it is enabled together with any DNS protocol that offers encryption (DoT or DoH). It is only used when clear-text is the sole protocol enabled.
set server-select-method failover
If 'set server-select-method' is set to 'failover', FortiGate builds a list of available DNS servers and protocols. It sends queries to the server at the top of the list and only moves on to the next server in the list when it detects a DNS query failure with that particular server.
The DNS server list can be found by running the following command:
diagnose test application dnsproxy 3
When all DNS protocols are enabled, the list is built in this order:
fortigate (global) # diagnose test application dnsproxy 3
DNS servers:
96.45.45.45:53 vrf=0 tz=0 encrypt=none req=0 to=0 res=0 rt=0 ready=1 timer=0 probe=0 failure=0 last_failed=0
96.45.45.45:853 vrf=0 tz=0 encrypt=dot req=37 to=0 res=37 rt=7 ready=1 timer=0 probe=0 failure=0 last_failed=0
96.45.45.45:443 vrf=0 tz=0 encrypt=doh req=1 to=4 res=0 rt=1454 ready=1 timer=0 probe=0 failure=3 last_failed=79736
96.45.46.46:53 vrf=0 tz=0 encrypt=none req=0 to=0 res=0 rt=0 ready=1 timer=0 probe=0 failure=0 last_failed=0
96.45.46.46:853 vrf=0 tz=0 encrypt=dot req=80 to=0 res=80 rt=1 ready=1 timer=0 probe=0 failure=0 last_failed=0
96.45.46.46:443 vrf=0 tz=0 encrypt=doh req=1 to=3 res=0 rt=1360 ready=1 timer=0 probe=0 failure=3 last_failed=79612
FortiGate queries '96.45.45.45:53' first, as it is the first server in the list. When this server fails it moves on to the next server in line, '96.45.45.45:853', and then to '96.45.45.45:443'.
In this configuration, clear-text DNS (port 53) is used first because it is the first server in the list.
As long as '96.45.45.45:53' continues to respond to queries, the other servers and protocols are not used. In other words, with 'failover' and clear-text DNS enabled alongside DoT/DoH, DNS queries leave the FortiGate unencrypted for as long as the clear-text server answers. If the goal is to keep FortiGate's own DNS traffic encrypted, either keep 'least-rtt' or enable only the DoT/DoH protocols under Network -> DNS.
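The ordering rule above can be turned into a check that is run against the output of 'diagnose test application dnsproxy 3' from any FortiGate. The following Python script is an added example for this article and is not Fortinet code: it parses the server list, reports which server 'failover' mode would query first, flags the case where that server is clear-text while DoT/DoH servers are also configured, and reads from the 'req'/'res' counters which protocols are actually answering queries. The sample input is the capture shown in this article; the meaning of the 'rt' and 'failure' fields is assumed from their names as printed.

```python
"""Audit a FortiGate 'diagnose test application dnsproxy 3' server list.

Added example for this article, not Fortinet code. It parses the list the
command prints and answers two questions: which server 'failover' mode
queries first, and which protocols are actually answering per the counters.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: the capture shown in the article, reproduced verbatim.
SAMPLE_OUTPUT = """\
fortigate (global) # diagnose test application dnsproxy 3
DNS servers:
96.45.45.45:53 vrf=0 tz=0 encrypt=none req=0 to=0 res=0 rt=0 ready=1 timer=0 probe=0 failure=0 last_failed=0
96.45.45.45:853 vrf=0 tz=0 encrypt=dot req=37 to=0 res=37 rt=7 ready=1 timer=0 probe=0 failure=0 last_failed=0
96.45.45.45:443 vrf=0 tz=0 encrypt=doh req=1 to=4 res=0 rt=1454 ready=1 timer=0 probe=0 failure=3 last_failed=79736
96.45.46.46:53 vrf=0 tz=0 encrypt=none req=0 to=0 res=0 rt=0 ready=1 timer=0 probe=0 failure=0 last_failed=0
96.45.46.46:853 vrf=0 tz=0 encrypt=dot req=80 to=0 res=80 rt=1 ready=1 timer=0 probe=0 failure=0 last_failed=0
96.45.46.46:443 vrf=0 tz=0 encrypt=doh req=1 to=3 res=0 rt=1360 ready=1 timer=0 probe=0 failure=3 last_failed=79612
"""

# One server per line: "<ipv4>:<port> key=value key=value ..."
SERVER_LINE = re.compile(r"^(?P<addr>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+(?P<kv>.+)$")


@dataclass
class DnsServer:
    addr: str
    port: int
    encrypt: str   # 'none' (clear-text, port 53), 'dot' (853) or 'doh' (443)
    req: int       # queries sent to this server
    res: int       # responses received from it
    rt: int        # round-trip time as printed (assumed meaning of the 'rt' field)
    ready: bool
    failure: int   # failure counter as printed (assumed meaning of the 'failure' field)


def parse_servers(text: str) -> list[DnsServer]:
    """Return servers in the order dnsproxy lists them; that order drives failover."""
    servers = []
    for line in text.splitlines():
        m = SERVER_LINE.match(line.strip())
        if not m:
            continue  # skip the CLI prompt and the 'DNS servers:' header
        kv = dict(item.split("=", 1) for item in m.group("kv").split())
        servers.append(DnsServer(
            addr=m.group("addr"),
            port=int(m.group("port")),
            encrypt=kv.get("encrypt", "none"),
            req=int(kv.get("req", 0)),
            res=int(kv.get("res", 0)),
            rt=int(kv.get("rt", 0)),
            ready=kv.get("ready") == "1",
            failure=int(kv.get("failure", 0)),
        ))
    return servers


def failover_first_choice(servers: list[DnsServer]) -> DnsServer | None:
    """In 'failover' mode the first ready server in list order receives all queries;
    the rest are only tried after it fails."""
    for s in servers:
        if s.ready:
            return s
    return None


def failover_uses_cleartext(servers: list[DnsServer]) -> bool:
    """True when 'failover' mode would send queries in clear text even though an
    encrypted (DoT/DoH) server is configured: the situation the article describes."""
    first = failover_first_choice(servers)
    has_encrypted = any(s.encrypt in ("dot", "doh") for s in servers)
    return first is not None and first.encrypt == "none" and has_encrypted


def answering_protocols(servers: list[DnsServer]) -> set[str]:
    """Protocols that have actually returned responses (res > 0), taken from the counters."""
    return {s.encrypt for s in servers if s.res > 0}


def failing_servers(servers: list[DnsServer]) -> list[DnsServer]:
    """Servers with a non-zero failure counter, in list order."""
    return [s for s in servers if s.failure > 0]


def audit(text: str) -> dict:
    """Summarise one dnsproxy listing as a small report."""
    servers = parse_servers(text)
    first = failover_first_choice(servers)
    return {
        "failover_first": f"{first.addr}:{first.port} ({first.encrypt})" if first else None,
        "failover_would_use_cleartext": failover_uses_cleartext(servers),
        "answering_protocols": sorted(answering_protocols(servers)),
        "failing": [f"{s.addr}:{s.port} ({s.encrypt}, failure={s.failure})"
                    for s in failing_servers(servers)],
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_OUTPUT).items():
        print(f"{key}: {value}")
```

Run against the article's capture, the report shows that failover would start with 96.45.45.45:53 in clear text, that only DoT has actually returned responses, and that both DoH servers carry failure counters. Paste your own 'diagnose test application dnsproxy 3' output into SAMPLE_OUTPUT to check a live device.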
Copyright 2024 Fortinet, Inc. All Rights Reserved.