This article describes how to configure system DNS on a FortiGate when the WAN interface is a member of a VRF, so that the FortiGate itself (FortiGuard updates, registration and other locally originated traffic) gets DNS resolution.
Scope: FortiGate.
Initial DNS configuration (DNS servers and source IP set, no outbound interface specified):
config system dns
set primary 8.8.8.8
set secondary 8.8.4.4
set protocol cleartext dot
set ssl-certificate "Fortinet_Factory"
set server-hostname "globalsdns.fortinet.net"
set source-ip 1.2.3.4
end
WAN interface that is a member of VRF 20:
config system interface
edit "wan1"
set vdom "root"
set vrf 20
set ip 1.2.3.4 255.255.255.252
set allowaccess ping https ssh http fgfm
set type physical
set alias "ISP1"
set role wan
set snmp-index 1
next
end
With this configuration, the FortiGate cannot resolve FortiGuard hostnames, even though source-ip points at the address of wan1:
execute ping update.fortiguard.net
Unable to resolve hostname.
execute ping service.fortiguard.net
Unable to resolve hostname.
execute ping directregistration.fortinet.com
Unable to resolve hostname.
Solution: in addition to source-ip, specify wan1 as the outbound interface for the DNS queries:
config system dns
set primary 8.8.8.8
set secondary 8.8.4.4
set protocol cleartext dot
set ssl-certificate "Fortinet_Factory"
set server-hostname "globalsdns.fortinet.net"
set source-ip 1.2.3.4
set interface-select-method specify
set interface "wan1"
end
Specifying wan1 as the outbound interface makes the FortiGate send its DNS queries out of that interface, i.e. inside VRF 20, where the route to the DNS servers exists. Setting source-ip alone only selects the source address of the query and, as the failed pings above show, does not place the query in the VRF of wan1. With the interface specified, DNS resolution works as expected in the VRF scheme:
execute ping update.fortiguard.net
PING fds1.fortinet.com (173.243.138.66): 56 data bytes
64 bytes from 173.243.138.66: icmp_seq=0 ttl=49 time=96.8 ms
64 bytes from 173.243.138.66: icmp_seq=1 ttl=49 time=96.8 ms
64 bytes from 173.243.138.66: icmp_seq=2 ttl=49 time=96.7 ms
64 bytes from 173.243.138.66: icmp_seq=3 ttl=49 time=96.7 ms
64 bytes from 173.243.138.66: icmp_seq=4 ttl=49 time=96.6 ms
--- fds1.fortinet.com ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 96.6/96.7/96.8 ms
execute ping service.fortiguard.net
PING guard.fortinet.net (208.184.237.61): 56 data bytes
64 bytes from 208.184.237.61: icmp_seq=0 ttl=49 time=74.6 ms
64 bytes from 208.184.237.61: icmp_seq=1 ttl=49 time=74.2 ms
64 bytes from 208.184.237.61: icmp_seq=2 ttl=49 time=74.7 ms
64 bytes from 208.184.237.61: icmp_seq=3 ttl=49 time=74.6 ms
64 bytes from 208.184.237.61: icmp_seq=4 ttl=49 time=74.0 ms
--- guard.fortinet.net ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 74.0/74.4/74.7 ms
execute ping directregistration.fortinet.com
PING directregistration.fortinet.com (63.137.229.3): 56 data bytes
64 bytes from 63.137.229.3: icmp_seq=0 ttl=49 time=60.3 ms
64 bytes from 63.137.229.3: icmp_seq=1 ttl=49 time=60.1 ms
64 bytes from 63.137.229.3: icmp_seq=2 ttl=49 time=60.0 ms
64 bytes from 63.137.229.3: icmp_seq=3 ttl=49 time=60.0 ms
64 bytes from 63.137.229.3: icmp_seq=4 ttl=49 time=60.1 ms
--- directregistration.fortinet.com ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 60.0/60.1/60.3 ms
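The following CLI commands are an added verification example and are not part of the original article. They assume the interface name (wan1), VRF number (20) and DNS servers from the configuration above, and show where to look when resolution still fails: whether the route to the resolvers is in the VRF of wan1, which DNS settings the dnsproxy daemon is actually using, and whether queries ever leave wan1. The sniffer also reveals which transport is used, since the configuration allows both cleartext (port 53) and DNS over TLS (port 853).

```text
# Added example, not part of the original article. Interface name (wan1),
# VRF number (20) and resolver addresses are taken from the configuration above.

# 1. Confirm the route to the resolvers is in VRF 20 (the VRF of wan1).
#    Routes are listed per VRF; the entry via wan1 must appear under VRF=20,
#    not under VRF=0.
get router info routing-table all

# 2. Dump the DNS settings the dnsproxy daemon is actually using
#    (servers, protocol, source-ip, outbound interface).
diagnose test application dnsproxy 3

# 3. Capture DNS traffic on wan1 while a lookup is triggered from a second
#    CLI session. Port 53 = cleartext DNS, port 853 = DNS over TLS.
#    No packets here means the query never reached wan1 (wrong VRF or no
#    interface selected in config system dns).
diagnose sniffer packet wan1 'port 53 or port 853' 4 0 l

# In the second session, trigger a lookup:
execute ping update.fortiguard.net
```

If step 3 shows queries leaving wan1 but no answers coming back, the problem is upstream (ISP filtering, wrong resolver) rather than the VRF configuration; if nothing leaves wan1 at all, re-check that interface-select-method is set to specify with interface wan1.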
Copyright 2024 Fortinet, Inc. All Rights Reserved.