FortiGate
arcabah (Staff)
Article Id 281662
Description

This article describes how to configure DNS on a FortiGate whose WAN interface is a member of a VRF, so that DNS resolution works.


Scope

FortiGate.


Solution

  1. Even when source-ip is set in the DNS settings, DNS resolution fails if the WAN interface that owns that address is a member of a VRF.


DNS configuration:


config system dns
      set primary 8.8.8.8
      set secondary 8.8.4.4
      set protocol cleartext dot
      set ssl-certificate "Fortinet_Factory"
      set server-hostname "globalsdns.fortinet.net"
      set source-ip 1.2.3.4
end


Interface WAN member of a VRF:


config system interface
      edit "wan1"
            set vdom "root"
            set vrf 20
            set ip 1.2.3.4 255.255.255.252
            set allowaccess ping https ssh http fgfm
            set type physical
            set alias "ISP1"
            set role wan
            set snmp-index 1
      next
end


execute ping update.fortiguard.net
Unable to resolve hostname.


execute ping service.fortiguard.net
Unable to resolve hostname.


execute ping directregistration.fortinet.com
Unable to resolve hostname.


  2. To avoid this behavior, it is recommended to pin the outbound interface in the DNS configuration:

config system dns
       set primary 8.8.8.8
       set secondary 8.8.4.4
       set protocol cleartext dot
       set ssl-certificate "Fortinet_Factory"
       set server-hostname "globalsdns.fortinet.net"
       set source-ip 1.2.3.4
       set interface-select-method specify
       set interface "wan1"
end


With wan1 specified as the outbound interface in the DNS configuration, DNS resolution works as expected on the VRF scheme:

execute ping update.fortiguard.net
PING fds1.fortinet.com (173.243.138.66): 56 data bytes
64 bytes from 173.243.138.66: icmp_seq=0 ttl=49 time=96.8 ms
64 bytes from 173.243.138.66: icmp_seq=1 ttl=49 time=96.8 ms
64 bytes from 173.243.138.66: icmp_seq=2 ttl=49 time=96.7 ms
64 bytes from 173.243.138.66: icmp_seq=3 ttl=49 time=96.7 ms
64 bytes from 173.243.138.66: icmp_seq=4 ttl=49 time=96.6 ms

--- fds1.fortinet.com ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 96.6/96.7/96.8 ms


execute ping service.fortiguard.net
PING guard.fortinet.net (208.184.237.61): 56 data bytes
64 bytes from 208.184.237.61: icmp_seq=0 ttl=49 time=74.6 ms
64 bytes from 208.184.237.61: icmp_seq=1 ttl=49 time=74.2 ms
64 bytes from 208.184.237.61: icmp_seq=2 ttl=49 time=74.7 ms
64 bytes from 208.184.237.61: icmp_seq=3 ttl=49 time=74.6 ms
64 bytes from 208.184.237.61: icmp_seq=4 ttl=49 time=74.0 ms

--- guard.fortinet.net ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 74.0/74.4/74.7 ms


execute ping directregistration.fortinet.com
PING directregistration.fortinet.com (63.137.229.3): 56 data bytes
64 bytes from 63.137.229.3: icmp_seq=0 ttl=49 time=60.3 ms
64 bytes from 63.137.229.3: icmp_seq=1 ttl=49 time=60.1 ms
64 bytes from 63.137.229.3: icmp_seq=2 ttl=49 time=60.0 ms
64 bytes from 63.137.229.3: icmp_seq=3 ttl=49 time=60.0 ms
64 bytes from 63.137.229.3: icmp_seq=4 ttl=49 time=60.1 ms

--- directregistration.fortinet.com ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 60.0/60.1/60.3 ms
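The two steps above boil down to one check: does the DNS source-ip belong to an interface in a non-default VRF, and if so, is the outbound interface pinned with interface-select-method specify? The following script is an added example (not Fortinet's code) that parses the two CLI blocks in the form shown on this page and flags a configuration that would hit this behavior. The sample configurations, the parser and the audit function are all constructed for this example; the assumption that an interface without a vrf line is in VRF 0 reflects the FortiOS default.

```python
"""Added example (not Fortinet's code): audit a FortiOS CLI dump for the
DNS-in-VRF pitfall described in this article. It parses 'config system dns'
and 'config system interface' as shown on the page and flags a DNS source-ip
that sits on an interface in a non-default VRF while the outbound interface
is not pinned via 'set interface-select-method specify' / 'set interface'."""
import shlex
from typing import Dict, List, Optional

# Constructed sample: the failing configuration from the article (no interface pinned).
BROKEN_CONFIG = """\
config system dns
    set primary 8.8.8.8
    set secondary 8.8.4.4
    set source-ip 1.2.3.4
end
config system interface
    edit "wan1"
        set vdom "root"
        set vrf 20
        set ip 1.2.3.4 255.255.255.252
        set alias "ISP1"
        set role wan
    next
end
"""

# Constructed sample: the corrected configuration (outbound interface pinned to wan1).
FIXED_CONFIG = BROKEN_CONFIG.replace(
    "    set source-ip 1.2.3.4\n",
    "    set source-ip 1.2.3.4\n"
    "    set interface-select-method specify\n"
    '    set interface "wan1"\n',
)


def parse_fortios(config: str) -> Dict[str, dict]:
    """Minimal parser for top-level 'config <path>' blocks of a FortiOS dump.

    Flat blocks (e.g. 'system dns') map to {setting: value}; table blocks with
    'edit' entries map to {entry: {setting: value}}. Nested 'config' sub-blocks
    inside an entry are skipped, which is enough for the check done here.
    """
    tree: Dict[str, dict] = {}
    block: Optional[str] = None   # current top-level block path
    entry: Optional[str] = None   # current 'edit' entry name, if any
    nested = 0                    # depth of nested sub-blocks being skipped
    for raw in config.splitlines():
        parts = shlex.split(raw.strip())
        if not parts:
            continue
        kw = parts[0]
        if nested:
            nested += 1 if kw == "config" else (-1 if kw == "end" else 0)
            continue
        if kw == "config":
            if block is None:
                block = " ".join(parts[1:])
                tree.setdefault(block, {})
            else:
                nested = 1
        elif kw == "edit" and block is not None:
            entry = parts[1]
            tree[block].setdefault(entry, {})
        elif kw == "next":
            entry = None
        elif kw == "end":
            block = entry = None
        elif kw == "set" and block is not None:
            target = tree[block][entry] if entry is not None else tree[block]
            target[parts[1]] = " ".join(parts[2:])
    return tree


def audit_dns_vrf(config: str) -> List[str]:
    """Return findings as text; an empty list means no VRF/DNS mismatch was found."""
    tree = parse_fortios(config)
    dns = tree.get("system dns", {})
    interfaces = tree.get("system interface", {})
    findings: List[str] = []
    source_ip = dns.get("source-ip")
    if not source_ip:
        return findings  # nothing to correlate with an interface
    # Find the interface whose address is the DNS source-ip ('set ip <addr> <mask>').
    owner = next((name for name, s in interfaces.items()
                  if s.get("ip", "").split()[:1] == [source_ip]), None)
    if owner is None:
        findings.append(f"DNS source-ip {source_ip} does not belong to any configured interface")
        return findings
    vrf = int(interfaces[owner].get("vrf", "0"))  # assumption: no vrf line means VRF 0
    pinned = (dns.get("interface-select-method") == "specify"
              and dns.get("interface") == owner)
    if vrf != 0 and not pinned:
        findings.append(
            f"DNS source-ip {source_ip} is on '{owner}' (vrf {vrf}) but the outbound "
            f"interface is not pinned: add 'set interface-select-method specify' and "
            f"'set interface \"{owner}\"' under 'config system dns'")
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        result = audit_dns_vrf(cfg)
        print(f"{label}: {'OK' if not result else result[0]}")
```

Run it against a full configuration backup (show full-configuration output) to find the same mismatch on other units; the script only inspects the two blocks above and ignores everything else in the dump.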
