How VDOM-DNS works

Toshi_Esumi · ‎12-18-2023

I'm referring two KBs below for this issue:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiGate-alt-primary-alt-secondary-DNS-se...
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuration-per-VDOM-DNS/ta-p/190815

But in reality with 7.0.13, the vdom-dns config accepts only alt-primary/alt-secondary unlike the 2nd KB describes.
With this, how is the DNS decided at the vdom (test-vdom)? Always ask global primary/secondary first? Then only when they're unreachable vdom-dns is used? Or only vdom-dns is used? I prefer the latter behavior but not sure.

Also, what protocol would be used if alt-primary/alt-secondary was chosen? Same as the primary/secondary?

fg40f-utm (global) # config sys dns
 
fg40f-utm (dns) # get
primary             : 96.45.45.45
secondary           : 96.45.46.46
protocol            : dot
ssl-certificate     : Fortinet_Factory
server-hostname     : "globalsdns.fortinet.net"
domain              :
ip6-primary         : ::
ip6-secondary       : ::
timeout             : 5
retry               : 2
dns-cache-limit     : 5000
dns-cache-ttl       : 1800
cache-notfound-responses: disable
source-ip           : 0.0.0.0
interface-select-method: auto
server-select-method: least-rtt
alt-primary         : 0.0.0.0
alt-secondary       : 0.0.0.0
log                 : disable
 
fg40f-utm (test-vdom) # config system vdom-dns
 
fg40f-utm (vdom-dns) # get
vdom-dns            : disable
alt-primary         : 0.0.0.0
alt-secondary       : 0.0.0.0

Toshi

Debbie_FTNT · ‎12-19-2023

Hey Toshi,

can you please try the following?
#config vdom
#edit <>
#config system vdom-dns

#set vdom-dns enable

#set primary/secondary [...]

This is from a 7.2.6 FGT; the 'set primary/secondary' options only become available after vdom-dns is enabled.

The alt-primary and alt-secondary settings were added in 7.0 as far as I can tell, and are used only if neither primary nor secondary DNS server can resolve the hostname (not as a failover for timeout, but explicitly when hostnames fail to resolve), and the protocol should be the same as for primary/secondary.
Use cases would be to have one set as internal DNS and one set as external DNS, for example.
EDIT: I found a KB on this: https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiGate-alt-primary-alt-secondary-DNS-se...

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++

View solution in original post

Debbie_FTNT · ‎12-19-2023

Hey Toshi,

can you please try the following?
#config vdom
#edit <>
#config system vdom-dns

#set vdom-dns enable

#set primary/secondary [...]

This is from a 7.2.6 FGT; the 'set primary/secondary' options only become available after vdom-dns is enabled.

The alt-primary and alt-secondary settings were added in 7.0 as far as I can tell, and are used only if neither primary nor secondary DNS server can resolve the hostname (not as a failover for timeout, but explicitly when hostnames fail to resolve), and the protocol should be the same as for primary/secondary.
Use cases would be to have one set as internal DNS and one set as external DNS, for example.
EDIT: I found a KB on this: https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiGate-alt-primary-alt-secondary-DNS-se...

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++

Toshi_Esumi · ‎12-19-2023

Thanks Debibe as usual. Then we can't make 8.8.8.8/8.8.8.4 as alternative DNS if the primary/secondary's protocol:dot.

Toshi