FortiGate
Article Id 274940
ccho (Staff)

Description

This article describes FortiGate’s DNS query behavior when multiple DNS protocols are enabled.

Scope

FortiGate v7.0, v7.2, v7.4.

Solution

Multiple DNS protocols can be enabled under Network -> DNS.

[Screenshot: Network -> DNS page with multiple DNS protocols enabled]

FortiGate DNS query behavior is influenced by the following configuration:

config system dns
    set server-select-method { least-rtt | failover }
end

set server-select-method least-rtt (default setting)

If 'set server-select-method' is set to 'least-rtt', FortiGate will actively use both 'DNS over TLS' and 'DNS over HTTPS' when all DNS protocols are enabled, selecting servers by their measured round-trip time.

Clear-text DNS is NOT used when it is enabled in combination with any other DNS protocol that offers encryption; it is only used if it is the only protocol enabled.

set server-select-method failover

If 'set server-select-method' is set to 'failover', FortiGate builds a list of available DNS servers and protocols. It queries the server at the top of the list and only moves on to the next server in the list when it detects a DNS query failure with that particular server.

The DNS server list can be found by running the following command:

diagnose test application dnsproxy 3

When all DNS protocols are enabled, the list is built in this order:

fortigate (global) # diagnose test application dnsproxy 3
DNS servers:
96.45.45.45:53 vrf=0 tz=0 encrypt=none req=0 to=0 res=0 rt=0 ready=1 timer=0 probe=0 failure=0 last_failed=0
96.45.45.45:853 vrf=0 tz=0 encrypt=dot req=37 to=0 res=37 rt=7 ready=1 timer=0 probe=0 failure=0 last_failed=0
96.45.45.45:443 vrf=0 tz=0 encrypt=doh req=1 to=4 res=0 rt=1454 ready=1 timer=0 probe=0 failure=3 last_failed=79736
96.45.46.46:53 vrf=0 tz=0 encrypt=none req=0 to=0 res=0 rt=0 ready=1 timer=0 probe=0 failure=0 last_failed=0
96.45.46.46:853 vrf=0 tz=0 encrypt=dot req=80 to=0 res=80 rt=1 ready=1 timer=0 probe=0 failure=0 last_failed=0
96.45.46.46:443 vrf=0 tz=0 encrypt=doh req=1 to=3 res=0 rt=1360 ready=1 timer=0 probe=0 failure=3 last_failed=79612

FortiGate will query '96.45.45.45:53' first, as it is the first server in the list. When this server fails, it moves on to the next server in line, '96.45.45.45:853', and then to '96.45.45.45:443'.

In this configuration, clear-text DNS is used first because it is the first server in the list. As long as '96.45.45.45:53' continues to respond to queries, the other servers and protocols will not be used, so the encrypted protocols only come into play after a clear-text failure. Note also the 'failure' and 'to' (timeout) counters: in the output above both DoH entries show failure=3 and no responses (res=0), so a failover that reaches them would land on servers that are themselves not answering.

If queries must stay encrypted, either keep the default 'least-rtt' method, which does not use clear-text DNS while an encrypted protocol is enabled, or do not enable clear-text DNS alongside 'DNS over TLS' and 'DNS over HTTPS' when 'failover' is in use.
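As an added example (not part of this article and not Fortinet code), the following Python script parses a saved copy of the dnsproxy list above and reports which server receives queries under each 'server-select-method', along with any entries showing failures or timeouts. The selection rules are a simplified model of the behavior described in this article: the assumption that 'ready=1' marks a usable server and the ranking of encrypted servers by 'rt' for 'least-rtt' are mine, not documented by Fortinet.

```python
"""Added example (not Fortinet code): parse 'diagnose test application
dnsproxy 3' output and report which server a FortiGate would use under each
'server-select-method'.

Assumptions (not stated by the article): a server is usable when ready=1,
and least-rtt is modelled as 'lowest rt among encrypted ready servers'."""

import re
from dataclasses import dataclass

# Sample input: the dnsproxy list shown in this article, pasted verbatim.
SAMPLE_OUTPUT = """\
DNS servers:
96.45.45.45:53 vrf=0 tz=0 encrypt=none req=0 to=0 res=0 rt=0 ready=1 timer=0 probe=0 failure=0 last_failed=0
96.45.45.45:853 vrf=0 tz=0 encrypt=dot req=37 to=0 res=37 rt=7 ready=1 timer=0 probe=0 failure=0 last_failed=0
96.45.45.45:443 vrf=0 tz=0 encrypt=doh req=1 to=4 res=0 rt=1454 ready=1 timer=0 probe=0 failure=3 last_failed=79736
96.45.46.46:53 vrf=0 tz=0 encrypt=none req=0 to=0 res=0 rt=0 ready=1 timer=0 probe=0 failure=0 last_failed=0
96.45.46.46:853 vrf=0 tz=0 encrypt=dot req=80 to=0 res=80 rt=1 ready=1 timer=0 probe=0 failure=0 last_failed=0
96.45.46.46:443 vrf=0 tz=0 encrypt=doh req=1 to=3 res=0 rt=1360 ready=1 timer=0 probe=0 failure=3 last_failed=79612
"""


@dataclass
class DnsServer:
    ip: str
    port: int
    encrypt: str      # none (clear-text UDP/53), dot (TLS/853) or doh (HTTPS/443)
    req: int          # queries sent
    timeouts: int     # the 'to' counter
    res: int          # responses received
    rt: int           # measured round-trip time
    ready: bool
    failure: int


_LINE_RE = re.compile(r"^(?P<ip>[\d.]+):(?P<port>\d+)\s+(?P<kv>.+)$")


def parse_dnsproxy(text):
    """Return the server entries in list order; lines that are not
    'ip:port key=value ...' (such as the 'DNS servers:' header) are skipped."""
    servers = []
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if not m:
            continue
        kv = dict(pair.split("=", 1) for pair in m.group("kv").split())
        servers.append(DnsServer(
            ip=m.group("ip"), port=int(m.group("port")), encrypt=kv["encrypt"],
            req=int(kv["req"]), timeouts=int(kv["to"]), res=int(kv["res"]),
            rt=int(kv["rt"]), ready=kv["ready"] == "1", failure=int(kv["failure"]),
        ))
    return servers


def failover_order(servers):
    """failover: list order is query order; the first ready server keeps
    receiving all queries until it fails."""
    return [s for s in servers if s.ready]


def least_rtt_order(servers):
    """least-rtt: clear-text entries are ignored while any encrypted entry
    exists; the remaining ready servers are ranked by rt (assumption)."""
    ready = [s for s in servers if s.ready]
    encrypted = [s for s in ready if s.encrypt != "none"]
    return sorted(encrypted or ready, key=lambda s: s.rt)


def audit(servers, method):
    """Return (server that receives queries, list of findings) for a method."""
    order = {"failover": failover_order, "least-rtt": least_rtt_order}[method](servers)
    if not order:
        raise ValueError("no ready DNS server in list")
    first = order[0]
    findings = []
    if first.encrypt == "none":
        findings.append(f"queries leave in clear text to {first.ip}:{first.port}")
    # Entries that are timing out or failing would not help if failover reaches them.
    for s in servers:
        if s.failure or s.timeouts:
            findings.append(f"{s.ip}:{s.port} ({s.encrypt}) failure={s.failure} to={s.timeouts} res={s.res}")
    return first, findings


if __name__ == "__main__":
    servers = parse_dnsproxy(SAMPLE_OUTPUT)
    for method in ("least-rtt", "failover"):
        first, findings = audit(servers, method)
        print(f"{method}: first server {first.ip}:{first.port} encrypt={first.encrypt}")
        for f in findings:
            print("  -", f)
```

Run it against a capture of the real command on a unit to see whether the failover path starts at a clear-text entry; on the sample above it reports '96.45.45.45:53' for 'failover' and '96.45.46.46:853' (DoT, rt=1) for 'least-rtt', and lists both DoH entries as failing.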