ccho
Staff
Article Id 275269
Description

 

This article describes the FortiGate alt-primary DNS server feature and its configuration.

 

Scope

 

FortiOS 7.0, 7.2, 7.4.

 

Solution

 

The alt-primary and alt-secondary DNS servers are configured from the CLI:

 

config system dns
    set alt-primary {ipv4-address}
    set alt-secondary {ipv4-address}
end

 

Alt-dns servers are alternative DNS servers that FortiGate uses for its own queries under one specific condition.

FortiGate queries the configured alt-dns servers only when its primary/secondary DNS server returns a name resolution error (NXDOMAIN) for a name query. A timeout or any other error from the primary/secondary servers does not trigger the alt-dns servers.

 

A common use case for alt-dns servers is resolving internal domain names that the public DNS servers cannot resolve.

 

Example Workflow:

 

config system dns
    set primary 96.45.45.45
    set secondary 96.45.46.46
    set protocol dot
    set server-hostname "globalsdns.fortinet.net"
    set alt-primary 10.0.0.3
    set alt-secondary 10.0.0.4
end

 

  • FortiGate's primary and secondary DNS servers are configured as public DNS servers; the alt-primary and alt-secondary servers are internal.
  • FortiGate needs to resolve the internal name www.test.lab.
  • A server is selected between the primary and secondary DNS servers according to the 'set server-select-method' setting.
  • The query is sent to the chosen primary/secondary DNS server.
  • The public DNS server returns a name resolution error, 'NXDOMAIN'.
  • Another server selection takes place, this time between the alt-primary and alt-secondary DNS servers.
  • The same query for www.test.lab is sent to the chosen alt-dns server, which answers it.

Note that in this workflow every internal name is first sent to the public DNS server and only reaches the internal servers after an NXDOMAIN. If internal names should never be sent to public resolvers, use DNS conditional forwarding for the internal domain instead of alt-dns servers.

 

For alt-dns servers to be used, all of the following conditions must be met:

  1. The primary/secondary DNS server returned NXDOMAIN for the query.
  2. At least one alternate server (alt-primary or alt-secondary) is configured.
  3. DNS domain forwarding is not configured.
  4. The DNS protocol is DoT or DoH. Alt-dns servers are not used with cleartext DNS.
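To make the workflow and the four conditions above checkable, here is an added example that is not FortiOS code and not part of this article: a small Python model that parses a 'config system dns' CLI block and replays a lookup against constructed resolver responses. The server addresses match the example workflow; the responses, the 'unreachable' marker for 10.0.0.3 and the name www.example.com are constructed for illustration, and only the 'failover' server-select-method is modeled (least-rtt would need timing data).

```python
"""
Added example (not FortiOS code and not from the article): a model of the
alt-dns decision rules. It parses a 'config system dns' block and replays a
name lookup against constructed resolver responses.
"""
import re

NOERROR, NXDOMAIN, SERVFAIL, TIMEOUT = "NOERROR", "NXDOMAIN", "SERVFAIL", "TIMEOUT"


def parse_system_dns(cli_text):
    """Return the 'set <key> <value>' pairs inside a 'config system dns' block."""
    cfg, in_block = {}, False
    for raw in cli_text.splitlines():
        line = raw.strip()
        if line == "config system dns":
            in_block = True
        elif in_block and line == "end":
            break
        elif in_block:
            m = re.match(r"set\s+(\S+)\s+(.+)$", line)
            if m:
                cfg[m.group(1)] = m.group(2).strip().strip('"')
    return cfg


def alt_dns_eligible(cfg, domain_forwarding=False):
    """Conditions 2-4 from the list above; returns (eligible, reasons_not)."""
    reasons = []
    if not (cfg.get("alt-primary") or cfg.get("alt-secondary")):
        reasons.append("no alt-primary/alt-secondary configured")
    if domain_forwarding:
        reasons.append("domain forwarding is configured")
    if cfg.get("protocol", "cleartext") not in ("dot", "doh"):
        reasons.append("protocol is not dot or doh")
    return not reasons, reasons


def _query_group(servers, name, responses):
    """Failover selection: ask the first reachable server; unreachable ones are skipped."""
    tried = []
    for srv in servers:
        if not srv:
            continue
        tried.append(srv)
        table = responses.get(srv)
        if table is None:  # constructed 'unreachable' marker: fail over to the next server
            continue
        rcode, answer = table.get(name, (NXDOMAIN, None))
        return rcode, answer, tried
    return TIMEOUT, None, tried


def resolve(name, cfg, responses, domain_forwarding=False):
    """Replay the workflow: primary/secondary first, alt servers only on NXDOMAIN.

    Returns (rcode, answer, servers_queried_in_order).
    """
    rcode, answer, tried = _query_group(
        [cfg.get("primary"), cfg.get("secondary")], name, responses)
    if rcode != NXDOMAIN:
        return rcode, answer, tried  # SERVFAIL/timeout do not trigger alt-dns (condition 1)
    eligible, _ = alt_dns_eligible(cfg, domain_forwarding)
    if not eligible:
        return rcode, answer, tried
    rcode, answer, alt_tried = _query_group(
        [cfg.get("alt-primary"), cfg.get("alt-secondary")], name, responses)
    return rcode, answer, tried + alt_tried


# Constructed config: same servers as the example workflow in the article.
SAMPLE_CONFIG = """
config system dns
    set primary 96.45.45.45
    set secondary 96.45.46.46
    set protocol dot
    set server-hostname "globalsdns.fortinet.net"
    set alt-primary 10.0.0.3
    set alt-secondary 10.0.0.4
end
"""

# Constructed responses: the public servers do not know test.lab, the internal
# 10.0.0.4 does, and 10.0.0.3 is deliberately absent (unreachable) to show failover.
RESPONSES = {
    "96.45.45.45": {"www.example.com": (NOERROR, "203.0.113.10")},
    "96.45.46.46": {"www.example.com": (NOERROR, "203.0.113.10")},
    "10.0.0.4": {"www.test.lab": (NOERROR, "10.0.0.50")},
}

if __name__ == "__main__":
    cfg = parse_system_dns(SAMPLE_CONFIG)
    for name in ("www.test.lab", "www.example.com"):
        print(name, resolve(name, cfg, RESPONSES))
    print("cleartext:", resolve("www.test.lab", dict(cfg, protocol="cleartext"), RESPONSES))
```

The third element of the result, the list of servers queried in order, is the part worth looking at: for www.test.lab it starts with 96.45.45.45, which is the public server learning the internal name before any alt server is asked. Switching the parsed config to 'cleartext', enabling domain forwarding, or having the public server answer SERVFAIL instead of NXDOMAIN all end the lookup at the public server with no alt-dns attempt, matching the conditions listed above.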

 

Domain forwarding is described in: Technical Tip: DNS conditional forwarding.

 

The option 'set server-hostname' is not available when using the cleartext protocol.

 

The FortiGate alt-dns query honors the 'set server-select-method' setting as well as the 'set protocol' setting, so the alt-dns servers must answer over the same protocol (DoT or DoH) as the primary/secondary servers.

 

config system dns
    set server-select-method {least-rtt | failover}
    set protocol {cleartext | dot | doh}
end

 

Related article:

Technical Tip: FortiGate DNS query preference when multiple DNS protocols are enabled.