Admin Guide (Standalone)

Force DNS request to go through DNSPROXY

In FortiExtender 7.2.2, the system/dns/search-order option and the default DNS server (8.8.8.8) have been replaced. FortiExtender now uses one of two algorithms to decide the DNS server selection order:

  • least-rtt — In the dns-server selection pool, the round-trip time of each dns-server IP is now calculated and sorted from the shortest to the longest. FortiExtender picks from the shortest one.

  • failover — This algorithm is a relatively fixed order. The first pick does not change until it fails the first time. The order is primary dns > secondary dns > dynamic dns (learned from DHCP).

In addition, you can now configure the following system DNS parameters on the FortiExtender:

  • primary DNS server

  • secondary DNS server

  • timeout

  • retry attempts

  • maximum DNS cache limit

  • DNS cache TTL

  • cache not-found response option

  • source IP

  • server select method

### get system dns
This command has been redesigned to show all of the DNS configuration information, for example:

```
# get system dns
primary                  : 208.91.112.53
secondary                : 208.91.112.52
timeout                  : 5
retry                    : 3
dns-cache-limit          : 5000
dns-cache-ttl            : 1800
cache-notfound-responses : disable
source-ip                : 0.0.0.0
server-select-method     : least-rtt
acquired servers         :
wan:   172.30.1.105
```
### config system dns

```
config system dns
    set primary 208.91.112.53
    set secondary 208.91.112.52
    set timeout 5
    set retry 3
    set dns-cache-limit 5000
    set dns-cache-ttl 1800
    set cache-notfound-responses disable
    set source-ip 0.0.0.0
    set server-select-method least-rtt
end
```
| Field | Description | Mandatory | Type | Value | Default value |
| --- | --- | --- | --- | --- | --- |
| primary | Specify the primary static DNS server IP. | Yes | string | IPv4 | 208.91.112.53 |
| secondary | Specify the secondary static DNS server IP. | Yes | string | IPv4 | 208.91.112.52 |
| timeout | Specify the timeout in seconds. | Yes | number | 0-10 | 5 |
| retry | Specify the number of retry attempts allowed for unsuccessful connections. | Yes | number | 0-5 | 3 |
| dns-cache-limit | Specify the maximum amount of cache that can be stored. | Yes | number | 0-4294967295 | 5000 |
| dns-cache-ttl | Specify the TTL of cached DNS values in seconds. | Yes | number | 60-86400 | 1800 |
| cache-notfound-responses | Specify whether not-found responses are saved in the cache. If enabled, a repeated query for the same name is answered from the cache and is not forwarded to the DNS server again. | Yes | option | disable/enable | disable |
| source-ip | Specify the source IP address used for DNS requests sent to the DNS server. | Yes | string | IPv4 | 0.0.0.0 |
| server-select-method | Specify how configured servers are prioritized. least-rtt: the round-trip time of each DNS server IP in the selection pool is calculated and sorted from the shortest to the longest, and the shortest is picked. failover: a relatively fixed order; the first pick does not change until it fails the first time. The order is primary DNS > secondary DNS > dynamic DNS (learned from DHCP). | Yes | option | least-rtt / failover | least-rtt |
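The two server-select-method algorithms described in the introduction and in the table above, as an added example (not FortiExtender's own code) that runs the same constructed event sequence under each method so the difference is visible: a pool with the primary, secondary and one DHCP-learned server, constructed RTT measurements, and a failure report that removes the chosen server from the pool. The class, method and field names (DnsPool, select, report_rtt, report_failure, demo) are assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class DnsPool:
    """Constructed model of the dns-server selection pool (names are illustrative)."""
    primary: str
    secondary: str
    dynamic: List[str] = field(default_factory=list)       # learned from DHCP, lowest priority
    method: str = "least-rtt"                                # server-select-method: least-rtt | failover
    rtt_ms: Dict[str, float] = field(default_factory=dict)   # latest measured round-trip time per server
    failed: Set[str] = field(default_factory=set)            # servers that failed (timeout after retries)
    current: Optional[str] = None                            # sticky pick kept by the failover method

    def fixed_order(self) -> List[str]:
        # failover order: primary dns > secondary dns > dynamic dns (learned from DHCP)
        return [self.primary, self.secondary] + list(self.dynamic)

    def select(self) -> Optional[str]:
        # Return the server to query next, or None when every server in the pool has failed.
        candidates = [s for s in self.fixed_order() if s not in self.failed]
        if not candidates:
            return None
        if self.method == "least-rtt":
            # Sort by round-trip time, shortest first; servers with no measurement yet sort last.
            candidates.sort(key=lambda s: self.rtt_ms.get(s, float("inf")))
            return candidates[0]
        if self.method == "failover":
            # The first pick does not change until it fails; then move to the next in fixed order.
            if self.current is None or self.current in self.failed:
                self.current = candidates[0]
            return self.current
        raise ValueError(f"unknown server-select-method: {self.method}")

    def report_rtt(self, server: str, ms: float) -> None:
        self.rtt_ms[server] = ms

    def report_failure(self, server: str) -> None:
        self.failed.add(server)


def demo(method: str) -> List[Optional[str]]:
    # Same constructed events under one method: first pick, then the pick after that server fails.
    pool = DnsPool("208.91.112.53", "208.91.112.52", ["172.30.1.105"], method=method)
    pool.report_rtt("208.91.112.53", 40.0)   # constructed RTTs: the DHCP-learned server is fastest
    pool.report_rtt("208.91.112.52", 25.0)
    pool.report_rtt("172.30.1.105", 3.0)
    picks = [pool.select()]
    pool.report_failure(pool.select())        # the chosen server stops answering
    picks.append(pool.select())
    return picks
```

Under least-rtt the first pick is the fastest server regardless of its position in the pool, while under failover the primary is kept until it fails even when a slower server is configured ahead of a faster one.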