Having this same question. Running 6.0.3. We have our two AD-based DNS IPs listed for DNS on the Gate, with our internal domain indicated also. The guide indicates this will search internally for hosts first and then externally. Our logs indicate this is what happens, but of course all queries go through the internal DNS, and they use forwarders (set to ISP DNS) for external lookups.
With this config, Fortiguard works and checks out via port 53 lookups.
We have a policy that restricts our AD DNS servers. Today we applied a DNS Filter profile to it as a way to get additional DNS logging. It seems to be working fine, and FAZ logs show it is returning category information.
The confusion mentioned above is easy to encounter. Networking/DNS indicates: "FortiGate includes default DNS server addresses. However, you should change these addresses to ones that your Internet Service Provider (ISP) provides. The defaults are DNS proxies and are not as reliable as those from your ISP."
Note: I would add that if you are using Active Directory, these settings should be your AD DNS IPs IF you want to be able to resolve internal hostnames in policies. Put your ISP DNS as forwarders on the internal AD DNS servers.
Security Profiles/DNS Filter indicates: "When DNS web filtering is enabled, your FortiGate must use the FortiGuard DNS service for DNS lookups."
Using the following command via the CLI:
show full | grep -f sdns
I was able to confirm that yes, our Gate is configured to use the US FortiGuard server.
post edited by seadave - 2019/05/21 18:21:20
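The check seadave did by hand with `show full | grep -f sdns` can be done over a whole `show full-configuration` dump: pull out the system DNS servers and internal domain, the FortiGuard SDNS server, and every firewall policy that carries a DNS Filter profile. The script below is an added example, not code from the post or from Fortinet. It assumes the plain-text `config` / `edit` / `set` / `next` / `end` layout that FortiOS prints; the embedded config, its RFC 1918 / RFC 5737 addresses, the domain `corp.example.com` and the policy names are constructed for illustration, not captured from a real FortiGate.

```python
"""Audit a FortiOS 'show full-configuration' dump for the DNS settings
discussed in the thread: system DNS servers and internal domain,
FortiGuard SDNS server, and which policies apply a DNS Filter profile.

Added example, not from the original post. SAMPLE_CONFIG is constructed
(RFC 1918 / RFC 5737 addresses, made-up names), not a real capture.
"""
import shlex

SAMPLE_CONFIG = """\
config system dns
    set primary 10.0.0.10
    set secondary 10.0.0.11
    set domain "corp.example.com"
end
config system fortiguard
    set sdns-server-ip "203.0.113.53"
    set sdns-server-port 53
end
config firewall policy
    edit 1
        set name "AD-DNS-out"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "AD-DNS-servers"
        set dstaddr "all"
        set action accept
        set service "DNS"
        set utm-status enable
        set dnsfilter-profile "default"
    next
    edit 2
        set name "LAN-out"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set service "ALL"
    next
end
"""


def parse_fortios(text):
    """Parse FortiOS CLI config text into nested dicts.

    'config a b' opens a section keyed "a b"; 'edit X' opens a table entry
    keyed "X"; 'set k v' stores v as a string (or a list when the value has
    several tokens, e.g. multiple srcaddr objects); 'next'/'end' close the
    current entry/section. Quoting is handled by shlex.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tokens = shlex.split(line)
        keyword, args = tokens[0], tokens[1:]
        if keyword == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif keyword == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif keyword == "set":
            stack[-1][args[0]] = args[1] if len(args) == 2 else args[1:]
        elif keyword in ("next", "end"):
            stack.pop()
    return root


def audit_dns(config):
    """Summarise the DNS-related settings a reviewer of this thread cares about."""
    sysdns = config.get("system dns", {})
    fortiguard = config.get("system fortiguard", {})
    policies = config.get("firewall policy", {})
    # Policies that have a DNS Filter profile attached (UTM applied to the flow).
    filtered = sorted(pid for pid, pol in policies.items() if pol.get("dnsfilter-profile"))
    return {
        "dns_servers": [sysdns[k] for k in ("primary", "secondary") if k in sysdns],
        "internal_domain": sysdns.get("domain"),
        "sdns_server": fortiguard.get("sdns-server-ip"),
        "dnsfilter_policies": filtered,
    }


if __name__ == "__main__":
    for key, value in audit_dns(parse_fortios(SAMPLE_CONFIG)).items():
        print(f"{key}: {value}")
```

Feed it the output of `show full-configuration` saved to a file (read the file into `parse_fortios` instead of `SAMPLE_CONFIG`) and the report shows at a glance whether the system DNS points at the AD servers with the internal domain set, which SDNS server the box is configured to use, and which policies actually have the DNS Filter profile applied.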