This article describes how, when DNS is configured as the probing protocol for an SD-WAN Performance SLA health check, FortiGate sends DNS A-record queries to the configured DNS server.
Scope
FortiGate.
Solution
Use FortiGate's System DNS servers ('set system-dns enable') or specify a target DNS server.
Optionally, configure ‘dns-request-domain’ and ‘dns-match-ip’ (available under the CLI settings).
dns-request-domain: if not set, FortiGate queries example.com by default.
dns-match-ip: 0.0.0.0 by default. With the default value, as long as FortiGate can query the DNS server for the 'dns-request-domain' and receives a DNS response, the Performance SLA check succeeds and the interface member state shows as alive.
Example:
config system sdwan
    set status enable
    config health-check
        edit "dns_sla"
            set server "8.8.8.8"
            set protocol dns
            set dns-request-domain "update.fortiguard.net"
            set dns-match-ip 12.34.97.16
            set members 1 2
        next
    end
end
Packet capture of the DNS probe from FortiGate (10.47.1.37) to the target server (8.8.8.8):
The DNS response from the target server includes 12.34.97.16 in the list of resolved IP addresses. The Performance SLA therefore shows as alive, because that address matches the one configured on 'dns-match-ip'.
If the address configured on 'dns-match-ip' is not among the resolved IP addresses in the DNS response, the Performance SLA check fails and the interface member state shows as a 'dead' member.
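The following Python script is an added illustration of the decision described above; it is not FortiGate code and is not from this article. It parses a DNS response, collects the A records, and applies the 'dns-match-ip' rule: with the default 0.0.0.0 any response marks the probe alive, otherwise the configured address must appear in the answer list. The sample response (transaction ID 0x1234, answers 12.34.97.16 and a second constructed address 12.34.97.17 for "update.fortiguard.net") is built inline so the script runs offline; the function names, the second address and the 300-second TTL are assumptions. The point worth noting for a defender is the difference between the two modes: 0.0.0.0 only proves the path can carry a DNS reply, while a specific 'dns-match-ip' also checks the content of the answer, so a link whose resolver returns unexpected addresses is reported as dead rather than alive.

```python
import struct


def _encode_name(name: str) -> bytes:
    """Encode a dotted hostname as DNS labels (no compression)."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def build_response(txid: int, qname: str, ips: list[str]) -> bytes:
    """Build a minimal DNS response (QR=1, one question, N A records).
    Answer names use a compression pointer (0xC00C) to the question name."""
    header = struct.pack("!6H", txid, 0x8180, 1, len(ips), 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    answers = b""
    for ip in ips:
        rdata = bytes(int(o) for o in ip.split("."))
        # name pointer, TYPE A, CLASS IN, TTL 300 (assumed), RDLENGTH 4, RDATA
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return header + question + answers


def _read_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Decode a possibly-compressed DNS name; return (name, offset after the name)."""
    labels = []
    jumped = False
    end = offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer: follow it once
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            offset = pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_a_records(msg: bytes) -> tuple[int, list[str]]:
    """Parse a DNS response; return (transaction id, list of A-record IPv4 strings)."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!6H", msg[:12])
    if flags & 0x8000 == 0:
        raise ValueError("QR bit clear: this is a query, not a response")
    offset = 12
    for _ in range(qdcount):  # skip the question section
        _, offset = _read_name(msg, offset)
        offset += 4  # QTYPE + QCLASS
    ips = []
    for _ in range(ancount):
        _, offset = _read_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record, IN class
            ips.append(".".join(str(b) for b in rdata))
    return txid, ips


def sla_alive(response: bytes, dns_match_ip: str = "0.0.0.0") -> bool:
    """Apply the article's rule: 0.0.0.0 accepts any response, otherwise the
    configured address must be among the resolved A records. Malformed or
    missing data counts as a failed probe."""
    try:
        _, ips = parse_a_records(response)
    except (ValueError, IndexError, struct.error):
        return False
    if dns_match_ip == "0.0.0.0":
        return True
    return dns_match_ip in ips


# Constructed sample: the article's 12.34.97.16 plus an assumed second address.
SAMPLE_RESPONSE = build_response(0x1234, "update.fortiguard.net", ["12.34.97.16", "12.34.97.17"])

if __name__ == "__main__":
    print(parse_a_records(SAMPLE_RESPONSE))
    for match_ip in ("12.34.97.16", "0.0.0.0", "10.0.0.1"):
        print(match_ip, "->", "alive" if sla_alive(SAMPLE_RESPONSE, match_ip) else "dead")
```

Run it as-is to see the parsed answer list and the alive/dead verdict for a matching address, the 0.0.0.0 default, and an address that is not in the response. The parser stops at the answer section and ignores authority and additional records, which is all the match rule needs.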