Fortinet Document Library

Version:

Version:

Version:

Version:

Version:


Table of Contents

Handbook

Configuring DNS zones

The DNS zone configuration is the key to the global load balancing solution. This configuration contains the key DNS server settings, including:

  • Domain name and name server details.
  • Type—Whether the server is the master or a forwarder.
  • DNSSEC—Whether to use DNSSEC.
  • DNS RR records—The zone configuration contains resource records (RR) used to resolve DNS queries delegated to the domain by the parent zone.

You can specify different DNS server settings for each zone you create. For example, the DNS server can be a master for one zone and a forwarder for another zone.

Before you begin:

  • You must have a good understanding of DNS and knowledge of the DNS deployment in your network.
  • You must have authority to create authoritative DNS zone records for your network.
  • You must have Read-Write permission for Global Load Balance settings.

After you have configured a DNS zone, you can select it in the DNS policy configuration.

To configure the DNS zone:
  1. Go to Global Load Balance > Zone Tools.
  2. Click the Zone tab.
  3. Click Create New to display the configuration editor.
  4. Complete the configuration as described in DNS zone configuration.

DNS zone configuration

Settings Guidelines

Name

Configuration name. Valid characters are A-Z, a-z, 0-9, _, and -. No spaces. You reference the name in the global DNS policy configuration.

Note:

  • FortiADC supports third-party domain names.
  • After you initially save the configuration, you cannot edit the name.

Type

  • Master—The configuration contains the “master” copy of data for the zone and is the authoritative server for it.
  • Forward—The configuration allows you to apply DNS forwarding on a per-domain basis, overriding the forwarding settings in the “general” configuration.
  • FQDN Generate—The zone and its resource record is generated from the global load balancing framework.

Domain Name

The domain name must end with a period. For example: example.com.

DNS policy

Select the DNS policy you want the zone to use.

Forward Options

Forward

  • First—The DNS server queries the forwarder before doing its own DNS lookup.
  • Only—Only query the forwarder. Do not perform a DNS lookup.
  • Note: The internal server caches the results it learns from the forwarders, which optimizes subsequent lookups.

Forwarders

Select a remote server configuration object.

Master Options

TTL

The $TTL directive at the top of the zone file (before the SOA) gives a default TTL for every RR without a specific TTL set.

The default is 86,400. The valid range is 0 to 2,147,483,647.

Negative TTL The last field in the SOA—the negative caching TTL. This informs other servers how long to cache no-such-domain (NXDOMAIN) responses from you. The default is 3600 seconds. The valid range is 0 to 2,147,483,647.

Responsible Mail

Username of the person responsible for this zone, such as hostmaster.example.com..

Note: Format is mailbox-name.domain.com. (remember the trailing dot). The format uses a dot, not the @ sign used in email addresses because @ has other uses in the zone file. Email, however, is sent to hostmaster@example.com.

Primary Server Name

Sets the server name in the SOA record.

Primary Server Address

The IP address of the primary server.

DNSSEC

Enable/Disable DNSSEC

Only when a DNS policy has been set, and DNESSC is enabled, will the Back Up DSSET Key, Regenerate DNSSEC KEY and Restore DNSSEC Key appear.

Back Up DSSET Key includes the following types of keys: 

  • KSK. Type characters for a string key. To regenerate the KSK, disable and re-enable DNSSEC.
  • ZSK. Type characters for a string key. To regenerate the ZSK, disable and re-enable DNSSEC.
  • DSSET. It is generated by the system if DNSSEC is enabled for the zone.

Restore DNSSEC Key should be a tar type file.

 

DSSET List

Select a DSSET configuration object. See Configuring the DSSET list.

Serial

Set the serial number of the zone. Default 10004. Range 1-4294967295.

Notify Status

Enable/Disable notify status. The IP in "also notify IP list" will be notified only when Notify Status is enabled.

Also Notify IP List

Set a list of IP addresses that will be notified if Notify Status is enabled.

Allow Transfer

Defines a list of IP addresses that are allowed to transfer the DNS zone information.

By default there will be "Any" and "None."

FQDN Record
FQDN Record table Displays a summary of all DNS RR for the zone, including generated and manually configured RR.

A/AAAA Record

Hostname

The hostname part of the FQDN, such as www.

Note: You can specify the @ symbol to denote the zone root. The value substituted for @ is the preceding $ORIGIN directive.

Type

  • IPv4
  • IPv6

Weight

Assigns relative preference among members—higher values are more preferred and are assigned connections more frequently.

The default is 1. The valid range is 1-255.

Address

Specify the IP address of the virtual server.

Method

Weighted Round Robin is the only method supported.

CNAME Record

Alias

An alias name to another true or canonical domain name (the target). For instance, www.example.com is an alias for example.com.

Target

The true or canonical domain name. For instance, example.com.

NS Record

Domain Name

The domain for which the name server has authoritative answers, such as example.com.

Note: FortiADC supports third-party domain names.

Hostname

The hostname part of the FQDN, such as ns.

Type

  • IPv4
  • IPv6

Address

Specify the IP address of the name server.

MX Record

Hostname

The hostname part of the FQDN for a mail exchange server, such as mail.

Priority

Preference given to this RR among others at the same owner. Lower values have greater priority.

Type

  • IPv4
  • IPv6

Address

Specify the IP address.

TXT Record

Name

Hostname.

TXT records are name-value pairs that contain human readable information about a host. The most common use for TXT records is to store SPF records.

Text

Comma-separated list of name=value pairs.

An example SPF record has the following form:

v=spf1 +mx a:colo.example.com/28 -all

If you complete the entry from the the Web UI, do not put the string in quotes. (If you complete the entry from the CLI, you do put the string in quotes.)

SRV Record

Host Name

The host name part of the FQDN, e.g., www.

Priority

A priority assigned to the target host: the lower the value, the higher the priority.

Weight

A relative weight assigned to a record among records of the same priority: the greater the value, the more weight it carries.

Port

The TCP or UDP port on which the service is provided.

Target Name

The canonical name of the machine providing the service.

PTR Record

PTR address

A PTR address, such as 10.168.192.in-addr.arpa. or 1

FQDN

A fully qualified domain name, such as "www.example.com".

CAA Record

Hostname

The hostname of CAA record

Value

Specify the value

Flag

Range 0-255. Default is 0.

Tag

Issue/Issuewild/lodef

Configuring DNS zones

The DNS zone configuration is the key to the global load balancing solution. This configuration contains the key DNS server settings, including:

  • Domain name and name server details.
  • Type—Whether the server is the master or a forwarder.
  • DNSSEC—Whether to use DNSSEC.
  • DNS RR records—The zone configuration contains resource records (RR) used to resolve DNS queries delegated to the domain by the parent zone.

You can specify different DNS server settings for each zone you create. For example, the DNS server can be a master for one zone and a forwarder for another zone.

Before you begin:

  • You must have a good understanding of DNS and knowledge of the DNS deployment in your network.
  • You must have authority to create authoritative DNS zone records for your network.
  • You must have Read-Write permission for Global Load Balance settings.

After you have configured a DNS zone, you can select it in the DNS policy configuration.

To configure the DNS zone:
  1. Go to Global Load Balance > Zone Tools.
  2. Click the Zone tab.
  3. Click Create New to display the configuration editor.
  4. Complete the configuration as described in DNS zone configuration.

DNS zone configuration

Settings Guidelines

Name

Configuration name. Valid characters are A-Z, a-z, 0-9, _, and -. No spaces. You reference the name in the global DNS policy configuration.

Note:

  • FortiADC supports third-party domain names.
  • After you initially save the configuration, you cannot edit the name.

Type

  • Master—The configuration contains the “master” copy of data for the zone and is the authoritative server for it.
  • Forward—The configuration allows you to apply DNS forwarding on a per-domain basis, overriding the forwarding settings in the “general” configuration.
  • FQDN Generate—The zone and its resource record is generated from the global load balancing framework.

Domain Name

The domain name must end with a period. For example: example.com.

DNS policy

Select the DNS policy you want the zone to use.

Forward Options

Forward

  • First—The DNS server queries the forwarder before doing its own DNS lookup.
  • Only—Only query the forwarder. Do not perform a DNS lookup.
  • Note: The internal server caches the results it learns from the forwarders, which optimizes subsequent lookups.

Forwarders

Select a remote server configuration object.

Master Options

TTL

The $TTL directive at the top of the zone file (before the SOA) gives a default TTL for every RR without a specific TTL set.

The default is 86,400. The valid range is 0 to 2,147,483,647.

Negative TTL The last field in the SOA—the negative caching TTL. This informs other servers how long to cache no-such-domain (NXDOMAIN) responses from you. The default is 3600 seconds. The valid range is 0 to 2,147,483,647.

Responsible Mail

Username of the person responsible for this zone, such as hostmaster.example.com..

Note: Format is mailbox-name.domain.com. (remember the trailing dot). The format uses a dot, not the @ sign used in email addresses because @ has other uses in the zone file. Email, however, is sent to hostmaster@example.com.

Primary Server Name

Sets the server name in the SOA record.

Primary Server Address

The IP address of the primary server.

DNSSEC

Enable/Disable DNSSEC

Only when a DNS policy has been set, and DNESSC is enabled, will the Back Up DSSET Key, Regenerate DNSSEC KEY and Restore DNSSEC Key appear.

Back Up DSSET Key includes the following types of keys: 

  • KSK. Type characters for a string key. To regenerate the KSK, disable and re-enable DNSSEC.
  • ZSK. Type characters for a string key. To regenerate the ZSK, disable and re-enable DNSSEC.
  • DSSET. It is generated by the system if DNSSEC is enabled for the zone.

Restore DNSSEC Key should be a tar type file.

 

DSSET List

Select a DSSET configuration object. See Configuring the DSSET list.

Serial

Set the serial number of the zone. Default 10004. Range 1-4294967295.

Notify Status

Enable/Disable notify status. The IP in "also notify IP list" will be notified only when Notify Status is enabled.

Also Notify IP List

Set a list of IP addresses that will be notified if Notify Status is enabled.

Allow Transfer

Defines a list of IP addresses that are allowed to transfer the DNS zone information.

By default there will be "Any" and "None."

FQDN Record
FQDN Record table Displays a summary of all DNS RR for the zone, including generated and manually configured RR.

A/AAAA Record

Hostname

The hostname part of the FQDN, such as www.

Note: You can specify the @ symbol to denote the zone root. The value substituted for @ is the preceding $ORIGIN directive.

Type

  • IPv4
  • IPv6

Weight

Assigns relative preference among members—higher values are more preferred and are assigned connections more frequently.

The default is 1. The valid range is 1-255.

Address

Specify the IP address of the virtual server.

Method

Weighted Round Robin is the only method supported.

CNAME Record

Alias

An alias name to another true or canonical domain name (the target). For instance, www.example.com is an alias for example.com.

Target

The true or canonical domain name. For instance, example.com.

NS Record

Domain Name

The domain for which the name server has authoritative answers, such as example.com.

Note: FortiADC supports third-party domain names.

Hostname

The hostname part of the FQDN, such as ns.

Type

  • IPv4
  • IPv6

Address

Specify the IP address of the name server.

MX Record

Hostname

The hostname part of the FQDN for a mail exchange server, such as mail.

Priority

Preference given to this RR among others at the same owner. Lower values have greater priority.

Type

  • IPv4
  • IPv6

Address

Specify the IP address.

TXT Record

Name

Hostname.

TXT records are name-value pairs that contain human readable information about a host. The most common use for TXT records is to store SPF records.

Text

Comma-separated list of name=value pairs.

An example SPF record has the following form:

v=spf1 +mx a:colo.example.com/28 -all

If you complete the entry from the the Web UI, do not put the string in quotes. (If you complete the entry from the CLI, you do put the string in quotes.)

SRV Record

Host Name

The host name part of the FQDN, e.g., www.

Priority

A priority assigned to the target host: the lower the value, the higher the priority.

Weight

A relative weight assigned to a record among records of the same priority: the greater the value, the more weight it carries.

Port

The TCP or UDP port on which the service is provided.

Target Name

The canonical name of the machine providing the service.

PTR Record

PTR address

A PTR address, such as 10.168.192.in-addr.arpa. or 1

FQDN

A fully qualified domain name, such as "www.example.com".

CAA Record

Hostname

The hostname of CAA record

Value

Specify the value

Flag

Range 0-255. Default is 0.

Tag

Issue/Issuewild/lodef