config global-dns-server policy
Use this command to configure a rulebase that matches traffic to DNS zones.
Traffic that matches both source and destination criteria is served by the policy. Traffic that does not match any policy is served by the DNS “general settings” configuration.
Before you begin:
- You must have a good understanding of DNS and knowledge of the DNS deployment in your network.
- You must have configured address objects, remote servers, DNS zones, and optional configuration objects you want to specify in your policy.
- You must have read-write permission for global load balancing settings.
Syntax
config global-dns-server policy
edit <name>
set destination-address <datasource>
set dns64-list {<datasource> ...}
set dnssec-validate-status {enable|disable}
set forward {first | only}
set forwarders <datasource>
set recursion-status {enable|disable}
set response-rate-limit <datasource>
set source-address <datasource>
set zone-list {<datasource> ...}
next
end
destination-address |
Address object to specify the destination match criteria. |
dns64-list |
Specify one or more DNS64 configurations to use when resolving IPv6 requests. |
dnssec-validate-status |
Enable/disable DNSSEC validation. |
forward |
|
forwarders |
If the DNS server zone has been configured as a forwarder, specify the remote DNS servers to which it forwards requests. |
recursion-status |
Enable/disable recursion. If enabled, the DNS server attempts to do all the work required to answer the query. If not enabled, the server returns a referral response when it does not already know the answer. |
response-rate-limit |
Specify a rate limit configuration object. |
source-address |
Address object to specify the source match criteria. |
zone-list |
Specify one or more zone configurations to serve DNS requests from matching traffic. |
Example
FortiADC-VM (policy) # edit lan_policy
Add new entry 'lan_policy' for node 2236
FortiADC-VM (lan_policy) # get
source-address :
destination-address :
zone-list :
dns64-list :
recursion-status : enable
dnssec-status : disable
dnssec-validate-status: disable
forward : first
forwarders :
response-rate-limit :
FortiADC-VM (lan_policy) # set source-address campus
FortiADC-VM (lan_policy) # set destination-address any
FortiADC-VM (lan_policy) # set zone-list lan-zone
FortiADC-VM (lan_policy) # next
FortiADC-VM (policy) # edit wan_policy
Add new entry 'wan_policy' for node 2236
FortiADC-VM (wan_policy) # set source-address branch
FortiADC-VM (wan_policy) # set destination-address any
FortiADC-VM (wan_policy) # set zone-list wan-zone
FortiADC-VM (wan_policy) # end
FortiADC-VM # get global-dns-server policy lan_policy
source-address : campus
destination-address : any
zone-list : lan-zone
dns64-list :
recursion-status : enable
dnssec-status : disable
dnssec-validate-status: disable
forward : first
forwarders :
response-rate-limit :
FortiADC-VM # get global-dns-server policy wan_policy
source-address : branch
destination-address : any
zone-list : wan-zone
dns64-list :
recursion-status : enable
dnssec-status : disable
dnssec-validate-status: disable
forward : first
forwarders :
response-rate-limit :