config global-dns-server general
Use this command to configure basic behavior for the DNS server.
The general settings configuration specifies the interfaces that listen for DNS requests. By default, the system listens on the IPv4 and IPv6 addresses of all configured interfaces for DNS requests.
The other settings in the general settings configuration are applied when traffic does not match a Global DNS policy.
From general settings, you can also enable DNS over HTTP/HTTPS (DoH) and DNS over TLS (DoT) to encrypt the DNS query.
Before you begin:
- You must have a good understanding of DNS and knowledge of the DNS deployment in your network.
- You must have read-write permission for global load balancing settings.
- If enabling DNS over HTTPS/TLS, you must have prepared a dedicated DNS server domain and a certificate pair for your DNS over HTTPS/TLS service. For details, see the FortiADC Handbook topic on Configuring DNS over HTTPS and DNS over TLSConfiguring DNS over HTTPS and DNS over TLS
Syntax
config global-dns-server general
set dnssec-validate-status {enable|disable}
set forward {first|only}
set forwarders <datasource>
set gds-status {enable|disable}
set minimal-responses {enable|disable}
set ipv4-accessed-status {enable|disable}
set ipv6-accessed-status {enable|disable}
set listen-on-all-interface {enable|disable}
set listen-on-interface <datasource>
set dns-over-https {enable|disable}
set dns-over-https-port <integer>
set dns-over-https-listen-on-interface <datasource>
set dns-over-http {enable|disable}
set dns-over-http-port <integer>
set dns-over-http-listen-on-interface <datasource>
set dns-over-tls {enable|disable}
set dns-over-tls-port <integer>
set dns-over-tls-listen-on-interface <datasource>
set certificate <datasource>
set recursion-status {enable|disable}
set response-rate-limit <datasource>
set traffic-log {enable|disable}
set use-system-dns-server {enable|disable}
end
dnssec-validate-status |
Enable/disable DNSSEC validation. |
forward |
DNS forwarding functionality requires recursion-status to be enabled. Select from the following DNS forwarding options:
|
forwarders |
If the DNS server zone has been configured as a forwarder, specify the remote DNS server to which it forwards requests. |
gds-status |
Enable/disable the DNS server configuration. |
minimal-responses |
Enables/disables Minimal Responses to hide the Authority Section and Additional Section of DNS queries. |
ipv4-accessed-status |
Enable/disable listening for DNS requests on the interface IPv4 address. |
ipv6-accessed-status |
Enable/disable listening for DNS requests on the interface IPv6 address. |
listen-on-all-interface |
Enable listening on all interfaces. |
listen-on-interface |
The listen-on-interface option is available if listen-on-all-interface is disabled. If you do not listen on all interfaces, select one or more ports to listen on. |
dns-over-https |
Enable/disable DNS over HTTPS to encrypt DNS queries using the HTTPS protocol. |
dns-over-https-port |
The dns-over-https-port option is available if dns-over-https is enabled. Specify the port to listen on DNS over HTTPS. Default: 443 Range: 1-65535. |
dns-over-https-listen-on-interface |
The dns-over-https-listen-on-interface option is available if dns-over-https is enabled. Specify the interface(s) to listen on for DNS over HTTPS. |
dns-over-http |
Enable/disable DNS over HTTP to encrypt DNS queries using the HTTP protocol. |
dns-over-http-port |
The dns-over-http-port option is available if dns-over-http is enabled. Specify the port to listen on DNS over HTTP. Default: 80 Range: 1-65535. |
dns-over-http-listen-on-interface |
The dns-over-http-listen-on-interface option is available if dns-over-http is enabled. Specify the interface(s) to listen on for DNS over HTTP. |
dns-over-tls |
Enable/disable DNS over TLS to encrypt DNS queries using the TLS protocol. |
dns-over-tls-port |
The dns-over-tls-port option is available if dns-over-tls is enabled. Specify the port to listen on DNS over TLS. Default: 853 Range: 1-65535. |
dns-over-tls-listen-on-interface |
The dns-over-tls-listen-on-interface option is available if dns-over-tls is enabled. Specify the interface(s) to listen on for DNS queries for DNS over TLS. |
certificate |
The certificate option is available if dns-over-https or dns-over-tls is enabled. Specify the certificate object to apply for DNS over HTTPS or DNS over TLS. This certificate must refer to the DNS server domain or IP address. For details, see the FortiADC Handbook topic on Configuring DNS over HTTPS and DNS over TLSConfiguring DNS over HTTPS and DNS over TLS |
recursion-status |
Enable/disable recursion. If enabled, the DNS server attempts to do all the work required to answer the query. If not enabled, the server returns a referral response when it does not already know the answer. Note: DNS forwarding functionality requires recursion-status to be enabled |
response-rate-limit |
Specify a rate limit configuration object. |
traffic-log |
Enable/disable logging. |
use-system-dns-server |
Forward DNS requests to the system DNS server instead of the forwarder. |
Example
FortiADC-VM # config global-dns-server general
FortiADC-VM (general) # get
gds-status : disable
minimal-responses : disable
recursion-status : enable
dnssec-status : disable
dnssec-validate-status : disable
ipv6-accessed-status : enable
ipv4-accessed-status : enable
traffic-log : disable
listen-on-all-interface : enable
forward : first
use-system-dns-server : enable
response-rate-limit :
dns-over-https : enable
dns-over-https-port : 443
dns-over-https-listen-on-interface : port2 port3
dns-over-http : enable
dns-over-http-port : 80
dns-over-http-listen-on-interface : port2 port3
dns-over-tls : enable
dns-over-tls-port : 853
dns-over-tls-listen-on-interface : port2 port3
certificate : dns_fortiadc-qa_com
FortiADC-VM (general) # set gds-status enable
FortiADC-VM (general) # end