CLI Reference

config global-dns-server zone

Use this command to configure DNS zone and resource records.

The DNS zone configuration is the key to the global load balancing solution. This configuration contains the key DNS server settings, including:

  • Domain name and name server details.
  • Type—Whether the server is the primary or a forwarder.
  • DNSSEC—Whether to use DNSSEC and the DNSSEC algorithm/key size.
  • DNS resource records—The zone configuration contains the resource records (RRs) used to answer DNS queries delegated to the domain by the parent zone.

You can specify different DNS server settings for each zone you create. For example, the DNS server can be a primary for one zone and a forwarder for another zone.

Before you begin:
  • You must have a good understanding of DNS and knowledge of the DNS deployment in your network.
  • You must have authority to create authoritative DNS zone records for your network.
  • You must have read-write permission for global load balancing settings.

After you have configured a DNS zone, you can select it in the DNS policy configuration.

Syntax

config global-dns-server zone
  edit <name>
    set type {forward|fqdn-generate|primary}
    set domain-name <string>
    set negative-ttl <integer>
    set primary-server-ip <class_ip>
    set primary-server-ip6 <class_ip>
    set primary-server-name <string>
    set responsible-mail <string>
    set ttl <integer>
    set forward-host {enable|disable}
    set forward {first|only}
    set forwarders <datasource>
    set dnssec-status {enable|disable}
    set dnssec-algorithm {ECDSAP256SHA256|ECDSAP384SHA384|NSEC3RSASHA1|RSASHA1|RSASHA256|RSASHA512}
    set dnssec-keysize {1024|2048|4096}
    set dsset-info <string>
    set dssetinfo-filename <string>
    set dsset-info-list <datasource>
    set KSK <string>
    set KSK-Filename <string>
    set ZSK <string>
    set ZSK-Filename <string>
    config a-aaaa-record
      edit <No.>
        set hostname <string>
        set source-type {ipv4|ipv6}
        set ip <class_ip>
        set ip6 <class_ip>
        set method wrr
        set weight <integer>
      next
    end
    config cname-record
      edit <No.>
        set alias <string>
        set target <string>
      next
    end
    config mx-record
      edit <No.>
        set domain-name <string>
        set hostname <string>
        set type {ipv4|ipv6}
        set ip <class_ip>
        set ip6 <class_ip>
        set priority <integer>
      next
    end
    config ns-record
      edit <No.>
        set domain-name <string>
        set host-name <string>
        set type {ipv4|ipv6}
        set ip <class_ip>
        set ip6 <class_ip>
      next
    end
    config txt-record
      edit <No.>
        set name <string>
        set text <name>=<value>,<name>=<value>
      next
    end
    config srv-record
      edit <No.>
        set hostname <string>
        set target-server <string>
      next
    end
    config ptr-record
      edit <No.>
        set ptr-address <string>
        set fqdn <string>
      next
    end
  next
end

config global-dns-server zone

type

  • forward—The configuration allows you to apply DNS forwarding on a per-domain basis, overriding the forwarding settings in the “general” configuration.
  • fqdn-generate—The configuration has been generated by the global load balancing feature set. You cannot configure this type manually.
  • primary—The configuration contains the “primary” copy of data for the zone and is the authoritative server for it.

domain-name

The domain name must end with a period (the trailing dot of a fully qualified name), for example "example.com." rather than "example.com".

negative-ttl

The last field in the SOA—the negative caching TTL. This informs other servers how long to cache no-such-domain (NXDOMAIN) responses from you. The default is 3600 seconds. The valid range is 0 to 2,147,483,647.

primary-server-ip

IP address of the primary server.

primary-server-ip6

IPv6 address of the primary server.

primary-server-name

Sets the server name in the SOA record.

responsible-mail

Username of the person responsible for this zone, such as root.

ttl

The $TTL directive at the top of the zone file (before the SOA) gives a default TTL for every RR without a specific TTL set.

The default is 86,400. The valid range is 1 to 2,147,483,647.

forward-host

Enable Forward Host to allow DNS queries to be forwarded to remote servers at the zone level. This is disabled by default.

A forwarded DNS query only has to match the zone; no other information, such as the hostname, needs to match.

forward

The forward option is available if forward-host is enabled.

  • first—The DNS server queries the forwarder before performing its own DNS lookup.
  • only—Only query the forwarder. Do not perform a DNS lookup.

forwarders

The forwarders option is available if forward-host is enabled.

Specify a remote server configuration object.

dnssec-status

Enable/disable DNSSEC.

The Domain Name System Security Extensions (DNSSEC) is a feature of the Domain Name System (DNS) that authenticates responses to domain name lookups.

dnssec-algorithm

The dnssec-algorithm option is available if dnssec-status is enabled.

Select the cryptographic algorithm used for DNSSEC signing and validation.

  • ECDSAP256SHA256
  • ECDSAP384SHA384
  • NSEC3RSASHA1
  • RSASHA1
  • RSASHA256
  • RSASHA512

dnssec-keysize

The dnssec-keysize option is available if dnssec-status is enabled.

Select the key size (number of bits) for the selected DNSSEC algorithm.

  • 1024 bits
  • 2048 bits
  • 4096 bits

Note:
Prior to FortiADC 7.4.0, the DNSSEC key size only supported 512 bits, so configurations carried over from previous versions can continue using the 512-bit key. However, we recommend updating to the new 1024/2048/4096 bit keys as the 512-bit key is less secure and is no longer supported in the latest BIND 9 version.

dsset-info

The DS set information for the zone. It is generated by the system if DNSSEC is enabled for the zone.

dssetinfo-filename

The file is generated by the system if DNSSEC is enabled for the zone. The file generated by the zone configuration editor is the one you give to any parent zone or the registrar of your domain.

The convention is dsset-<domain>, for example dsset-example.com.

dsset-info-list

Specify a DSSET info list configuration object.

KSK

Type characters for a string key. The file is generated by the system if DNSSEC is enabled for the zone.

KSK-Filename

The file is generated by the system if DNSSEC is enabled for the zone.

To regenerate the KSK, disable DNSSEC and then re-enable DNSSEC.

ZSK

Type characters for a string key. The file is generated by the system if DNSSEC is enabled for the zone.

ZSK-Filename

The file is generated by the system if DNSSEC is enabled for the zone.

To regenerate the ZSK, disable DNSSEC and then re-enable DNSSEC.

config a-aaaa-record

hostname

The hostname part of the FQDN, such as www.

Note:

  • You can specify the @ symbol to denote the zone root. The value substituted for @ is the preceding $ORIGIN directive.
  • A hostname can contain alphanumeric characters such as a–z, A–Z, and 0–9, but must NOT end with - (hyphen) or . (period).
  • You can also use * (wild card) in a domain name.

source-type

IPv4 or IPv6: whether this entry is an A record (ipv4, uses ip) or an AAAA record (ipv6, uses ip6).

ip

IP address of the virtual server.

ip6

IPv6 address of the virtual server.

method

Weighted Round Robin is the only method supported.

weight

Assigns relative preference among members—higher values are more preferred and are assigned connections more frequently.

The default is 1. The valid range is 1-255.

config cname-record

alias

An alias name to another true or canonical domain name (the target). For instance, www.example.com is an alias for example.com.

target

The true or canonical domain name. For instance, example.com.

config mx-record

hostname

The hostname part of the FQDN for a mail exchange server, such as mail.

type

IPv4 or IPv6

ip

IP address of the mail server.

ip6

IPv6 address of the mail server.

priority

Preference given to this RR among others at the same owner. Lower values have greater priority.

config ns-record

domain-name

The domain for which the name server has authoritative answers, such as example.com.

host-name

The hostname part of the FQDN, such as ns.

type

IPv4 or IPv6

ip

IP address of the name server.

ip6

IPv6 address of the name server.

config txt-record

name

Hostname.

TXT records are name-value pairs that contain human readable information about a host. The most common use for TXT records is to store SPF records.

text

Comma-separated list of name=value pairs.

An example SPF record has the following form:

"v=spf1 +mx a:colo.example.com/28 -all"

If you complete the entry from the CLI, put the string in quotes. (If you complete the entry from the Web UI, you do not put the string in quotes.)

config srv-record

hostname

The hostname for the SRV record.

target-server

The target server name (record).

config ptr-record

PTR Address

A PTR address, such as 10.168.192.in-addr.arpa. or 1.

If you specify only the number, the reverse-lookup domain name takes the form "x.x.x.in-addr.arpa.".

FQDN

A fully qualified domain name, such as "www.example.com".

Example

FortiADC-VM # config global-dns-server zone
FortiADC-VM (zone) # edit wan-zone
Add new entry 'wan-zone' for node 2248
FortiADC-VM (wan-zone) # get
  type : primary
  domain-name :
  dnssec-status : disable
  ttl : 86400
  responsible-mail :
  negative-ttl : 3600
  primary-server-name :
  primary-server-ip : 0.0.0.0
  primary-server-ip6 : ::
FortiADC-VM (wan-zone) # set domain-name www.fortiadc.com.
FortiADC-VM (wan-zone) # set responsible-mail root
FortiADC-VM (wan-zone) # set primary-server-name ns
FortiADC-VM (wan-zone) # set primary-server-ip 202.33.11.107
FortiADC-VM (wan-zone) # config a-aaaa-record
FortiADC-VM (a-aaaa-record) # edit 1
Add new entry '1' for node 2257
FortiADC-VM (1) # set hostname www
FortiADC-VM (1) # get
  hostname : www
  source-type : ipv4
  weight : 1
  ip : 0.0.0.0
  method : wrr
FortiADC-VM (1) # set hostname www
FortiADC-VM (1) # set ip 202.33.11.1
FortiADC-VM (1) # end
FortiADC-VM (wan-zone) # end
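As an added example (not Fortinet's code), the following Python checks a zone definition against the constraints this reference states (trailing period on domain-name, TTL ranges, the supported DNSSEC algorithm and key-size values, hostname and weight rules) and renders it as the config/edit/set/next/end script shown in the syntax block. The dict layout, the ip/ip6 selection by the presence of a colon in the address, and the quoting of the TXT text value for CLI entry are assumptions of this example.

```python
"""Added example, not Fortinet's code: check a zone definition against the
constraints this reference states, then render it as FortiADC CLI commands.
The zone is an assumed plain dict mirroring the syntax block above."""

ALGORITHMS = {"ECDSAP256SHA256", "ECDSAP384SHA384", "NSEC3RSASHA1",
              "RSASHA1", "RSASHA256", "RSASHA512"}
KEYSIZES = {1024, 2048, 4096}      # 512 survives only in pre-7.4.0 configs
INT32_MAX = 2_147_483_647


def check_zone(zone):
    """Return a list of problems; an empty list means the zone is acceptable."""
    problems = []
    if not zone["domain-name"].endswith("."):
        problems.append("domain-name must end with a period")
    if not 0 <= zone.get("negative-ttl", 3600) <= INT32_MAX:
        problems.append("negative-ttl outside 0..2147483647")
    if not 1 <= zone.get("ttl", 86400) <= INT32_MAX:
        problems.append("ttl outside 1..2147483647")
    if zone.get("dnssec-status") == "enable":
        if zone.get("dnssec-algorithm") not in ALGORITHMS:
            problems.append("dnssec-algorithm is not a supported value")
        if zone.get("dnssec-keysize") not in KEYSIZES:
            problems.append("dnssec-keysize must be 1024, 2048 or 4096")
    for rec in zone.get("a-aaaa-record", []):
        host = rec["hostname"]
        # '@' is the zone root and '*' a wildcard; any other hostname must
        # not end in '-' (hyphen) or '.' (period)
        if host != "@" and (not host or host[-1] in "-."):
            problems.append(f"hostname {host!r} is invalid")
        if not 1 <= rec.get("weight", 1) <= 255:
            problems.append(f"weight for {host!r} outside 1..255")
    return problems


def render_cli(zone):
    """Emit the config/edit/set/next/end script for one zone as a string."""
    out = ["config global-dns-server zone", f"  edit {zone['name']}"]
    for key in ("type", "domain-name", "responsible-mail", "primary-server-name",
                "primary-server-ip", "ttl", "negative-ttl", "dnssec-status",
                "dnssec-algorithm", "dnssec-keysize"):
        if key in zone:
            out.append(f"    set {key} {zone[key]}")
    if zone.get("a-aaaa-record"):
        out.append("    config a-aaaa-record")
        for n, rec in enumerate(zone["a-aaaa-record"], 1):
            v6 = ":" in rec["ip"]           # assumed: colon means IPv6 address
            out += [f"      edit {n}", f"        set hostname {rec['hostname']}",
                    f"        set source-type {'ipv6' if v6 else 'ipv4'}",
                    f"        set {'ip6' if v6 else 'ip'} {rec['ip']}",
                    f"        set weight {rec.get('weight', 1)}", "      next"]
        out.append("    end")
    if zone.get("txt-record"):
        out.append("    config txt-record")
        for n, rec in enumerate(zone["txt-record"], 1):
            # From the CLI the text value must be quoted (the Web UI adds none)
            out += [f"      edit {n}", f"        set name {rec['name']}",
                    f'        set text "{rec["text"]}"', "      next"]
        out.append("    end")
    out += ["  next", "end"]
    return "\n".join(out)
```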
