
CLI Reference

config global-dns-server policy

Use this command to configure a rulebase that matches traffic to DNS zones.

Traffic that matches both source and destination criteria is served by the policy. Traffic that does not match any policy is served by the DNS “general settings” configuration.

Before you begin:
  • You must have a good understanding of DNS and knowledge of the DNS deployment in your network.
  • You must have configured address objects, remote servers, DNS zones, and optional configuration objects you want to specify in your policy.
  • You must have read-write permission for global load balancing settings.

Syntax

config global-dns-server policy
  edit <name>
    set destination-address <datasource>
    set dns64-list {<datasource> ...}
    set dnssec-validate-status {enable|disable}
    set forward {first | only}
    set forwarders <datasource>
    set recursion-status {enable|disable}
    set response-rate-limit <datasource>
    set source-address <datasource>
    set zone-list {<datasource> ...}
  next
end

destination-address

Address object to specify the destination match criteria.

dns64-list

Specify one or more DNS64 configurations to use when resolving IPv6 requests.

dnssec-validate-status

Enable/disable DNSSEC validation.

forward

DNS forwarding functionality requires recursion-status to be enabled.

Select from the following DNS forwarding options:

  • first—The DNS server queries the forwarder before doing its own DNS lookup.
  • only—Only queries the forwarder. Does not perform its own DNS lookups.

forwarders

If the DNS server zone has been configured as a forwarder, specify the remote DNS servers to which it forwards requests.

recursion-status

Enable/disable recursion. If enabled, the DNS server attempts to do all the work required to answer the query. If not enabled, the server returns a referral response when it does not already know the answer.

Note: DNS forwarding functionality requires recursion-status to be enabled.

response-rate-limit

Specify a rate limit configuration object.

source-address

Address object to specify the source match criteria.

zone-list

Specify one or more zone configurations to serve DNS requests from matching traffic.

Example

FortiADC-VM (policy) # edit lan_policy
Add new entry 'lan_policy' for node 2236
FortiADC-VM (lan_policy) # get
source-address :
destination-address :
zone-list :
dns64-list :
recursion-status : enable
dnssec-status : disable
dnssec-validate-status: disable
forward : first
forwarders :
response-rate-limit :
FortiADC-VM (lan_policy) # set source-address campus
FortiADC-VM (lan_policy) # set destination-address any
FortiADC-VM (lan_policy) # set zone-list lan-zone
FortiADC-VM (lan_policy) # next

FortiADC-VM (policy) # edit wan_policy
Add new entry 'wan_policy' for node 2236
FortiADC-VM (wan_policy) # set source-address branch
FortiADC-VM (wan_policy) # set destination-address any
FortiADC-VM (wan_policy) # set zone-list wan-zone
FortiADC-VM (wan_policy) # end

FortiADC-VM # get global-dns-server policy lan_policy
source-address : campus
destination-address : any
zone-list : lan-zone
dns64-list :
recursion-status : enable
dnssec-status : disable
dnssec-validate-status: disable
forward : first
forwarders :
response-rate-limit :

FortiADC-VM # get global-dns-server policy wan_policy
source-address : branch
destination-address : any
zone-list : wan-zone
dns64-list :
recursion-status : enable
dnssec-status : disable
dnssec-validate-status: disable
forward : first
forwarders :
response-rate-limit :
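To make the matching and forwarding rules above concrete, here is an added Python model of the rulebase (example code, not Fortinet's implementation): address objects are assumed to resolve to CIDR prefixes, a query is served by the first policy whose source and destination both match (first-match ordering is an assumption), and a lint pass flags a policy that configures forwarders while recursion-status is disabled, which the reference says cannot work.

```python
import ipaddress

# Constructed address objects (name -> CIDR prefixes); "any" matches all traffic.
ADDRESS_OBJECTS = {
    "any": ["0.0.0.0/0", "::/0"],
    "campus": ["10.10.0.0/16"],
    "branch": ["192.168.50.0/24"],
}

# Constructed policies mirroring lan_policy / wan_policy from the example above.
POLICIES = [
    {"name": "lan_policy", "source-address": "campus", "destination-address": "any",
     "zone-list": ["lan-zone"], "recursion-status": "enable",
     "forward": "first", "forwarders": ""},
    {"name": "wan_policy", "source-address": "branch", "destination-address": "any",
     "zone-list": ["wan-zone"], "recursion-status": "enable",
     "forward": "first", "forwarders": ""},
]

# Constructed policy that breaks the rule stated for forward/recursion-status.
BAD_POLICY = {"name": "bad_policy", "source-address": "any", "destination-address": "any",
              "zone-list": [], "recursion-status": "disable",
              "forward": "only", "forwarders": "upstream-dns"}

def address_matches(obj_name, ip):
    """True if the IP falls inside any prefix of the named address object."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in ADDRESS_OBJECTS[obj_name])

def select_policy(policies, src_ip, dst_ip):
    """Return the name of the policy serving a query, or None when no policy
    matches and the DNS general settings apply. Both source and destination
    must match; first-match ordering is an assumption of this example."""
    for p in policies:
        if address_matches(p["source-address"], src_ip) and \
           address_matches(p["destination-address"], dst_ip):
            return p["name"]
    return None

def lint_policy(p):
    """Flag configurations the page says cannot work (forwarding without
    recursion) plus one added sanity check (forward=only with no forwarder)."""
    issues = []
    if p["forwarders"] and p["recursion-status"] != "enable":
        issues.append("forwarders set but recursion-status is disable")
    if p["forward"] == "only" and not p["forwarders"]:
        issues.append("forward is only but no forwarders configured")
    return issues
```

Run lint_policy over every entry after editing the rulebase; a query whose source is outside both campus and branch falls through to the general settings, which is the fallback the reference describes.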
