Fortinet Document Library

CLI Reference, version 6.0.6
firewall dnstranslation

Use this command to add, edit or delete a DNS translation entry. If DNS translation is configured, the FortiGate unit rewrites the payload of outbound DNS query replies from internal DNS servers, replacing the resolved names’ internal network IP addresses with external network IP address equivalents, such as a virtual IP address on a FortiGate unit’s external network interface. This allows external network hosts to use an internal network DNS server for domain name resolution of hosts located on the internal network.

config firewall dnstranslation
    edit {id}
    # Configure DNS translation.
        set id {integer}   ID. range[0-4294967295]
        set src {ipv4 address}   IPv4 address or subnet on the internal network to compare with the resolved address in DNS query replies. If the resolved address matches, the resolved address is substituted with dst.
        set dst {ipv4 address}   IPv4 address or subnet on the external network to substitute for the resolved address in DNS query replies. Can be single IP address or subnet on the external network, but number of addresses must equal number of mapped IP addresses in src.
        set netmask {ipv4 netmask}   If src and dst are subnets rather than single IP addresses, enter the netmask for both src and dst.
    next
end
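To make the substitution rule concrete, the following added Python model (not Fortinet code, and not taken from this reference) applies the semantics described above to the A records of a constructed DNS reply: an entry's src, dst and netmask are treated as two equally sized networks, a resolved address that falls inside src is replaced by the dst address at the same host offset, and anything outside src is left untouched. The entry list, the reply representation and the "first matching entry wins" ordering are assumptions made for the example.

```python
import ipaddress

# Default mask for entries that name a single IP rather than a subnet (assumption).
HOST_MASK = "255.255.255.255"


def translate_address(resolved, src, dst, netmask=HOST_MASK):
    """Return the dst-side equivalent of `resolved` if it lies inside src/netmask,
    otherwise None. A shared netmask guarantees src and dst cover the same number
    of addresses, which is what the reference requires of a valid entry."""
    src_net = ipaddress.ip_network(f"{src}/{netmask}", strict=False)
    dst_net = ipaddress.ip_network(f"{dst}/{netmask}", strict=False)
    addr = ipaddress.ip_address(resolved)
    if addr not in src_net:
        return None
    # Keep the host part, swap the network part: 10.0.0.5 -> 203.0.113.5 for a /24.
    offset = int(addr) - int(src_net.network_address)
    return str(ipaddress.ip_address(int(dst_net.network_address) + offset))


def rewrite_reply(answers, entries):
    """Rewrite the A records of a reply (list of (name, rtype, rdata) tuples)
    using the first dnstranslation entry whose src matches. Non-A records and
    unmatched addresses pass through unchanged."""
    rewritten = []
    for name, rtype, rdata in answers:
        if rtype == "A":
            for entry in entries:
                mapped = translate_address(
                    rdata, entry["src"], entry["dst"], entry.get("netmask", HOST_MASK)
                )
                if mapped is not None:
                    rdata = mapped
                    break
        rewritten.append((name, rtype, rdata))
    return rewritten


# Constructed entries mirroring two `config firewall dnstranslation` edits:
# id 1 maps an internal /24 to an external /24, id 2 maps a single host to a VIP.
ENTRIES = [
    {"id": 1, "src": "10.0.0.0", "dst": "203.0.113.0", "netmask": "255.255.255.0"},
    {"id": 2, "src": "192.168.5.20", "dst": "198.51.100.20"},
]

# Constructed reply from an internal DNS server (documentation-range addresses only).
SAMPLE_REPLY = [
    ("www.example.internal", "A", "10.0.0.5"),
    ("mail.example.internal", "A", "192.168.5.20"),
    ("db.example.internal", "A", "172.16.9.1"),      # no entry matches; unchanged
    ("www.example.internal", "AAAA", "2001:db8::5"),  # not IPv4; unchanged
]


def demo():
    return rewrite_reply(SAMPLE_REPLY, ENTRIES)


if __name__ == "__main__":
    for record in demo():
        print(record)
```

Running the block prints the reply an external host would see: 10.0.0.5 becomes 203.0.113.5 and 192.168.5.20 becomes 198.51.100.20, while the 172.16.9.1 and AAAA records are untouched. The model also shows why the reference asks for one netmask covering both src and dst: the substitution is a network-prefix swap, so both sides must span the same number of host addresses for every resolved address to have exactly one external equivalent.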

Additional information

The following section is for those options that require additional explanation.
