CLI Reference

config system dns

Configure DNS.

config system dns
    Description: Configure DNS.
    set cache-notfound-responses [disable|enable]
    set dns-cache-limit {integer}
    set dns-cache-ttl {integer}
    set dns-over-tls [disable|enable|...]
    set domain <domain1>, <domain2>, ...
    set interface {string}
    set interface-select-method [auto|sdwan|...]
    set ip6-primary {ipv6-address}
    set ip6-secondary {ipv6-address}
    set primary {ipv4-address}
    set retry {integer}
    set secondary {ipv4-address}
    set server-hostname <hostname1>, <hostname2>, ...
    set source-ip {ipv4-address}
    set ssl-certificate {string}
    set timeout {integer}
end

config system dns

Each parameter is listed with its description, type, size (range or maximum length) and default value as given in the reference table, followed by the accepted options where the type is option.

cache-notfound-responses
    Description: Enable/disable caching of NOTFOUND (NXDOMAIN) answers returned by the DNS server, so that repeated lookups of a name that does not exist are answered from the cache instead of being re-sent to the server.
    Type: option    Size: -    Default: disable
    Options:
        disable    Do not cache NOTFOUND responses from the DNS server.
        enable     Cache NOTFOUND responses from the DNS server.

dns-cache-limit
    Description: Maximum number of records in the DNS cache.
    Type: integer    Size: minimum 0, maximum 4294967295    Default: 5000

dns-cache-ttl
    Description: Duration in seconds that the DNS cache retains a record.
    Type: integer    Size: minimum 60, maximum 86400    Default: 1800

dns-over-tls
    Description: Enable/disable/enforce DNS over TLS. Only enforce guarantees that no query is sent in cleartext.
    Type: option    Size: -    Default: disable
    Options:
        disable    Disable DNS over TLS; queries are sent as cleartext DNS.
        enable     Use TLS for DNS queries when the server supports it; falls back to cleartext DNS when TLS is unavailable.
        enforce    Use only TLS for DNS queries. Does not fall back to cleartext DNS if TLS is unavailable, so resolution fails instead of downgrading.

domain <domain>
    Description: Search suffix list for hostname lookup. DNS search domain list separated by spaces (maximum 8 domains).
    Type: string    Size: maximum length 127

interface
    Description: Specify the outgoing interface used to reach the DNS server. Applies when interface-select-method is set to specify.
    Type: string    Size: maximum length 15

interface-select-method
    Description: Specify how the outgoing interface used to reach the DNS server is selected.
    Type: option    Size: -    Default: auto
    Options:
        auto       Select the outgoing interface automatically.
        sdwan      Select the outgoing interface by SD-WAN or policy routing rules.
        specify    Use the interface set manually with the interface parameter.

ip6-primary
    Description: Primary DNS server IPv6 address.
    Type: ipv6-address    Size: not specified    Default: ::

ip6-secondary
    Description: Secondary DNS server IPv6 address.
    Type: ipv6-address    Size: not specified    Default: ::

primary
    Description: Primary DNS server IPv4 address.
    Type: ipv4-address    Size: not specified    Default: 0.0.0.0

retry
    Description: Number of times a DNS query that receives no answer within the timeout is retried.
    Type: integer    Size: minimum 0, maximum 5    Default: 2

secondary
    Description: Secondary DNS server IPv4 address.
    Type: ipv4-address    Size: not specified    Default: 0.0.0.0

server-hostname <hostname>
    Description: DNS server host name list, separated by spaces (maximum 4 host names).
    Type: string    Size: maximum length 127

source-ip
    Description: Source IPv4 address the FortiGate uses for the queries it sends to the DNS servers.
    Type: ipv4-address    Size: not specified    Default: 0.0.0.0

ssl-certificate
    Description: Name of the local certificate used for SSL/TLS connections (DNS over TLS).
    Type: string    Size: maximum length 35    Default: Fortinet_Factory

timeout
    Description: DNS query timeout interval in seconds.
    Type: integer    Size: minimum 1, maximum 10    Default: 5
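The parameters above make up the firewall's entire DNS client policy, and the one that matters most for security is the dns-over-tls mode, since enable still downgrades to cleartext. As an added example, not taken from the Fortinet reference or from FortiOS itself, the Python script below parses two constructed config system dns fragments (a weak one that leaves DNS over TLS opportunistic and a timeout out of range, and a hardened one) using the set <parameter> <value...> grammar of the syntax summary, overlays the documented defaults, and audits the result against the ranges, list limits and option semantics in the table. The server addresses (RFC 5737 documentation ranges), the host name dns.example.net, the interface name port1, the function names, and the rule that server-hostname must be set whenever DNS over TLS is on are this example's assumptions, not statements made by the page.

```python
"""Parse and audit FortiOS `config system dns` fragments (added example, not Fortinet code)."""
import shlex

# Two constructed CLI fragments (not captured from a real device).
# WEAK_CONFIG keeps DNS over TLS opportunistic, pins no server name and
# sets a timeout outside the documented 1..10 range.
WEAK_CONFIG = """\
config system dns
    set primary 192.0.2.53
    set secondary 192.0.2.54
    set dns-over-tls enable
    set timeout 30
end
"""

# HARDENED_CONFIG is the variant this example's policy accepts: TLS enforced,
# expected server name pinned, egress interface and source address fixed.
HARDENED_CONFIG = """\
config system dns
    set primary 192.0.2.53
    set secondary 192.0.2.54
    set dns-over-tls enforce
    set server-hostname "dns.example.net"
    set interface-select-method specify
    set interface "port1"
    set source-ip 198.51.100.10
    set dns-cache-ttl 300
    set timeout 5
    set retry 2
end
"""

# Defaults, integer ranges and list limits exactly as the reference table states them.
DEFAULTS = {
    "cache-notfound-responses": "disable", "dns-cache-limit": "5000",
    "dns-cache-ttl": "1800", "dns-over-tls": "disable",
    "interface-select-method": "auto", "ip6-primary": "::", "ip6-secondary": "::",
    "primary": "0.0.0.0", "retry": "2", "secondary": "0.0.0.0",
    "source-ip": "0.0.0.0", "ssl-certificate": "Fortinet_Factory", "timeout": "5",
}
RANGES = {"dns-cache-limit": (0, 4294967295), "dns-cache-ttl": (60, 86400),
          "retry": (0, 5), "timeout": (1, 10)}
LIST_LIMITS = {"domain": 8, "server-hostname": 4}


def parse_system_dns(text: str) -> dict:
    """Return {parameter: [values]} for the `set` lines of one `config system dns ... end` block.

    Values are split with shlex so FortiOS-style double-quoted tokens and the
    space-separated lists of `domain` / `server-hostname` come out as lists.
    """
    settings: dict = {}
    inside = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "config system dns":
            inside = True
            continue
        if not inside:
            continue
        if line == "end":
            break
        tokens = shlex.split(line)
        if tokens[0] == "set" and len(tokens) >= 3:
            settings[tokens[1]] = tokens[2:]
        elif tokens[0] == "unset" and len(tokens) == 2:
            settings.pop(tokens[1], None)
        else:
            raise ValueError(f"unrecognised line in system dns block: {line!r}")
    if not inside:
        raise ValueError("no `config system dns` block found")
    return settings


def effective_settings(settings: dict) -> dict:
    """Overlay explicit settings on the documented defaults (defaults are single-valued)."""
    cfg = {key: [value] for key, value in DEFAULTS.items()}
    cfg.update(settings)
    return cfg


def audit_system_dns(text: str) -> list:
    """Return a list of findings; an empty list means the fragment passes this policy."""
    cfg = effective_settings(parse_system_dns(text))
    findings = []

    mode = cfg["dns-over-tls"][0]
    if mode == "disable":
        findings.append("dns-over-tls is disable: queries leave the firewall in cleartext")
    elif mode == "enable":
        findings.append("dns-over-tls is enable: opportunistic TLS falls back to cleartext; use enforce")
    if mode != "disable" and "server-hostname" not in cfg:
        # Policy assumption of this example: pin the expected server name whenever TLS is on.
        findings.append("dns-over-tls is on but server-hostname is unset; no name to match the server certificate against")

    if cfg["primary"][0] == "0.0.0.0" and cfg["ip6-primary"][0] == "::":
        findings.append("no primary DNS server configured")
    if cfg["interface-select-method"][0] == "specify" and "interface" not in cfg:
        findings.append("interface-select-method is specify but interface is unset")

    for key, (low, high) in RANGES.items():           # integer bounds from the table
        value = cfg[key][0]
        if not value.isdigit() or not low <= int(value) <= high:
            findings.append(f"{key}={value} is outside the documented range {low}..{high}")
    for key, limit in LIST_LIMITS.items():            # list-length limits from the table
        if key in cfg and len(cfg[key]) > limit:
            findings.append(f"{key} has {len(cfg[key])} entries; maximum is {limit}")
    return findings


if __name__ == "__main__":
    for name, fragment in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_system_dns(fragment) or ['OK']}")
```

Run against the hardened fragment the audit returns no findings; against the weak one it reports the opportunistic TLS mode, the missing server-hostname and the out-of-range timeout. The range and list checks only catch what the CLI would itself reject at commit time, so their value is in pre-deployment review of templates; the dns-over-tls and server-hostname rules catch configurations the CLI accepts but that a practitioner would not want.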
