Fortinet black logo

Administration Guide

DNS translation

DNS translation

This setting allows you to translate a DNS resolved IP address to another IP address you specify on a per-policy basis.

For example, website A has a public address of 1.2.3.4. However, when your internal network users visit this website, you want them to connect to the internal host 192.168.3.4. You can use DNS translation to translate the DNS resolved address 1.2.3.4 to 192.168.3.4. Reverse use of DNS translation is also applicable. For example, if you want a public DNS query of your internal server to get a public IP address, then you can translate a DNS resolved private IP to a public IP address.

A DNS filter profile can be applied in a policy to scan DNS traffic traversing the FortiGate (see Configuring a DNS filter profile), or applied on the DNS server interface (see Applying DNS filter to FortiGate DNS server).

Sample configuration

This configuration forces the DNS filter profile to translate 93.184.216.34 (www.example.com) to 192.168.3.4. When internal network users perform a DNS query for www.example.com, they do not get the original www.example.com IP address of 93.184.216.34. Instead, it is replaced with 192.168.3.4.

To configure DNS translation in the GUI:
  1. Go to Security Profiles > DNS Filter and click Create New, or edit an existing profile.
  2. In the Static Domain Filter section, enable DNS Translation.
  3. Click Create New. The New DNS Translation pane opens.
  4. Enter the Original Destination (the domain's original IP address), the Translated Destination IP address, and the Network Mask.

  5. Click OK. The entry appears in the table.

  6. Configure the other settings as needed.
  7. Click OK.
To configure DNS translation in the CLI:
config dnsfilter profile
    edit "demo"
        set comment ''
        ...
        config dns-translation 
            edit 1
                set src 93.184.216.34
                set dst 192.168.3.4
                set netmask 255.255.255.255
            next
        end
        set redirect-portal 0.0.0.0
        set redirect-portal6 ::
        set youtube-restrict strict
    next
end
To check DNS translation using a command line tool before DNS translation:
# dig www.example.com
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 27030
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 2; ADDITIONAL: 0

;; QUESTION SECTION:
;; www.example.com.             IN      A

;; ANSWER SECTION:
www.example.com.        33946   IN      A       93.184.216.34

;; AUTHORITY SECTION:
example.com.            18578   IN      NS      b.iana-servers.net.
example.com.            18578   IN      NS      a.iana-servers.net.

;; Received 97 B
;; Time 2019-04-08 10:47:26 PDT
;; From 172.16.95.16@53(UDP) in 0.5 ms
To check DNS translation using a command line tool after DNS translation:
# dig www.example.com
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 62060
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 2; ADDITIONAL: 0

;; QUESTION SECTION:
;; www.example.com.             IN      A

;; ANSWER SECTION:
www.example.com.        32491   IN      A       192.168.3.4

;; AUTHORITY SECTION:
example.com.            17123   IN      NS      b.iana-servers.net.
example.com.            17123   IN      NS      a.iana-servers.net.

;; Received 97 B
;; Time 2019-04-08 11:11:41 PDT
;; From 172.16.95.16@53(UDP) in 0.5 ms

DNS translation network mask

The following is an example of DNS translation that uses a network mask:

To configure DNS translation in the CLI:
config dns-translation
        edit 1
           set src 93.184.216.34
           set dst 1.2.3.4
           set netmask 255.255.224.0
        next
    end
To check DNS translation using a command line tool after DNS translation:
# dig www.example.com
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 6736
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 2; ADDITIONAL: 0

;; QUESTION SECTION:
;; www.example.com.             IN      A

;; ANSWER SECTION:
www.example.com.        29322   IN      A       1.2.24.34

;; AUTHORITY SECTION:
example.com.            13954   IN      NS      a.iana-servers.net.
example.com.            13954   IN      NS      b.iana-servers.net.

;; Received 97 B
;; Time 2019-04-08 12:04:30 PDT
;; From 172.16.95.16@53(UDP) in 2.0 ms

The binary arithmetic to convert 93.184.216.34 to 1.2.3.4 with the subnet mask is as follows:

  1. AND src(Original IP) with negative netmask (93.184.216.34 & ~255.255.224.0):

    01011101.10111000.11011000.00100010 93.184.216.34
    00000000.00000000.00011111.11111111 ~255.255.224.0
    -------------------------------------------------------- & 
    00000000.00000000.00011000.00100010 0.0.24.34
  2. AND dst(Translated IP) with netmask:

    00000001.00000010.00000011.00000100 1.2.3.4
    11111111.11111111.11100000.00000000 255.255.224.0
    -------------------------------------------------------- &
    00000001.00000010.00000000.00000000 1.2.0.0
  3. Final step 2 bitwise-OR 3:

    00000000.00000000.00011000.00100010 0.0.24.34
    00000001.00000010.00000000.00000000 1.2.0.0
    -------------------------------------------------------- |
    00000001.00000010.00011000.00100010 1.2.24.34

DNS translation

This setting allows you to translate a DNS resolved IP address to another IP address you specify on a per-policy basis.

For example, website A has a public address of 1.2.3.4. However, when your internal network users visit this website, you want them to connect to the internal host 192.168.3.4. You can use DNS translation to translate the DNS resolved address 1.2.3.4 to 192.168.3.4. Reverse use of DNS translation is also applicable. For example, if you want a public DNS query of your internal server to get a public IP address, then you can translate a DNS resolved private IP to a public IP address.

A DNS filter profile can be applied in a policy to scan DNS traffic traversing the FortiGate (see Configuring a DNS filter profile), or applied on the DNS server interface (see Applying DNS filter to FortiGate DNS server).

Sample configuration

This configuration forces the DNS filter profile to translate 93.184.216.34 (www.example.com) to 192.168.3.4. When internal network users perform a DNS query for www.example.com, they do not get the original www.example.com IP address of 93.184.216.34. Instead, it is replaced with 192.168.3.4.

To configure DNS translation in the GUI:
  1. Go to Security Profiles > DNS Filter and click Create New, or edit an existing profile.
  2. In the Static Domain Filter section, enable DNS Translation.
  3. Click Create New. The New DNS Translation pane opens.
  4. Enter the Original Destination (the domain's original IP address), the Translated Destination IP address, and the Network Mask.

  5. Click OK. The entry appears in the table.

  6. Configure the other settings as needed.
  7. Click OK.
To configure DNS translation in the CLI:
config dnsfilter profile
    edit "demo"
        set comment ''
        ...
        config dns-translation 
            edit 1
                set src 93.184.216.34
                set dst 192.168.3.4
                set netmask 255.255.255.255
            next
        end
        set redirect-portal 0.0.0.0
        set redirect-portal6 ::
        set youtube-restrict strict
    next
end
To check DNS translation using a command line tool before DNS translation:
# dig www.example.com
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 27030
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 2; ADDITIONAL: 0

;; QUESTION SECTION:
;; www.example.com.             IN      A

;; ANSWER SECTION:
www.example.com.        33946   IN      A       93.184.216.34

;; AUTHORITY SECTION:
example.com.            18578   IN      NS      b.iana-servers.net.
example.com.            18578   IN      NS      a.iana-servers.net.

;; Received 97 B
;; Time 2019-04-08 10:47:26 PDT
;; From 172.16.95.16@53(UDP) in 0.5 ms
To check DNS translation using a command line tool after DNS translation:
# dig www.example.com
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 62060
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 2; ADDITIONAL: 0

;; QUESTION SECTION:
;; www.example.com.             IN      A

;; ANSWER SECTION:
www.example.com.        32491   IN      A       192.168.3.4

;; AUTHORITY SECTION:
example.com.            17123   IN      NS      b.iana-servers.net.
example.com.            17123   IN      NS      a.iana-servers.net.

;; Received 97 B
;; Time 2019-04-08 11:11:41 PDT
;; From 172.16.95.16@53(UDP) in 0.5 ms

DNS translation network mask

The following is an example of DNS translation that uses a network mask:

To configure DNS translation in the CLI:
config dns-translation
        edit 1
           set src 93.184.216.34
           set dst 1.2.3.4
           set netmask 255.255.224.0
        next
    end
To check DNS translation using a command line tool after DNS translation:
# dig www.example.com
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 6736
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 2; ADDITIONAL: 0

;; QUESTION SECTION:
;; www.example.com.             IN      A

;; ANSWER SECTION:
www.example.com.        29322   IN      A       1.2.24.34

;; AUTHORITY SECTION:
example.com.            13954   IN      NS      a.iana-servers.net.
example.com.            13954   IN      NS      b.iana-servers.net.

;; Received 97 B
;; Time 2019-04-08 12:04:30 PDT
;; From 172.16.95.16@53(UDP) in 2.0 ms

The binary arithmetic to convert 93.184.216.34 to 1.2.3.4 with the subnet mask is as follows:

  1. AND src(Original IP) with negative netmask (93.184.216.34 & ~255.255.224.0):

    01011101.10111000.11011000.00100010 93.184.216.34
    00000000.00000000.00011111.11111111 ~255.255.224.0
    -------------------------------------------------------- & 
    00000000.00000000.00011000.00100010 0.0.24.34
  2. AND dst(Translated IP) with netmask:

    00000001.00000010.00000011.00000100 1.2.3.4
    11111111.11111111.11100000.00000000 255.255.224.0
    -------------------------------------------------------- &
    00000001.00000010.00000000.00000000 1.2.0.0
  3. Final step 2 bitwise-OR 3:

    00000000.00000000.00011000.00100010 0.0.24.34
    00000001.00000010.00000000.00000000 1.2.0.0
    -------------------------------------------------------- |
    00000001.00000010.00011000.00100010 1.2.24.34