CLI Reference

config system dns

Configure DNS.

config system dns
    Description: Configure DNS.
    set alt-primary {ipv4-address}
    set alt-secondary {ipv4-address}
    set cache-notfound-responses [disable|enable]
    set dns-cache-limit {integer}
    set dns-cache-ttl {integer}
    set domain <domain1>, <domain2>, ...
    set fqdn-cache-ttl {integer}
    set fqdn-min-refresh {integer}
    set interface {string}
    set interface-select-method [auto|sdwan|...]
    set ip6-primary {ipv6-address}
    set ip6-secondary {ipv6-address}
    set log [disable|error|...]
    set primary {ipv4-address}
    set protocol {option1}, {option2}, ...
    set retry {integer}
    set secondary {ipv4-address}
    set server-hostname <hostname1>, <hostname2>, ...
    set server-select-method [least-rtt|failover]
    set source-ip {ipv4-address}
    set ssl-certificate {string}
    set timeout {integer}
end

config system dns

alt-primary
    Description: Alternate primary DNS server. This is not used as a failover DNS server.
    Type: ipv4-address
    Size: Not Specified
    Default: 0.0.0.0

alt-secondary
    Description: Alternate secondary DNS server. This is not used as a failover DNS server.
    Type: ipv4-address
    Size: Not Specified
    Default: 0.0.0.0

cache-notfound-responses
    Description: Enable/disable caching of NOTFOUND responses from the DNS server (used when a record is not in the cache).
    Type: option
    Size: -
    Default: disable
    Options:
        disable: Disable caching of NOTFOUND responses from the DNS server.
        enable: Enable caching of NOTFOUND responses from the DNS server.

dns-cache-limit
    Description: Maximum number of records in the DNS cache.
    Type: integer
    Size: Minimum value: 0 Maximum value: 4294967295
    Default: 5000

dns-cache-ttl
    Description: Duration in seconds that the DNS cache retains information.
    Type: integer
    Size: Minimum value: 60 Maximum value: 86400
    Default: 1800

domain <domain>
    Description: Search suffix list for hostname lookup. DNS search domain list separated by space (maximum 8 domains).
    Type: string
    Size: Maximum length: 127

fqdn-cache-ttl
    Description: FQDN cache time to live in seconds.
    Type: integer
    Size: Minimum value: 0 Maximum value: 86400
    Default: 0

fqdn-min-refresh
    Description: FQDN cache minimum refresh time in seconds.
    Type: integer
    Size: Minimum value: 10 Maximum value: 3600
    Default: 60

interface
    Description: Specify the outgoing interface used to reach the server.
    Type: string
    Size: Maximum length: 15

interface-select-method
    Description: Specify how the outgoing interface used to reach the server is selected.
    Type: option
    Size: -
    Default: auto
    Options:
        auto: Set outgoing interface automatically.
        sdwan: Set outgoing interface by SD-WAN or policy routing rules.
        specify: Set outgoing interface manually.

ip6-primary
    Description: Primary DNS server IPv6 address.
    Type: ipv6-address
    Size: Not Specified
    Default: ::

ip6-secondary
    Description: Secondary DNS server IPv6 address.
    Type: ipv6-address
    Size: Not Specified
    Default: ::

log
    Description: Local DNS log setting.
    Type: option
    Size: -
    Default: disable
    Options:
        disable: Disable local DNS logging.
        error: Enable local DNS error log.
        all: Enable local DNS log.

primary
    Description: Primary DNS server IP address.
    Type: ipv4-address
    Size: Not Specified
    Default: 0.0.0.0

protocol
    Description: DNS transport protocols.
    Type: option
    Size: -
    Default: cleartext
    Options:
        cleartext: DNS over UDP/53, DNS over TCP/53.
        dot: DNS over TLS/853.
        doh: DNS over HTTPS/443.

retry
    Description: Number of times to retry a DNS query.
    Type: integer
    Size: Minimum value: 0 Maximum value: 5
    Default: 2

secondary
    Description: Secondary DNS server IP address.
    Type: ipv4-address
    Size: Not Specified
    Default: 0.0.0.0

server-hostname <hostname>
    Description: DNS server host name list separated by space (maximum 4 host names).
    Type: string
    Size: Maximum length: 127

server-select-method
    Description: Specify how configured servers are prioritized.
    Type: option
    Size: -
    Default: least-rtt
    Options:
        least-rtt: Select servers based on least round trip time.
        failover: Select servers based on the order they are configured.

source-ip
    Description: IP address used by the DNS server as its source IP.
    Type: ipv4-address
    Size: Not Specified
    Default: 0.0.0.0

ssl-certificate
    Description: Name of the local certificate used for SSL connections.
    Type: string
    Size: Maximum length: 35
    Default: Fortinet_Factory

timeout
    Description: DNS query timeout interval in seconds.
    Type: integer
    Size: Minimum value: 1 Maximum value: 10
    Default: 5
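As an added check, not part of the Fortinet reference: a small Python linter that parses a config system dns fragment before it is pushed and reports values outside the documented limits, plus settings a defender would want changed (cleartext transport, DoT/DoH without a server-hostname, local logging disabled). The sample fragments, the 192.0.2.x addresses and dns.example.test are constructed; the certificate-validation role of server-hostname is an assumption taken from FortiOS DoT/DoH documentation, not something this page states.

```python
import shlex
# Limits from the Size column and defaults from the Default column of the reference above.
INT_RANGES = {"dns-cache-limit": (0, 4294967295), "dns-cache-ttl": (60, 86400),
              "fqdn-cache-ttl": (0, 86400), "fqdn-min-refresh": (10, 3600),
              "retry": (0, 5), "timeout": (1, 10)}
LIST_LIMITS = {"domain": 8, "server-hostname": 4}

def parse_system_dns(text):
    """Collect the 'set <name> <values...>' lines inside a 'config system dns' block."""
    settings, inside = {}, False
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "config system dns":
            inside = True
        elif inside and line == "end":
            break
        elif inside and line.startswith("set "):
            name, *values = shlex.split(line[4:])  # shlex drops the CLI's double quotes
            settings[name] = values
    return settings

def lint_system_dns(settings):
    """Return findings: values outside the documented limits, plus settings worth hardening."""
    findings = []
    for name, (lo, hi) in INT_RANGES.items():
        if name in settings and not lo <= int(settings[name][0]) <= hi:
            findings.append(f"{name}={settings[name][0]} outside range {lo}-{hi}")
    for name, limit in LIST_LIMITS.items():
        if len(settings.get(name, [])) > limit:
            findings.append(f"{name}: {len(settings[name])} entries exceeds maximum {limit}")
    protocols = set(settings.get("protocol", ["cleartext"]))  # page default: cleartext
    if "cleartext" in protocols:
        findings.append("protocol includes cleartext: queries on UDP/TCP 53 are unencrypted")
    # Assumption (FortiOS DoT/DoH docs, not this page): server-hostname is matched against the resolver's certificate.
    if protocols & {"dot", "doh"} and not settings.get("server-hostname"):
        findings.append("dot/doh enabled without server-hostname for certificate validation")
    if settings.get("log", ["disable"]) == ["disable"]:  # page default: disable
        findings.append("log disable: local DNS errors are not logged")
    return findings

# Constructed sample fragments (192.0.2.x and dns.example.test are documentation values).
WEAK_CONFIG = """config system dns
    set primary 192.0.2.53
    set retry 7
end"""
HARDENED_CONFIG = """config system dns
    set primary 192.0.2.53
    set protocol dot
    set server-hostname "dns.example.test"
    set log error
end"""
```

Run lint_system_dns(parse_system_dns(cfg)) on each fragment: the weak one yields three findings, the hardened one none.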