
Administration Guide

FortiGate DNS server

You can create local DNS servers for your network. Depending on your requirements, you can either manually maintain your entries (primary DNS server), or use it to refer to an outside source (secondary DNS server).

A local, primary DNS server requires that you manually add all URL and IP address combinations. Using a primary DNS server for local services can minimize inbound and outbound traffic, and access time. Making it authoritative is not recommended, because IP addresses can change, and maintaining the list can become labor intensive.

A secondary DNS server refers to an alternate source to obtain URL and IP address combinations. This is useful when there is a primary DNS server where the entry list is maintained.

FortiGate as a DNS server also supports TLS and HTTPS connections to a DNS client. See DNS over TLS and HTTPS for details.

DNS over QUIC (DoQ) and DNS over HTTP3 (DoH3) are supported in proxy mode inspection for transparent and local-in explicit modes. See DNS over QUIC and DNS over HTTP3 for transparent and local-in DNS modes for details.

See Basic DNS server configuration example for a sample configuration.

By default, DNS server options are not available in the FortiGate GUI.

To enable DNS server options in the GUI:
  1. Go to System > Feature Visibility.

  2. Enable DNS Database in the Additional Features section.

  3. Click Apply.

To configure the FortiGate as a DNS server in the GUI:
  1. Go to Network > DNS Servers.

  2. Enable DNS services on an interface:

    1. In the DNS Service on Interface table, click Create New.

    2. Configure the following:

      Interface

      Select the interface to enable DNS service on.

      Mode

      Set the DNS server mode:

      • Recursive: The system first checks for the requested record in the shadow DNS database. If the record is not found locally, the query is then forwarded to the system’s DNS server for further lookup. This mode ensures a comprehensive search for the requested record, utilizing both local and system DNS resources.

      • Non-Recursive: Search is restricted to the Public DNS database only. If the requested record is not found, the query will not be forwarded to the system’s DNS server. This mode is useful when you need to limit queries strictly to local resources.

      • Forward to System DNS: The local DNS database is bypassed and all queries are forwarded directly to the system’s DNS server. This is beneficial when you need to rely solely on system-level DNS resources for resolving queries.

      DNS Filter

      Apply a DNS filter profile to DNS server. This option is not available when Mode is Non-Recursive. See Applying DNS filter to FortiGate DNS server for more information.

      DNS over HTTPS

      Enable DNS over HTTPS (DoH). DoH is a method of performing DNS resolution over a secure HTTPS connection. See DNS over TLS and HTTPS for more information.

    3. Click OK.

  3. Build the DNS database:

    1. In the DNS Database table, click Create New.

    2. Configure the following:

      Type

      Select the zone type:

      • Primary: The primary DNS zone, to manage entries directly.

      • Secondary: The secondary DNS zone, to import entries from other DNS zones. The purpose of a secondary DNS zone is to provide redundancy and load balancing. If the primary DNS server fails, the secondary DNS server can continue to resolve queries for the domain.

      View

      Select the zone view:

      • Shadow: This type of DNS zone is designed for both internal and external clients, allowing them to resolve DNS queries with the recursive DNS server on FortiGate. It creates a shadow of your public DNS records within your private network.

      • Public: This type of DNS zone is intended to serve external clients only, allowing them to resolve DNS queries with the non-recursive DNS server on FortiGate. It contains records that map the domain names of your publicly accessible services to their respective IP addresses. These records are propagated across the internet, allowing anyone in the world to find and connect to your services.

      • Proxy: This special type of shadow DNS zone is specifically designed for explicit proxy. It allows the explicit proxy to perform DNS lookups using a local database, providing faster and more efficient resolution of domain names. Internal users can experience improved performance and reduced latency when accessing websites and online services through the explicit proxy.

      DNS Zone

      The name of the DNS zone.

      Domain Name

      The domain name.

      Hostname of Primary DNS

      The domain name of the default DNS server for this zone. This option is only available when Type is Primary.

      IP of Primary

      The IP address of the primary DNS server. This option is only available when Type is Secondary.

      Contact Email Address

      The email address of the administrator for this zone. You can specify only the username, such as admin, or the full email address, such as admin@test.com. When using only a username, the domain of the email is the zone. This option is only available when Type is Primary.

      TTL

      The default time-to-live value for the entries of this DNS zone. This option is only available when Type is Primary.

      Authoritative

      Enabling Authoritative makes this server the primary and sole source of information for this specific DNS zone. It prevents the FortiGate from seeking DNS records further upstream. Enabling authoritative is not recommended.

      DNS Forwarder

    3. Add DNS entries:

      1. In the DNS Entries table, click Create New.

      2. Configure the following:

        Type

        The resource record type. The availability of the subsequent settings varies depending on the selected type.

        • Address (A): This is the host type. It maps a hostname to an IPv4 address in the DNS system, allowing a browser or other client to access a server using its domain name.
        • Name Server (NS): This is the name server type. It indicates which DNS server is authoritative for that domain.
        • Canonical Name (CNAME): This is the canonical name type. It’s used to alias one name to another.
        • Mail Exchange (MX): This is the mail exchange type. It routes email to a specified mail server based on the information in the record.
        • IPv6 Address (AAAA): This is the IPv6 host type. Similar to the A record, but it maps a hostname to an IPv6 address.
        • IPv4 Pointer (PTR): This is the pointer type for IPv4. It provides a mapping of the IP address to a hostname, essentially the reverse of what an A record does.
        • IPv6 Pointer (PTR): This is the pointer type for IPv6. It functions similarly to the IPv4 PTR record, but for IPv6 addresses.

        TTL

        The time-to-live for this entry.

      3. Click OK.

    4. Click OK.

To configure the FortiGate as a DNS server in the CLI:
  1. Configure DNS servers:

    config system dns-server
        edit <name>
            set dnsfilter-profile {string}
            set doh {enable | disable}
            set mode {recursive | non-recursive | forward-only}
        next
    end
    

    See config system dns-server in the CLI reference for a comprehensive list of commands.

  2. Configure DNS database:

    config system dns-database
        edit <name>
            set authoritative {enable | disable}
            set contact {string}
            set domain {string}
            set forwarder {user}
            set primary-name {string}
            set ttl {integer}
            set type {primary | secondary}
            set view {shadow | public | shadow-ztna | proxy}
            config dns-entry
                edit <id>
                    set status {enable | disable}
                    set type {A | NS | CNAME | MX | AAAA | PTR | PTR_V6}
                    set ttl {integer}
                    set ip {ipv4-address-any}
                    set ipv6 {ipv6-address}
                    set hostname {string}
                    set canonical-name {string}
                next
            end
        next
    end

    See config system dns-database in the CLI reference for a comprehensive list of commands.
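The following script is an added example, not Fortinet code and not from this guide. It models a primary zone and its entries using the same keys as the `config system dns-database` block above, checks each entry before it is pushed (IPv4/IPv6 syntax, a CNAME that aliases itself, the `authoritative` flag the page advises against), and renders the result as FortiOS CLI text. Which `dns-entry` settings each record type requires (for example that an A record needs `ip` and `hostname`, a PTR_V6 record `ipv6` and `hostname`) is this example's assumption inferred from the GUI entry-type list and the CLI keys on the page; confirm it against the CLI reference. The sample zone `corp.example` and its addresses are constructed.

```python
"""Validate a FortiGate DNS database zone and render it as FortiOS CLI.

Added example, not Fortinet's code. The per-type field requirements in
REQUIRED are this example's assumptions, inferred from the keys under
'config dns-entry' on the page; check them against the CLI reference.
"""
import ipaddress
from dataclasses import dataclass, field

# Assumption: which dns-entry settings each record type must carry.
REQUIRED = {
    "A": ("hostname", "ip"),
    "AAAA": ("hostname", "ipv6"),
    "CNAME": ("hostname", "canonical-name"),
    "MX": ("hostname",),
    "NS": ("hostname",),
    "PTR": ("ip", "hostname"),
    "PTR_V6": ("ipv6", "hostname"),
}
# Zone views listed on the page for 'set view'.
VIEWS = {"shadow", "public", "shadow-ztna", "proxy"}


@dataclass
class Entry:
    """One record under 'config dns-entry'; settings holds the CLI keys."""
    type: str
    settings: dict
    ttl: int = 0  # 0 means inherit the zone TTL (not emitted)

    def problems(self) -> list:
        out = []
        if self.type not in REQUIRED:
            return [f"unknown record type {self.type!r}"]
        for key in REQUIRED[self.type]:
            if key not in self.settings:
                out.append(f"{self.type} entry missing {key}")
        # Reject malformed addresses before they reach the device.
        for key, cls in (("ip", ipaddress.IPv4Address), ("ipv6", ipaddress.IPv6Address)):
            if key in self.settings:
                try:
                    cls(self.settings[key])
                except ValueError:
                    out.append(f"{self.type} entry has invalid {key} {self.settings[key]!r}")
        if self.type == "CNAME" and self.settings.get("canonical-name") == self.settings.get("hostname"):
            out.append("CNAME aliases itself")
        if self.ttl < 0:
            out.append("negative ttl")
        return out


@dataclass
class Zone:
    """A primary zone under 'config system dns-database'."""
    name: str
    domain: str
    primary_name: str
    contact: str = "admin"
    view: str = "shadow"
    ttl: int = 86400
    authoritative: bool = False  # the guide recommends leaving this disabled
    entries: list = field(default_factory=list)

    def problems(self) -> list:
        out = []
        if self.view not in VIEWS:
            out.append(f"unknown view {self.view!r}")
        if self.authoritative:
            out.append("authoritative enabled: FortiGate will not look upstream for this zone")
        for i, e in enumerate(self.entries, 1):
            out.extend(f"entry {i}: {p}" for p in e.problems())
        return out

    def render(self) -> str:
        """Emit the zone in the FortiOS CLI layout shown on the page."""
        lines = ["config system dns-database",
                 f'    edit "{self.name}"',
                 f'        set domain "{self.domain}"',
                 "        set type primary",
                 f"        set view {self.view}",
                 f'        set primary-name "{self.primary_name}"',
                 f'        set contact "{self.contact}"',
                 f"        set ttl {self.ttl}",
                 f"        set authoritative {'enable' if self.authoritative else 'disable'}",
                 "        config dns-entry"]
        for i, e in enumerate(self.entries, 1):
            lines += [f"            edit {i}", f"                set type {e.type}"]
            if e.ttl:
                lines.append(f"                set ttl {e.ttl}")
            for key, val in e.settings.items():
                lines.append(f"                set {key} {val}")
            lines.append("            next")
        lines += ["        end", "    next", "end"]
        return "\n".join(lines)


# Constructed sample zone (not from the page): a shadow copy of an internal
# domain carrying A, AAAA, CNAME and PTR records.
EXAMPLE = Zone(
    name="corp-shadow", domain="corp.example", primary_name="ns1.corp.example",
    entries=[
        Entry("A", {"hostname": "ns1", "ip": "10.0.0.53"}),
        Entry("AAAA", {"hostname": "ns1", "ipv6": "fd00::53"}),
        Entry("CNAME", {"hostname": "intranet", "canonical-name": "web1.corp.example"}, ttl=300),
        Entry("A", {"hostname": "web1", "ip": "10.0.0.80"}),
        Entry("PTR", {"ip": "10.0.0.80", "hostname": "web1.corp.example"}),
    ],
)

if __name__ == "__main__":
    issues = EXAMPLE.problems()
    print("\n".join(issues) or EXAMPLE.render())
```

Run it as-is to print the CLI for the sample zone; any validation problem is printed instead of the config, so a broken entry never reaches the device. Keeping `authoritative` as a reported problem rather than a hard error mirrors the guide's wording: it is allowed, but the operator should see explicitly that upstream lookups for the zone will stop.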
