You can configure and use FortiGate as a DNS server in your network. When you enable DNS Service on a specific interface, FortiGate will listen for DNS Service on that interface.
Depending on the configuration, DNS Service on FortiGate can work in three modes: Recursive, Non-Recursive, or Forward to System DNS (server). For details on how to configure DNS Service on FortiGate, see the FortiGate System Configuration Guide.
You can apply a DNS Filter profile to Recursive Mode and Forward to System DNS Mode. This is the same as FortiGate working as a transparent DNS Proxy for DNS relay traffic.
- Go to Network > DNS Servers.
- In the DNS Service on Interface, click Create New and select an Interface.
The Recursive and Non-Recursive Mode is available only after you configure the DNS database.
config system dns-server edit "port10" <<<==== Enable DNS Serive on Interface set mode forward-only set dnsfilter-profile "demo" <<<==== apply DNS Filter Profile for the service next end
In this example, FortiGate port 10 is enabled as a DNS Service with the DNS Filter profile "demo". Suppose port 10 has an IP address 10.1.100.5 and DNS Filter profile "demo" is set to block category 52 (Information Technology), then from your internal network PC, use a command line tool such as dig or nslookup to do a DNS query. For example:
# dig @10.1.100.5 www.fortinet.com <<<====Specify FortiGate interface address as DNS Server ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 52809 ;; Flags: qr rd; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 0 ;; QUESTION SECTION: ;; www.fortinet.com. IN A ;; ANSWER SECTION: www.fortinet.com. 60 IN A 220.127.116.11 <<<==== DNS Filter profile will filter the relay DNS traffic based on profile configuration. It blocked with redirect portal IP ;; Received 50 B ;; Time 2019-04-08 14:36:34 PDT ;; From 10.1.100.5@53(UDP) in 13.6 ms