Fortinet Document Library

CLI Reference

system dns

Use this command to configure the IP addresses of the primary and secondary DNS servers that the FortiMail unit will query to resolve domain names into IP addresses.

Starting from the 5.0.2 release, you can also configure up to three other DNS servers that are used only for the MX record queries of protected domains (and their domain associations). This is useful if the protected domains’ MX or A records resolve differently on internal DNS servers. This feature applies only in gateway mode and transparent mode, and only when you select MX record as the relay type in the domain settings. Note that if you configure DNS servers for a protected domain (such as example.com), FortiMail also uses the same DNS servers for all queries of the form anysub.example.com, so that the recursive queries for the returned MX record (mx.example.com) or other records are directed to the same server.
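
The following is an added example, not Fortinet code: it models the server-selection rule described above (protected domain and any subdomain go to the protected-domain servers when that feature is enabled and at least one address is set; everything else goes to primary/secondary, with 0.0.0.0 treated as "unset"). The addresses and the protected-domain list are constructed for illustration.

```python
# Constructed sample configuration mirroring the 'config system dns' keys
# (assumption: the addresses are illustrative, not from any real unit).
UNSET = "0.0.0.0"   # the documented default, meaning "no server configured"

CONFIG = {
    "primary": "192.0.2.53",
    "secondary": UNSET,
    "protected-domain-dns-state": "enable",
    "protected-domain-dns-servers": ["10.0.0.53", "10.0.0.54", UNSET],
}
PROTECTED_DOMAINS = {"example.com"}   # constructed list of protected domains


def is_protected_name(name, protected=PROTECTED_DOMAINS):
    """True for a protected domain itself or any name under it
    (anysub.example.com), so that recursive lookups for a returned
    MX host such as mx.example.com go to the same servers."""
    name = name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in protected)


def servers_for_query(name, cfg=CONFIG, protected=PROTECTED_DOMAINS):
    """Return the list of servers a query for `name` would be sent to.
    Protected-domain servers are used only when the feature is enabled,
    the name belongs to a protected domain, and at least one of the
    (up to three) addresses is set; otherwise fall back to primary/secondary."""
    if cfg["protected-domain-dns-state"] == "enable" and is_protected_name(name, protected):
        chosen = [s for s in cfg["protected-domain-dns-servers"][:3] if s != UNSET]
        if chosen:
            return chosen
    return [s for s in (cfg["primary"], cfg["secondary"]) if s != UNSET]
```

A practical check: a lookup for a name that merely ends in the same string (notexample.com) must not be routed to the internal servers, which is why the match requires a leading dot.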

Syntax

config system dns
    set cache {enable | disable}
    set cache-min-ttl <time-in-seconds>
    set primary <ipv4_address>
    set ptr-query-option {enable | disable | public-ip-only}
    set protected-domain-dns-servers <ipv4_address>
    set protected-domain-dns-state {enable | disable}
    set secondary <dns_ipv4>
    set truncate-handling {disable | tcp-retry}
end

Variable | Description | Default

cache {enable | disable}
    Enable to cache DNS query results to improve performance. Disable the DNS cache to free memory if you are low on memory.
    Default: enable

cache-min-ttl <time-in-seconds>
    Use this command to override the TTL of cached DNS records when the TTL of the records is very short. The configured value only takes effect if it is longer than the original TTL.
    For example, if you set it to 30 seconds while the original TTL is 10 seconds, the actual record TTL becomes 30 seconds. If you set it to 30 seconds while the original TTL is 60 seconds, the actual record TTL remains 60 seconds.
    Default: 300

primary <ipv4_address>
    Enter the IP address of the primary DNS server.
    Default: 0.0.0.0

ptr-query-option {enable | disable | public-ip-only}
    Enable to perform reverse DNS (PTR) lookups on both private network IP addresses and public IP addresses.
    However, PTR queries may cause delays when the DNS server does not respond. In this situation, you may choose to disable the querying.
    In some cases, the DNS server may not have PTR records for your private network’s IP addresses. Missing records for those IP addresses can increase DNS query time. In this situation, you can choose to query public IP addresses only.
    Default: public-ip-only

protected-domain-dns-servers <ipv4_address>
    Enter the IP addresses of the DNS servers that you want to use to resolve the protected domain names (including their subdomains). You can enter up to 3 addresses/DNS servers.
    Default: 0.0.0.0

protected-domain-dns-state {enable | disable}
    Enable or disable the protected domain DNS servers.
    Default: disable

secondary <dns_ipv4>
    Enter the IP address of the secondary DNS server.
    Default: 0.0.0.0

truncate-handling {disable | tcp-retry}
    Specify how to handle truncated UDP replies to DNS queries: select either disable (no retry) or tcp-retry (retry the query over TCP).
    Default: tcp-retry
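
The following is an added example, not Fortinet code: it shows the per-query decisions the three behavioural settings in the table describe, with the same defaults. It checks the TC bit of a UDP reply to decide whether truncate-handling triggers a TCP retry, applies the cache-min-ttl floor, and decides whether ptr-query-option permits a reverse lookup for a given address. The sample DNS headers are constructed inline.

```python
import ipaddress
import struct

TC_BIT = 0x0200   # TC flag: bit 9 of the DNS header flags word (RFC 1035, 4.1.1)


def build_dns_header(txid, flags, qd=1, an=0, ns=0, ar=0):
    """Pack a 12-byte DNS header; used here only to build sample replies."""
    return struct.pack("!HHHHHH", txid, flags, qd, an, ns, ar)


def is_truncated(reply):
    """True when the server set TC, i.e. the UDP reply was cut short."""
    if len(reply) < 12:
        raise ValueError("short DNS message")
    (flags,) = struct.unpack("!H", reply[2:4])
    return bool(flags & TC_BIT)


def udp_reply_action(reply, truncate_handling="tcp-retry"):
    """truncate-handling: tcp-retry resends the query over TCP when the
    reply is truncated; disable accepts the truncated reply as-is."""
    if truncate_handling not in ("disable", "tcp-retry"):
        raise ValueError("unknown truncate-handling value")
    if truncate_handling == "tcp-retry" and is_truncated(reply):
        return "retry-over-tcp"
    return "use-udp-reply"


def effective_ttl(record_ttl, cache_min_ttl=300):
    """cache-min-ttl only raises a shorter TTL; a longer original TTL is kept."""
    return max(record_ttl, cache_min_ttl)


def should_query_ptr(ip, ptr_query_option="public-ip-only"):
    """ptr-query-option: enable = reverse-look-up every address, disable =
    never, public-ip-only = skip private and other non-global addresses."""
    if ptr_query_option == "disable":
        return False
    if ptr_query_option == "enable":
        return True
    if ptr_query_option != "public-ip-only":
        raise ValueError("unknown ptr-query-option value")
    return ipaddress.ip_address(ip).is_global


# Constructed sample replies: standard response flags 0x8180 (QR, RD, RA),
# one of them with TC set as a resolver would see for an oversized answer.
FULL_REPLY = build_dns_header(0x1234, 0x8180, an=1)
TRUNCATED_REPLY = build_dns_header(0x1234, 0x8180 | TC_BIT, an=1)
```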

Related topics

system ddns
