CLI Reference

system dns

Use this command to configure the DNS servers that the FortiMail system will query.

FortiMail systems require DNS servers for many features such as resolving fully qualified domain names (FQDN) into IP addresses, MX lookups, PTR lookups (reverse-dns-type {ldap-query | regexp | wildcard} and forged-ip-check {any | fail | pass}), FortiGuard connectivity, DKIM sender authentication, and more.

Note

For improved FortiMail performance, use DNS servers on your local network.

Syntax

config system dns
    set primary {<dns1_ipv4> | <dns1_ipv6>}
    set secondary {<dns2_ipv4> | <dns2_ipv6>}
    set protected-domain-dns-state {enable | disable}
    set protected-domain-dns-servers {{<dns_ipv4> | <dns_ipv6>} ...}
    set cache {enable | disable}
    set cache-min-ttl <seconds_int>
    set ptr-query-option {enable | disable | public-ip-only}
    set truncate-handling {disable | tcp-retry}
end

Variables

cache {enable | disable}

Enable to cache DNS query results to improve performance. Disable the DNS cache to free memory if the FortiMail system has high RAM usage.

Default: enable

cache-min-ttl <seconds_int>

Enter the time-to-live (TTL) until expiry of cached DNS records.

Whether the new TTL is applied to existing cache entries depends on how it compares with the existing TTL:

  • New TTL is longer: apply the new TTL to existing cache entries, extending their lifetime.

  • New TTL is shorter: keep the old TTL on existing cache entries. When a record is cached again later, the new TTL applies to the new cache entry.

Default: 300
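The two cases above are easy to get wrong when reasoning about what is actually in the cache after a change, so here is a small model of the documented behaviour. This is an added example, not FortiMail's code: it assumes every entry expires cache-min-ttl seconds after it was cached (the record's own TTL from the DNS answer is ignored), that a longer setting is applied to existing entries as measured from when they were cached, and the record name and address are constructed sample values.

```python
from dataclasses import dataclass, field


@dataclass
class CacheEntry:
    """One cached answer; expiry is measured from the moment it was cached."""
    value: str
    cached_at: float
    ttl: int

    def expires_at(self) -> float:
        return self.cached_at + self.ttl


@dataclass
class DnsCache:
    """Model of the documented cache-min-ttl rules (illustration, not FortiMail code).

    Assumption: an entry lives cache_min_ttl seconds from when it was cached;
    the TTL carried in the DNS answer itself is not considered in this model.
    """
    cache_min_ttl: int = 300                    # the page's default
    entries: dict = field(default_factory=dict)

    def put(self, name: str, value: str, now: float) -> None:
        # A record that is (re)cached always gets the currently configured TTL.
        self.entries[name] = CacheEntry(value, now, self.cache_min_ttl)

    def get(self, name: str, now: float):
        entry = self.entries.get(name)
        if entry is None:
            return None
        if now >= entry.expires_at():
            del self.entries[name]              # expired: evict and report a miss
            return None
        return entry.value

    def set_cache_min_ttl(self, new_ttl: int) -> int:
        """Change the setting; return how many existing entries were extended."""
        old_ttl, self.cache_min_ttl = self.cache_min_ttl, new_ttl
        if new_ttl <= old_ttl:
            # Shorter TTL: existing entries keep their old TTL until they expire
            # and are cached again, only then does the new value apply.
            return 0
        # Longer TTL: existing entries are extended to the new TTL.
        for entry in self.entries.values():
            entry.ttl = new_ttl
        return len(self.entries)


def walkthrough() -> list:
    """Replay both cases from the description; returns the observed lookups."""
    cache = DnsCache()                                   # cache-min-ttl 300
    cache.put("mx.example.com", "192.0.2.25", now=0)     # constructed sample record
    observed = []
    cache.set_cache_min_ttl(600)                         # longer: entry now expires at t=600
    observed.append(cache.get("mx.example.com", now=400))   # hit
    cache.set_cache_min_ttl(60)                          # shorter: entry keeps its 600 s TTL
    observed.append(cache.get("mx.example.com", now=550))   # still a hit
    observed.append(cache.get("mx.example.com", now=600))   # expired, evicted
    cache.put("mx.example.com", "192.0.2.25", now=700)   # re-cached with the 60 s TTL
    observed.append(cache.get("mx.example.com", now=770))   # expired again
    return observed


if __name__ == "__main__":
    print(walkthrough())
```

The practical consequence is the third lookup in the walkthrough: lowering cache-min-ttl does not evict anything, so a record that was cached with the longer TTL (a stale or mis-resolved MX, for instance) stays answerable from cache until its original expiry.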

primary {<dns1_ipv4> | <dns1_ipv6>}

Enter the IP address of the primary DNS server.

This setting is ignored if dns-override-status {enable | disable} is enabled.

Default: 0.0.0.0

protected-domain-dns-servers {{<dns_ipv4> | <dns_ipv6>} ...}

Enter the IP address of a DNS server that you want to use to resolve protected domain and sub-domain names and the MX record (alternative domain). You can enter up to three addresses.

Default: 0.0.0.0

protected-domain-dns-state {enable | disable}

Enable or disable DNS servers that are used specifically for protected domains and their sub-domains. This is useful if the protected domains' MX, A, or AAAA records resolve differently on internal DNS servers.

This setting applies only when operating in gateway mode or transparent mode, and only when relay-type {host | ip-pool | ldap-domain-routing | mx-lookup | mx-lookup-alt-domain} is mx-lookup or mx-lookup-alt-domain.

If you configure DNS servers for a protected domain (such as example.com), FortiMail also uses the same DNS servers for all queries of the form sub.example.com, so that the recursive queries for the returned MX record or other records are directed to the same server.

Default: disable
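The rule for which servers a query goes to (protected-domain servers for the protected domain and its sub-domains, primary/secondary otherwise, and only under the listed mode and relay-type conditions) is shown below as an added example; it is a model written for this page, not FortiMail's code. It assumes a single relay-type for all protected domains, treats the "up to three addresses" limit as a validation error, and uses constructed addresses and domain names. The one detail worth seeing in code is the sub-domain match: it must compare on label boundaries, so that a name like notexample.com is not treated as part of example.com.

```python
from ipaddress import ip_address


def in_domain(name: str, domain: str) -> bool:
    """True for the domain itself and any sub-label of it, matching on label boundaries."""
    name = name.rstrip(".").lower()
    domain = domain.rstrip(".").lower()
    return name == domain or name.endswith("." + domain)


class DnsServerSelector:
    """Model of the documented server-selection rules (illustration, not FortiMail code).

    Assumptions: one relay_type covers every protected domain, and mode is one of
    "gateway", "transparent" or "server".
    """

    MAX_PROTECTED_SERVERS = 3        # the page: "You can enter up to three addresses"
    MX_RELAY_TYPES = ("mx-lookup", "mx-lookup-alt-domain")

    def __init__(self, primary, secondary, protected_domains=(),
                 protected_servers=(), protected_state=False,
                 relay_type="host", mode="gateway"):
        if len(protected_servers) > self.MAX_PROTECTED_SERVERS:
            raise ValueError("at most three protected-domain DNS servers are allowed")
        # Reject anything that is not a literal IPv4/IPv6 address.
        for addr in (primary, secondary, *protected_servers):
            ip_address(addr)
        self.primary = primary
        self.secondary = secondary
        self.protected_domains = tuple(protected_domains)
        self.protected_servers = tuple(protected_servers)
        self.protected_state = protected_state
        self.relay_type = relay_type
        self.mode = mode

    def protected_servers_apply(self, qname: str) -> bool:
        """All conditions from the description must hold for the protected servers to be used."""
        return (self.protected_state
                and self.mode in ("gateway", "transparent")
                and self.relay_type in self.MX_RELAY_TYPES
                and any(in_domain(qname, d) for d in self.protected_domains))

    def servers_for(self, qname: str) -> list:
        """Ordered list of servers a query for qname is sent to."""
        if self.protected_servers_apply(qname):
            return list(self.protected_servers)
        return [self.primary, self.secondary]


def demo():
    """Constructed sample setup: internal resolver for example.com, public ones otherwise."""
    sel = DnsServerSelector(primary="192.0.2.53", secondary="2001:db8::53",
                            protected_domains=["example.com"],
                            protected_servers=["10.0.0.53"],
                            protected_state=True, relay_type="mx-lookup")
    return {q: sel.servers_for(q) for q in
            ("example.com", "mail.example.com", "notexample.com", "example.net")}


if __name__ == "__main__":
    for qname, servers in demo().items():
        print(f"{qname:18s} -> {servers}")
```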

ptr-query-option {enable | disable | public-ip-only}

Enable to perform reverse DNS lookups on both private network IP addresses and public IP addresses.

DNS pointer record (PTR) queries may cause delays when the DNS server does not respond. In this situation, you can disable the query.

Note

In some cases, the DNS server may not have PTR records for your private network's IP addresses. Missing records for those addresses may increase DNS query time. In this situation, you can query public IP addresses only.

Default: public-ip-only

secondary {<dns2_ipv4> | <dns2_ipv6>}

Enter the IP address of the secondary DNS server.

This setting is ignored if dns-override-status {enable | disable} is enabled.

Default: 0.0.0.0

truncate-handling {disable | tcp-retry}

Select how to handle truncated UDP replies to DNS queries, either:

  • disable: do not retry.

  • tcp-retry: retry the query over TCP instead of UDP.

Default: tcp-retry
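What "truncated UDP reply" means on the wire, and what each truncate-handling value does with it, is shown below as an added example (not FortiMail's code). A server that cannot fit the answer in a UDP datagram sets the TC bit in the DNS header; a resolver that does not retry over TCP is left with a partial answer, which for an MX or PTR lookup can mean missing records. The transport functions are injected so the example runs offline against constructed messages; the query ID, names and addresses are sample values.

```python
import struct

DNS_HEADER_LEN = 12
TC_FLAG = 0x0200          # "truncated" bit in the header flags word (RFC 1035 4.1.1)


def is_truncated(reply: bytes) -> bool:
    """True if the server set TC: the UDP reply did not fit and is incomplete."""
    if len(reply) < DNS_HEADER_LEN:
        raise ValueError("reply shorter than a DNS header")
    flags = struct.unpack("!H", reply[2:4])[0]
    return bool(flags & TC_FLAG)


def tcp_frame(message: bytes) -> bytes:
    """DNS over TCP prefixes each message with its 2-byte big-endian length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(message)) + message


def tcp_unframe(data: bytes) -> bytes:
    length = struct.unpack("!H", data[:2])[0]
    return data[2:2 + length]


def resolve(query: bytes, udp_send, tcp_send, truncate_handling: str = "tcp-retry"):
    """Send over UDP, then apply the truncate-handling policy to the reply.

    Returns (reply, transport); transport says how the returned answer arrived.
    """
    if truncate_handling not in ("disable", "tcp-retry"):
        raise ValueError(f"unknown truncate-handling value: {truncate_handling}")
    reply = udp_send(query)
    if not is_truncated(reply):
        return reply, "udp"
    if truncate_handling == "disable":
        # No retry: the caller is handed the partial answer as-is.
        return reply, "udp-truncated"
    return tcp_unframe(tcp_send(tcp_frame(query))), "tcp"


# --- Constructed sample messages (not captured traffic) ----------------------
# Question section: example.com, type A, class IN.
QUESTION = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
# Header fields: id, flags, qdcount, ancount, nscount, arcount.
QUERY = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + QUESTION
# Flags 0x8380 = QR | TC | RD | RA: a response the server had to truncate.
TRUNCATED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0) + QUESTION
# One answer record: example.com (name pointer 0x0c) A 192.0.2.10, TTL 300.
ANSWER = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
# Flags 0x8180 = QR | RD | RA: the complete response.
FULL_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + QUESTION + ANSWER


def fake_udp_send(query: bytes) -> bytes:
    """Stand-in for a UDP exchange with a server whose answer never fits."""
    return TRUNCATED_REPLY


def fake_tcp_send(framed_query: bytes) -> bytes:
    """Stand-in for a TCP exchange: the same server returns the complete answer."""
    assert tcp_unframe(framed_query) == QUERY
    return tcp_frame(FULL_REPLY)


if __name__ == "__main__":
    for policy in ("tcp-retry", "disable"):
        reply, via = resolve(QUERY, fake_udp_send, fake_tcp_send, policy)
        answers = struct.unpack("!H", reply[6:8])[0]
        print(f"{policy:10s} -> {via:14s} answers={answers}")
```

With tcp-retry the resolver ends up with the full answer (one A record here); with disable it returns the truncated reply, which in this sample carries no answer records at all. That is why the default keeps the TCP retry: a truncated MX or PTR response that is silently accepted changes routing and sender-verification results without any error being raised.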

Related topics

domain

system interface

system ddns
