FortiGate DNS server
You can create local DNS servers for your network. Depending on your requirements, you can either manually maintain your entries (primary DNS server), or use it to refer to an outside source (secondary DNS server).
A local, primary DNS server requires that you to manually add all URL and IP address combinations. Using a primary DNS server for local services can minimize inbound and outbound traffic, and access time. Making it authoritative is not recommended, because IP addresses can change, and maintaining the list can become labor intensive.
A secondary DNS server refers to an alternate source to obtain URL and IP address combinations. This is useful when there is a primary DNS server where the entry list is maintained.
FortiGate as a DNS server also supports TLS and HTTPS connections to a DNS client. See DNS over TLS and HTTPS for details.
See Basic DNS server configuration example for a sample configuration.
By default, DNS server options are not available in the FortiGate GUI.
To enable DNS server options in the GUI:
-
Go to System > Feature Visibility.
-
Enable DNS Database in the Additional Features section.
-
Click Apply.
To configure the FortiGate as a DNS server in the GUI:
-
Go to Network > DNS Servers.
-
Enable DNS services on an interface:
-
In the DNS Service on Interface table, click Create New.
-
Configure the following:
Interface
Select the interface to enable DNS service on.
Mode
Set the DNS server mode:
-
Recursive: The system first checks for the requested record in the shadow DNS database. If the record is not found locally, the query is then forwarded to the system’s DNS server for further lookup. This mode ensures a comprehensive search for the requested record, utilizing both local and system DNS resources.
-
Non-Recursive: Search is restricted to the Public DNS database only. If the requested record is not found, the query will not be forwarded to the system’s DNS server. This mode is useful when you need to limit queries strictly to local resources.
-
Forward to System DNS: The local DNS database is bypassed and all queries are forwarded directly to the system’s DNS server. This is beneficial when you need to rely solely on system-level DNS resources for resolving queries.
DNS Filter
Apply a DNS filter profile to DNS server. This option is not available when Mode is Non-Recursive. See Applying DNS filter to FortiGate DNS server for more information.
DNS over HTTPS
Enable DNS over HTTPS (DoH). DoH is a method of performing DNS resolution over a secure HTTPS connection. See DNS over TLS and HTTPS for more information
-
-
Click OK.
-
-
Build the DNS database:
-
In the DNS Database table, click Create New.
-
Configure the following:
Type
Select the zone type:
-
Primary: The primary DNS zone, to manage entries directly.
-
Secondary: The secondary DNS zone, to import entries from other DNS zones. The purpose of a secondary DNS zone is to provide redundancy and load balancing. If the primary DNS server fails, the secondary DNS server can continue to resolve queries for the domain.
View
Select the zone view:
-
Shadow: This type of DNS zone is designed for both internal and external clients, allowing them to resolve DNS queries with the recursive DNS server on FortiGate. It creates a shadow of your public DNS records within your private network.
-
Public: This type of DNS zone is intended to serve external clients only, allowing them to resolve DNS queries with the non-recursive DNS server on FortiGate. It contains records that map the domain names of your publicly accessible services to their respective IP addresses. These records are propagated across the internet, allowing anyone in the world to find and connect to your services.
DNS Zone
The name of the DNS zone.
Domain Name
The domain name.
Hostname of Primary DNS
The domain name of the default DNS server for this zone. This option is only available when Type is Primary.
IP of Primary
The IP address of the primary DNS server. This option is only available when Type is Secondary.
Contact Email Address
The email address of the administrator for this zone. You can specify only the username, such as admin, or the full email address, such as admin@test.com. When using only a username, the domain of the email is the zone. This option is only available when Type is Primary.
TTL
The default time-to-live value for the entries of this DNS zone. This option is only available when Type is Primary.
Authoritative
Enabling Authoritative makes this server is the primary and sole source of information for this specific DNS zone. It prevents the FortiGate from seeking DNS records further upstream. Enabling authoritative is not recommended.
DNS Forwarder
-
-
Add DNS entries:
-
In the DNS Entries table, click Create New.
-
Configure the following:
Type
The resource record type. The availability of the subsequent settings vary depending on the selected type.
- Address (A): This is the host type. It maps a hostname to an IPv4 address in the DNS system, allowing a browser or other client to access a server using its domain name.
- Name Server (NS): This is the name server type. It indicates which DNS server is authoritative for that domain
- Canonical Name (CNAME): This is the canonical name type. It’s used to alias one name to another.
- Mail Exchange (MX): This is the mail exchange type. It routes email to a specified mail server based on the information in the record.
- IPv6 Address (AAAA): This is the IPv6 host type. Similar to the A record, but it maps a hostname to an IPv6 address.
- IPv4 Pointer (PTR): This is the pointer type for IPv4. It provides a mapping of the IP address to a hostname, essentially the reverse of what an A record does.
- IPv6 Pointer (PTR): This is the pointer type for IPv6. It functions similarly to the IPv4 PTR record, but for IPv6 addresses.
TTL
The time-to-live for this entry.
-
Click OK.
-
-
Click OK.
-
To configure the FortiGate as a DNS server in the CLI:
-
Configure DNS servers:
config system dns-server edit <name> set dnsfilter-profile {string} set doh {enable | disable} set mode {recursive | non-recursive | forward-only} next end
See config system dns-server in the CLI reference for a comprehensive list of commands.
-
Configure DNS database:
config system dns-database edit <name> set authoritative {enable | disable} set contact {string} set domain {string} set forwarder {user} set primary-name {string} set ttl {integer} set type {primary | secondary} set view {shadow | public } config dns-entry edit <id> set status {enable | disable} set type {A | NS | CNAME | MX | AAAA | PTR | PTR_V6} set ttl {integer} set ip {ipv4-address-any} set ipv6 {ipv6-address} set hostname {string} set canonical-name {string} next end next end
See config system dns-database in the CLI reference for a comprehensive list of commands.