A DNS server is a public service that converts symbolic node names to IP addresses. A Domain Name System (DNS) server implements the protocol. In simple terms, it acts as a phone book for the Internet. A DNS server matches domain names with the computer IP address. This enables you to use readable locations, such as fortinet.com when browsing the Internet. FortiOS supports DNS configuration for both IPv4 and IPv6 addressing.
The FortiGate unit includes default DNS server addresses. However, these should be changed to those provided by your Internet Service Provider. The defaults are DNS proxies and are not as reliable as those from your ISP.
Within FortiOS, there are two DNS configuration options; each provide a specific service, and can work together to provide a complete DNS solution.
Basic DNS queries are configured on interfaces that connect to the Internet. When a web site is requested, for example, the FortiGate unit will look to the configured DNS servers to provide the IP address to know which server to contact to complete the transaction.
DNS server addresses are configured by going to Network > DNS. Here you specify the DNS server addresses. Typically, these addresses are supplied by your ISP. An additional option is available if you have local Microsoft domains on the network, by entering a domain name in the Local Domain Name field.
In a situation where all three fields are configured, the FortiGate unit will first look to the local domain. If no match is found, a request is sent to the external DNS servers.
If virtual domains are enabled, you create a DNS database in each VDOM. All of the interfaces in a VDOM share the DNS database in that VDOM.
Additional DNS CLI configuration
Further options are available from the CLI with the command
config system dns. Within this command you can set the following commands:
dns-cache-limit- enables you to set how many DNS entries are stored in the cache. Entries that remain in the cache provide a quicker response to requests than going out to the Internet to get the same information.
dns-cache-ttl- enables you to set how long entries remain in the cache in seconds, between 60 and 86,400 (24 hours).
cache-notfound-responses- when enabled, any DNS requests that are returned with NOT FOUND can be stored in the cache.
source-ip- enables you to define a dedicated IP address for communications with the DNS server.
If your ISP changes your external IP address on a regular basis, and you have a static domain name, you can configure the external interface to use a dynamic DNS service to ensure external users and/or customers can always connect to your company firewall.
If you have a FortiGuard subscription, you can use FortiGuard as your DDNS server. To configure dynamic DNS in the web-based manager, go to Network > DNS, select Enable FortiGuard DDNS, and enter the relevant information for the interface communicating to the server, and which server to use, and relevant information.
If you do not have a FortiGuard subscription, or want to use an alternate server, you can configure dynamic DNS in the CLI use the commands below. Within the CLI you can configure a DDNS for each interface. Only the first configured port appears in the web‑based manager. Additional commands vary with the DDNS server you select.
config system ddns
set monitor-interface <external_interface>
set ddns-server <ddns_server_selection>
You can also use FortiGuard (when subscribed) as a DDNS as well. To configure, use the CLI commands:
config system fortiguard