
DNS

A Domain Name System (DNS) server converts symbolic node names to IP addresses. In simple terms, it acts as a phone book for the Internet: it matches domain names with the IP addresses of the computers that serve them, so you can use readable names such as fortinet.com when you browse the Internet. FortiOS supports DNS configuration for both IPv4 and IPv6 addressing.

FortiGate includes default DNS server addresses. You should replace them with the servers your Internet Service Provider (ISP) provides: the defaults are DNS proxies and are not as reliable as your ISP's servers.

Within FortiOS, there are two DNS configuration options. Each option provides a specific service and both options can work together to provide a complete DNS solution.

DNS settings

You configure basic DNS queries on interfaces that connect to the Internet. When a user requests a website, FortiGate looks to the configured DNS servers to provide the IP address of the website in order to know which server to contact to complete the transaction.

You configure DNS server addresses by selecting Network > DNS and specifying the primary and secondary DNS server addresses. These addresses are typically supplied by your ISP. If you have local Microsoft domains on the network, you can enter a domain name in the Local Domain Name field.

When all three fields (primary DNS server, secondary DNS server, and local domain name) are configured, FortiGate first looks to the local domain. If no match is found, FortiGate sends the request to the external DNS servers.

If virtual domains (VDOM) are enabled, you create a DNS database in each VDOM. All of the interfaces in a VDOM share the DNS database in that VDOM.

Additional DNS CLI configuration

Additional DNS configuration options are available in the CLI, using the config system dns command. Within this command, you can also set the following options:

Command                    Description
dns-cache-limit            Maximum number of DNS entries stored in the cache. Cached entries answer repeat requests faster than querying an external server again.
dns-cache-ttl              How long entries remain in the cache, in seconds. Range 60 to 86400; the default is 86400 (24 hours).
cache-notfound-responses   When enabled, negative answers (NOT FOUND) are cached too, so repeated requests for a nonexistent name are not forwarded again until the entry expires.
source-ip                  Dedicated source IP address for FortiGate's own communications with the DNS servers.
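The three cache options interact in ways the table does not show: a small dns-cache-limit evicts entries under load, dns-cache-ttl bounds how long a stale answer is served, and cache-notfound-responses decides whether a burst of lookups for nonexistent names (typical of misconfigured clients or malware probing) is forwarded upstream every time. The following model is an added example, not FortiOS code; the LRU eviction order, the capping of the record's own TTL by dns-cache-ttl, and the sample zone are assumptions made for illustration.

```python
"""Model of the FortiGate DNS proxy cache knobs described above:
dns-cache-limit, dns-cache-ttl and cache-notfound-responses.
Added example, not FortiOS code. The LRU eviction order and the way the
record's own TTL is capped by dns-cache-ttl are modelling assumptions."""
from collections import OrderedDict

MIN_CACHE_TTL = 60      # dns-cache-ttl range quoted on the page
MAX_CACHE_TTL = 86400


class DnsCache:
    def __init__(self, cache_limit, cache_ttl, cache_notfound):
        if not MIN_CACHE_TTL <= cache_ttl <= MAX_CACHE_TTL:
            raise ValueError("dns-cache-ttl must be between 60 and 86400 seconds")
        self.limit = cache_limit              # dns-cache-limit
        self.ttl = cache_ttl                  # dns-cache-ttl
        self.cache_notfound = cache_notfound  # cache-notfound-responses
        self._entries = OrderedDict()         # name -> (expires_at, answer); answer None = NOT FOUND
        self.upstream_queries = 0

    def resolve(self, name, upstream, now):
        """Return (answer, served_from_cache). upstream(name) -> (answer or None, record_ttl)."""
        key = name.lower().rstrip(".")
        cached = self._entries.get(key)
        if cached is not None:
            expires_at, answer = cached
            if now < expires_at:
                self._entries.move_to_end(key)   # mark as recently used
                return answer, True
            del self._entries[key]               # expired: drop and re-query
        self.upstream_queries += 1
        answer, record_ttl = upstream(key)
        if answer is None and not self.cache_notfound:
            return None, False                   # negative answers are not cached unless enabled
        self._store(key, now + min(record_ttl, self.ttl), answer)
        return answer, False

    def _store(self, key, expires_at, answer):
        if len(self._entries) >= self.limit:
            self._entries.popitem(last=False)    # dns-cache-limit reached: evict least recently used
        self._entries[key] = (expires_at, answer)

    def cached_names(self):
        return list(self._entries)


# Constructed sample data standing in for the ISP resolver.
UPSTREAM_ZONE = {"www.example.com": "192.0.2.10", "mail.example.com": "192.0.2.25"}


def fake_upstream(name):
    return UPSTREAM_ZONE.get(name), 300     # 300 s record TTL; None means NOT FOUND


def run_demo(cache_notfound):
    cache = DnsCache(cache_limit=2, cache_ttl=120, cache_notfound=cache_notfound)
    cache.resolve("www.example.com", fake_upstream, now=0)
    _, second_hit = cache.resolve("www.example.com", fake_upstream, now=10)
    # Three requests for a name that does not exist: forwarded every time unless
    # cache-notfound-responses is enabled, in which case only the first goes upstream.
    for t in (20, 21, 22):
        cache.resolve("nope.example.com", fake_upstream, now=t)
    cache.resolve("mail.example.com", fake_upstream, now=30)   # may evict the LRU entry
    _, late_hit = cache.resolve("www.example.com", fake_upstream, now=200)  # past dns-cache-ttl
    return {
        "second_lookup_hit": second_hit,
        "late_lookup_hit": late_hit,
        "upstream_queries": cache.upstream_queries,
        "cached_names": cache.cached_names(),
    }
```

Running run_demo(False) and run_demo(True) side by side shows the trade-off: with negative caching on, the three lookups for the missing name cost one upstream query instead of three, but with a limit of two entries the cached NOT FOUND also pushes a legitimate answer out of the cache.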

DDNS

If your ISP changes your external IP address on a regular basis, and you have a static domain name, you can configure the external interface to use a dynamic DNS (DDNS) service. This ensures that external users and customers can always connect to your company firewall. If you have a FortiGuard subscription, you can use FortiGuard as the DDNS server.

You can configure FortiGuard as the DDNS server, in the FortiGate GUI or CLI.

To configure DDNS in the FortiGate GUI, select Network > DNS and enable FortiGuard DDNS. Then select the interface with the dynamic connection, the DDNS server you have an account with, your domain name, and your account information. If your DDNS server is not in the list, a generic option lets you enter your DDNS server information.

To configure FortiGuard as the DDNS server in the FortiGate CLI, use the following CLI commands:

config system fortiguard

set ddns-server-ip <ip_address>

set ddns-server-port <port>

end

If you do not have a FortiGuard subscription or want to use a different DDNS server, you can configure DDNS in the CLI. You can configure a DDNS for each interface. Only the first configured port appears in the FortiGate GUI. Additional commands vary depending on the DDNS server you select. Use the following CLI commands:

config system ddns

edit <DDNS_ID>

set monitor-interface <external_interface>

set ddns-server <ddns_server_selection>

end

Configuring FortiGate to refresh DDNS IP addresses

You can configure FortiGate to refresh its DDNS registration periodically. FortiGate contacts the configured DDNS server at each update interval and re-registers its address. The use-public-ip option registers the public address as seen by the DDNS server rather than the interface's own address, which is what you need when the FortiGate sits behind an upstream NAT device. Use the following CLI commands:

config system ddns

edit 1

set ddns-server FortiGuardDDNS

set use-public-ip enable

set update-interval <seconds>

end

The possible values for update-interval are 60 to 2592000 seconds, and the default is 300 seconds.

TLS support for DDNS updates

When cleartext is disabled, FortiGate sends and receives Dynamic DNS (DDNS) updates over a TLS (SSL) connection instead of in the clear, protecting the account information and the update itself in transit.

To disable cleartext, use the following CLI commands:

config system ddns

edit <DDNS_ID>

set clear-text disable

end

The ssl-certificate name can also be set in the same location using the command:

set ssl-certificate <cert_name>

DDNS update override for DHCP

The DHCP server has an override option that makes the DHCP server itself perform the DDNS update for the DHCP client. This forces a DDNS update of the client's address record on every lease, even if the DHCP client does not request one, and is what allows the allow/ignore/deny client-updates options to be enforced.

You can enable DDNS update override using the following CLI commands:

config system dhcp server

edit <dhcp_server_id>

set ddns-update-override enable

end

FortiDDNS registration to a public IP address

Fortinet's Dynamic DNS service (FortiDDNS) can register a public IP address even if the FortiGate has no interface with a public address, for example when it sits behind another networking device that performs NAT. In that case the address to register is the one the DDNS server sees, not the interface address; the use-public-ip option under config system ddns selects this behavior. You can configure this in the GUI and the CLI.

DNS servers

You can also create local DNS servers for your network. Depending on your requirements, you can maintain the entries manually (master DNS server) or have FortiGate obtain the zone from another server that holds the maintained copy (slave DNS server). A local master DNS server works like the DNS servers configured in Network > DNS, except that you must add every entry yourself. This lets you define specific hostname and IP address combinations for your network.

The DNS server options are not visible in the FortiGate GUI, by default. To enable the server, select System > Feature Visibility, select DNS Database, and select Apply.

A master DNS server is a convenient way to keep regularly used addresses local instead of querying an outside DNS server, but it is not recommended to make it the authoritative server for public names: IP addresses change, and maintaining such a list by hand becomes labor-intensive.

It is best to use a FortiGate master DNS server for local services. For example, a company has a web server in their DMZ that internal users (employees) and external users (customers or remote employees) access. When internal users access a website, a request for the website is sent out to the DNS server on the Internet, which then returns an IP address or virtual IP address. After the company configures an internal DNS server, the same website request is resolved internally to the internal web server IP address. This minimizes inbound and outbound traffic, and access time.

As a slave DNS server, FortiGate obtains the hostname and IP address combinations from an external or alternate master DNS server. This is useful when a large company maintains the list on a master DNS server; satellite offices then synchronize from the master to obtain the correct addressing.

The DNS server entries do not allow CNAME entries, as per RFC 1912, section 2.4.

Configure a master DNS server - web-based manager
  1. Select Network > DNS Servers, and select Create New for DNS Database.
  2. Set Type to Master.
  3. Set View to Shadow. The view controls who can query the zone: Public lets external users use the DNS server, Shadow restricts it to internal users.
  4. Enter the DNS Zone name, for example WebServer.
  5. Enter the domain name for the zone, for example example.com.
  6. Enter the hostname of the DNS server, for example Corporate.
  7. Enter the contact address for the administrator, for example admin@example.com.
  8. Set Authoritative to Disable.
  9. Select OK.
  10. Add DNS entries to the zone by selecting Create New.
  11. Select the Type, for example Address (A).
  12. Enter the Hostname, for example web.example.com.
  13. Enter the remaining information, which varies with the selected Type.
  14. Select OK.
Configure a master DNS server - CLI

config system dns-database

edit WebServer

set domain example.com

set type master

set view shadow

set ttl 86400

set primary-name corporate

set contact admin@example.com

set authoritative disable

config dns-entry

edit 1

set hostname web.example.com

set type A

set ip 192.168.21.12

set status enable

end

end

Configuring a recursive DNS

Setting authoritative to disable tells FortiGate that its local zone is not the final word for the names it holds. FortiGate then checks its internal DNS server (master or slave) first and, if the request cannot be answered there, forwards it to the external DNS servers configured under Network > DNS. This is known as a split DNS configuration.

The shadow view keeps the local zone visible to internal clients only while still allowing that fallback to the external servers. Use the following CLI commands:

config system dns-database

edit example.com

...

set view shadow

end

 

For this behavior to work completely, you must set the DNS service on the external interface to recursive mode. Note that an interface in recursive mode answers every query it receives and forwards unknown names upstream, so a recursive DNS service on an Internet-facing interface that is not restricted by policy acts as an open resolver and can be abused for DNS reflection and amplification attacks.

Configure a recursive DNS - web-based manager
  1. Go to Network > DNS Servers, and select Create New for DNS Service on Interface.
  2. Select the Interface.
  3. Select the Mode to Recursive.
  4. Select OK.
Configure a recursive DNS - CLI

config system dns-server

edit wan1

set mode recursive

end
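The lookup order described in the DNS servers and recursive DNS sections (local dns-database first, shadow versus public view, authoritative enable versus disable, then the external servers only when the interface is in recursive mode) is easier to reason about as code. The following model is an added example, not FortiOS code; the internal networks, the DMZ web server addresses, and the external resolver's answers are constructed for illustration.

```python
"""Model of the split DNS lookup order described on this page: a local
dns-database zone (view shadow or public, authoritative enable or disable)
consulted before the external DNS servers, with the interface's dns-server
mode deciding whether unknown names are recursed at all.
Added example, not FortiOS code; networks and addresses are constructed."""
from dataclasses import dataclass, field
import ipaddress


@dataclass
class Zone:
    domain: str
    view: str = "shadow"             # shadow: internal clients only; public: anyone may query
    authoritative: bool = False      # disable: fall through to the external servers on a miss
    entries: dict = field(default_factory=dict)   # hostname -> IP address


# Networks treated as "internal" for the shadow view (constructed).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]


def is_internal(src_ip):
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in INTERNAL_NETS)


def in_zone(name, domain):
    return name == domain or name.endswith("." + domain)


def resolve(name, src_ip, zones, external, recursive=True):
    """Return (answer, source). external maps names to the answer an upstream resolver gives."""
    name = name.lower().rstrip(".")
    for zone in zones:
        if not in_zone(name, zone.domain):
            continue
        if zone.view == "shadow" and not is_internal(src_ip):
            continue                               # shadow zones are invisible from outside
        if name in zone.entries:
            return zone.entries[name], "dns-database"
        if zone.authoritative:
            return None, "nxdomain"                # authoritative: no fallback for this zone
        break                                      # authoritative disable: ask the external servers
    if not recursive:
        return None, "refused"                     # dns-server mode is not recursive
    return external.get(name), "external"


# Constructed data: the DMZ web server has an internal address and a public VIP.
CORP = Zone("example.com", view="shadow", authoritative=False,
            entries={"web.example.com": "192.168.21.12"})
EXTERNAL = {"web.example.com": "203.0.113.10", "www.fortinet.com": "198.51.100.5"}


def run_demo():
    internal, outside = "10.1.1.5", "198.51.100.77"
    auth_zone = Zone(CORP.domain, CORP.view, authoritative=True, entries=CORP.entries)
    return {
        # Employee gets the internal address straight from the FortiGate's zone.
        "internal_web": resolve("web.example.com", internal, [CORP], EXTERNAL),
        # External client never sees the shadow zone and gets the public VIP.
        "external_web": resolve("web.example.com", outside, [CORP], EXTERNAL),
        # Unknown name under the zone: forwarded because authoritative is disabled...
        "internal_miss": resolve("intranet.example.com", internal, [CORP], EXTERNAL),
        # ...but answered locally with NXDOMAIN when authoritative is enabled.
        "internal_miss_auth": resolve("intranet.example.com", internal, [auth_zone], EXTERNAL),
        # Names outside the zone are only answered when the interface is recursive.
        "recursive_off": resolve("www.fortinet.com", internal, [CORP], EXTERNAL, recursive=False),
        "recursive_on": resolve("www.fortinet.com", internal, [CORP], EXTERNAL),
    }
```

The model deliberately does not restrict who may trigger the recursive branch: that is exactly the property the interface's firewall policy has to supply when recursive mode is enabled on an Internet-facing interface.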

Configuring IPv6 Router Advertisement options for DNS configuration

FortiGate supports the following RFC 6106 IPv6 Router Advertisement options:

  • Obtaining DNS search list options from upstream DHCPv6 servers
  • Sending the DNS search list through Router Advertisement
  • Sending the DNS search list through the FortiGate DHCP server
  • Sending DNS search list option to downstream clients with Router Advertisements that use a static prefix (FortiOS version 5.6.1 and later)
  • Sending recursive DNS server option to downstream clients with Router Advertisements that use a static prefix (FortiOS version 5.6.1 and later)
Obtain the DNS search list options from upstream DHCPv6 servers - CLI

config system interface

edit wan1

config ipv6

set dhcp6-prefix-delegation enable

next

next

end

Send DNS search lists through Router Advertisement - CLI

config system interface

edit port1

config ipv6

set ip6-address 2001:10::/64

set ip6-mode static

set ip6-send-adv enable

config ip6-delegated-prefix-list

edit 1

set upstream-interface WAN

set subnet 0:0:0:11::/64

set autonomous-flag enable

set onlink-flag enable

next

next

end

end

Send the DNS search lists through the FortiGate DHCP server - CLI

The dns-search-list delegated option passes the DNS search list that FortiGate learned from the upstream DHCPv6 server (through prefix delegation on the upstream interface) to the downstream clients served by the FortiGate DHCPv6 server, using the following CLI commands:

config system dhcp6 server

edit 1

set interface port2

set upstream-interface WAN

set ip-mode delegated

set dns-service delegated

set dns-search-list delegated

set subnet 0:0:0:12::/64

next

end

Send DNS search list option to downstream clients with Router Advertisements that use a static prefix - CLI

In FortiOS 5.6.1 and later, you can use the set dnssl <DNS search list option> command to send DNS search list option to downstream clients with Router Advertisements that use a static prefix, using the following CLI commands:

config system interface

edit port1

config ipv6

config ip6-prefix-list

edit 2001:db8::/64

set autonomous-flag enable

set onlink-flag enable

set rdnss 2001:1470:8000::66 2001:1470:8000::72

set dnssl <DNS search list option>

next

end

end

next

end

Send recursive DNS server option to downstream clients with Router Advertisements that use a static prefix - CLI

In FortiOS 5.6.1 and later, you can use the set rdnss <recursive DNS search option> command to send Recursive DNS server option to downstream clients with Router Advertisements that use a static prefix, using the following CLI commands:

config system interface

edit port1

config ipv6

config ip6-prefix-list

edit 2001:db8::/64

set autonomous-flag enable

set onlink-flag enable

set rdnss 2001:1470:8000::66 2001:1470:8000::72

set dnssl <DNS search list option>

next

end

end

next

end

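The rdnss and dnssl settings in the two preceding sections make FortiGate emit the RFC 6106 RDNSS (type 25) and DNSSL (type 31) options in its Router Advertisements. The encoder and decoder below are an added example, not FortiOS code, for checking what downstream clients actually receive (run the parser over the option bytes of a captured RA); the lifetimes, the search domains, and the assembled option list are constructed, while the server addresses are the ones used in the CLI example above.

```python
"""Build and decode the RFC 6106 Router Advertisement options that the
rdnss and dnssl settings above make FortiGate send: RDNSS (type 25) and
DNSSL (type 31). Added example, not FortiOS code. Point parse_ra_options()
at the option bytes of a captured RA to confirm what clients receive."""
import ipaddress
import struct

RDNSS_TYPE = 25
DNSSL_TYPE = 31


def build_rdnss(addresses, lifetime):
    """RDNSS option: type, length (8-octet units), reserved, lifetime, N x 16-byte addresses."""
    body = b"".join(ipaddress.IPv6Address(a).packed for a in addresses)
    return struct.pack("!BBHI", RDNSS_TYPE, 1 + 2 * len(addresses), 0, lifetime) + body


def encode_dns_name(name):
    """DNS wire format: length-prefixed labels terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_dnssl(names, lifetime):
    """DNSSL option: like RDNSS, but the body is wire-format names zero-padded to 8 octets."""
    body = b"".join(encode_dns_name(n) for n in names)
    body += b"\x00" * ((-len(body)) % 8)
    return struct.pack("!BBHI", DNSSL_TYPE, 1 + len(body) // 8, 0, lifetime) + body


def decode_dns_names(payload):
    names, labels, i = [], [], 0
    while i < len(payload):
        n = payload[i]
        i += 1
        if n == 0:
            if labels:                      # end of a name; further zero bytes are padding
                names.append(".".join(labels))
                labels = []
            continue
        if n & 0xC0:
            raise ValueError("compression pointers are not permitted in DNSSL")
        labels.append(payload[i:i + n].decode("ascii"))
        i += n
    if labels:
        raise ValueError("unterminated name in DNSSL option")
    return names


def parse_ra_options(data):
    """Walk an RA option list; return ([(server, lifetime)], [(search_domain, lifetime)])."""
    servers, domains, pos = [], [], 0
    while pos + 8 <= len(data):
        opt_type, length = data[pos], data[pos + 1]
        if length == 0:
            raise ValueError("zero-length RA option (RFC 4861: discard the packet)")
        end = pos + length * 8
        if end > len(data):
            raise ValueError("truncated RA option")
        lifetime = struct.unpack("!I", data[pos + 4:pos + 8])[0]
        payload = data[pos + 8:end]
        if opt_type == RDNSS_TYPE:
            for i in range(0, len(payload) - len(payload) % 16, 16):
                servers.append((str(ipaddress.IPv6Address(payload[i:i + 16])), lifetime))
        elif opt_type == DNSSL_TYPE:
            domains.extend((d, lifetime) for d in decode_dns_names(payload))
        pos = end                            # unrelated options (prefix info, MTU, ...) are skipped
    return servers, domains


def run_demo():
    # Constructed RA option list using the server addresses from the CLI example above.
    ra = (build_rdnss(["2001:1470:8000::66", "2001:1470:8000::72"], 1800)
          + build_dnssl(["example.com", "corp.example.com"], 1800))
    return parse_ra_options(ra)
```

Because Router Advertisements are unauthenticated, any host on the link can send RDNSS and DNSSL options of its own and redirect client resolution; if you rely on these options, pair them with RA Guard on the access switches and compare a captured RA against the configured values with a parser like this one.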

Viewing the Internet Service Database

The Internet Service Database in the FortiGate GUI contains detailed information about services that are available on the Internet, such as the DNS servers that Adobe, Google, Fortinet, and Apple provide. For each service, the database shows the IP addresses of the servers that host the service, and the port and protocol number that each IP address uses. To view the Internet Service Database, select Policy & Objects > Internet Service Database in the FortiGate GUI.