config global-dns-server zone
Use this command to configure a DNS zone and its resource records.
The DNS zone configuration is central to the global load balancing solution. It holds the DNS server settings for the zone, including:
• Domain name and name server details.
• Type—Whether the server is the master or a forwarder.
• DNSSEC—Whether to use DNSSEC.
• DNS RR records—The zone configuration contains resource records (RR) used to resolve DNS queries delegated to the domain by the parent zone.
You can specify different DNS server settings for each zone you create. For example, the DNS server can be a master for one zone and a forwarder for another zone.
Before you begin:
• You must have a good understanding of DNS and knowledge of the DNS deployment in your network.
• You must have authority to create authoritative DNS zone records for your network.
• You must have read-write permission for global load balancing settings.
After you have configured a DNS zone, you can select it in the DNS policy configuration.
Syntax
config global-dns-server zone
edit <name>
set domain-name <string>
set primary-server-ip <class_ip>
set primary-server-ip6 <class_ip>
set primary-server-name <string>
set responsible-mail <string>
set ttl <integer>
set type {master|forward}
set forward {first | only}
set forwarders <datasource>
set dnssec-status {enable|disable}
set dnssec-algorithm RSASHA1
set dsset9info <string>
set dssetinfo-filename <string>
set dsset-info-list <datasource>
set KSK <string>
set KSK-Filename <string>
set ZSK <string>
set ZSK-Filename <string>
config a-aaaa-record
edit <No.>
set hostname <string>
set source-type {from-load-balance-pool | ipv4 | ipv6}
set load-balance-pool <datasource>
set ip <class_ip>
set ip6 <class_ip>
set method wrr
set weight <integer>
next
end
config cname-record
edit <No.>
set alias <string>
set target <string>
next
end
config mx-record
edit <No.>
set hostname <string>
set type {ipv4|ipv6}
set ip <class_ip>
set ip6 <class_ip>
set priority <integer>
next
end
config ns-record
edit <No.>
set domain-name <string>
set host-name <string>
set type {ipv4|ipv6}
set ip <class_ip>
set ip6 <class_ip>
next
end
next
end
config global-dns-server zone |
domain-name | The domain name must end with a period. For example: example.com. |
primary-server-ip | The IP address of the primary server. |
primary-server-ip6 | The IPv6 address of the primary server. |
primary-server-name | Sets the server name in the SOA record. |
responsible-mail | The mailbox of the person responsible for this zone, used for the RNAME field of the SOA record. Enter the local part only, such as root. |
ttl | The $TTL directive at the top of the zone file (before the SOA) gives a default TTL for every RR without a specific TTL set. The default is 86,400. The valid range is 0 to 2,147,483,647. |
type | • master—The configuration contains the “master” copy of data for the zone and is the authoritative server for it. • forward—The configuration allows you to apply DNS forwarding on a per-domain basis, overriding the forwarding settings in the “general” configuration. |
forward | • first—The DNS server queries the forwarders list before doing its own DNS lookup. • only—Only query the forwarders list. Do not perform a DNS lookup. |
forwarders | The list of DNS servers to forward queries to. The forward setting has no effect while this list is empty. |
dnssec-status | Enable/disable DNSSEC. |
dnssec-algorithm | RSASHA1 is the only supported algorithm. It is SHA-1 based and RFC 8624 rates it NOT RECOMMENDED for signing, so confirm that the resolvers that must validate your zone still accept it. |
dsset9info | It is generated by the system if DNSSEC is enabled for the zone. |
dssetinfo-filename | The file is generated by the system if DNSSEC is enabled for the zone. The file generated by the zone configuration editor is the one you give to any parent zone or the registrar of your domain. The convention is dsset-<domain>, for example dsset-example.com. |
dsset-info-list | Specify a DSset info list configuration object. |
KSK | Type characters for a string key. The file is generated by the system if DNSSEC is enabled for the zone. |
KSK-Filename | The file is generated by the system if DNSSEC is enabled for the zone. To regenerate the KSK, disable DNSSEC and then re-enable DNSSEC. |
ZSK | Type characters for a string key. The file is generated by the system if DNSSEC is enabled for the zone. |
ZSK-Filename | The file is generated by the system if DNSSEC is enabled for the zone. To regenerate the ZSK, disable DNSSEC and then re-enable DNSSEC. |
config a-aaaa-record |
hostname | The hostname part of the FQDN, such as www. |
source-type | • from-load-balance-pool—Specify this option to use the IP address information and weight from a global pool configuration object you have created. • ipv4—Specify this option to configure an IPv4 address and weight. • ipv6—Specify this option to configure an IPv6 address and weight. |
load-balance-pool | Specify a global pool configuration. Used when source-type is from-load-balance-pool. |
ip | Specify the IPv4 address of the virtual server. Used when source-type is ipv4. |
ip6 | Specify the IPv6 address of the virtual server. Used when source-type is ipv6. |
method | Weighted Round Robin is the only method supported. |
weight | Assigns relative preference among members—higher values are more preferred and are returned in answers more frequently. The default is 1. The valid range is 1-255. |
config cname-record |
alias | An alias name to another true or canonical domain name (the target). For instance, www.example.com is an alias for example.com. |
target | The true or canonical domain name. For instance, example.com. |
config mx-record |
hostname | The hostname part of the FQDN for a mail exchange server, such as mail. |
type | • ipv4—Use the ip field. • ipv6—Use the ip6 field. |
ip | Specify the IPv4 address of the mail exchange server. |
ip6 | Specify the IPv6 address of the mail exchange server. |
priority | Preference given to this RR among others at the same owner. Lower values have greater priority. |
config ns-record |
domain-name | The domain for which the name server has authoritative answers, such as example.com. |
host-name | The hostname part of the FQDN, such as ns. |
type | • ipv4—Use the ip field. • ipv6—Use the ip6 field. |
ip | Specify the IPv4 address of the name server. |
ip6 | Specify the IPv6 address of the name server. |
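The dsset-<domain> file described above is what the parent zone or registrar publishes as your DS record. Before (and after) handing it over, it is worth checking that the DS actually matches the KSK the zone publishes, because a DS that points at no DNSKEY makes validating resolvers fail the whole zone with SERVFAIL. The following is an added example, not FortiADC code and not part of the original page: it computes the key tag and DS digest from a DNSKEY RDATA as RFC 4034 defines them and compares them with a DS line. The key bytes are constructed (not a real RSA key), and the function names are this example's own.

```python
# Added example (not FortiADC code): check that the DS record handed to the parent
# zone or registrar (the dsset-<domain> file) matches the KSK the zone publishes.
# Wire layouts and the key-tag routine follow RFC 4034; everything is computed
# locally from a DNSKEY RDATA, so this runs offline.
import hashlib
import struct

# Constructed sample, not a real RSA key: exponent length 3, exponent 65537, 4-byte "modulus".
SAMPLE_PUBKEY = b"\x03\x01\x00\x01" + b"\xab\xcd\xef\x01"
KSK_FLAGS = 257   # zone key + secure entry point, i.e. a KSK
RSASHA1 = 5       # the only algorithm this zone type offers; SHA-1 based, NOT RECOMMENDED for signing (RFC 8624)

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (lower-cased); the trailing period is required."""
    if not name.endswith("."):
        raise ValueError("domain name must end with a period, e.g. example.com.")
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags(2) | protocol(1, always 3) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest = hash(owner name wire || DNSKEY RDATA); type 1 is SHA-1, type 2 is SHA-256."""
    h = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return h(name_to_wire(owner) + rdata).hexdigest().upper()

def ds_record(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """Render the DS line in the form found in a dsset-<domain> file."""
    algorithm = rdata[3]
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} {digest_type} {ds_digest(owner, rdata, digest_type)}"

def ds_matches(ds_line: str, owner: str, rdata: bytes) -> bool:
    """True if a DS line (e.g. what the parent zone publishes) matches the given DNSKEY RDATA."""
    f = ds_line.split()
    if len(f) < 7 or f[2].upper() != "DS":
        return False
    tag, algorithm, digest_type = int(f[3]), int(f[4]), int(f[5])
    digest = "".join(f[6:]).upper()   # some tools wrap the digest over several fields
    if digest_type not in (1, 2):
        return False                   # unknown digest type: cannot verify, so report no match
    return (tag == key_tag(rdata) and algorithm == rdata[3]
            and digest == ds_digest(owner, rdata, digest_type))

if __name__ == "__main__":
    ksk = dnskey_rdata(KSK_FLAGS, RSASHA1, SAMPLE_PUBKEY)
    line = ds_record("example.com.", ksk)
    print(line)
    print("matches published KSK:", ds_matches(line, "example.com.", ksk))
```

To check a live delegation, paste the DNSKEY RDATA fields (flags, algorithm, base64 key decoded to bytes) that the zone answers for the KSK into dnskey_rdata, and the DS line returned by the parent zone into ds_matches; after regenerating the KSK by disabling and re-enabling DNSSEC, the old DS at the parent will no longer match until you submit the new dsset file.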
Example
FortiADC-VM # config global-dns-server zone
FortiADC-VM (zone) # edit wan-zone
Add new entry 'wan-zone' for node 2248
FortiADC-VM (wan-zone) # get
type : master
domain-name :
dnssec-status : disable
ttl : 86400
responsible-mail :
primary-server-name :
primary-server-ip : 0.0.0.0
primary-server-ip6 : ::
FortiADC-VM (wan-zone) # set domain-name www.fortiadc.com.
FortiADC-VM (wan-zone) # set responsible-mail root
FortiADC-VM (wan-zone) # set primary-server-name ns
FortiADC-VM (wan-zone) # set primary-server-ip 202.33.11.107
FortiADC-VM (wan-zone) # config a-aaaa-record
FortiADC-VM (a-aaaa-record) # edit 1
Add new entry '1' for node 2257
FortiADC-VM (1) # set hostname www
FortiADC-VM (1) # get
hostname : www
source-type : ipv4
weight : 1
ip : 0.0.0.0
method : wrr
FortiADC-VM (1) # set hostname www
FortiADC-VM (1) # set ip 202.33.11.1
FortiADC-VM (1) # end
FortiADC-VM (wan-zone) # end
FortiADC-VM # config global-dns-server zone
FortiADC-VM (zone) # edit lan-zone
Add new entry 'lan-zone' for node 2248
FortiADC-VM (lan-zone) # set domain-name fortiadc.com.
FortiADC-VM (lan-zone) # set responsible-mail root
FortiADC-VM (lan-zone) # set primary-server-name ns
FortiADC-VM (lan-zone) # set primary-server-ip 192.33.11.107
FortiADC-VM (lan-zone) # config a-aaaa-record
FortiADC-VM (a-aaaa-record) # edit 1
Add new entry '1' for node 2257
FortiADC-VM (1) # set source-type from-load-balance-pool
FortiADC-VM (1) # set hostname www
FortiADC-VM (1) # set load-balance-pool global-pool-1
FortiADC-VM (1) # end
FortiADC-VM (lan-zone) # end
FortiADC-VM # show global-dns-server zone
config global-dns-server zone
edit "wan-zone"
set domain-name www.fortiadc.com.
set responsible-mail root
set primary-server-name ns
set primary-server-ip 202.33.11.107
config a-aaaa-record
edit 1
set hostname www
set ip 202.33.11.1
next
end
config ns-record
end
config cname-record
end
config mx-record
end
next
edit "lan-zone"
set domain-name fortiadc.com.
set responsible-mail root
set primary-server-name ns
set primary-server-ip 192.33.11.107
config a-aaaa-record
edit 1
set hostname www
set source-type from-load-balance-pool
set load-balance-pool global-pool-1
next
end
config ns-record
end
config cname-record
end
config mx-record
end
next
end
FortiADC-VM #
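The following is an added example, not FortiADC code and not part of the original page. It parses the `show global-dns-server zone` output above, checks it against the constraints stated in the field table (trailing period on domain-name, the ttl range, the weight range, and the field each source-type requires), and renders the static A/AAAA records each zone will answer. The parser, the defaults it fills in (taken from the `get` output in the example) and the owner name being formed as hostname plus domain-name are assumptions of this example.

```python
# Added example (not FortiADC code): parse the output of "show global-dns-server zone",
# lint it against the field constraints documented above, and render the static A/AAAA RRs.

# Constructed sample: the show output from the example above, trimmed to the fields used here.
SHOW_OUTPUT = """\
config global-dns-server zone
edit "wan-zone"
set domain-name www.fortiadc.com.
config a-aaaa-record
edit 1
set hostname www
set ip 202.33.11.1
next
end
next
edit "lan-zone"
set domain-name fortiadc.com.
config a-aaaa-record
edit 1
set hostname www
set source-type from-load-balance-pool
set load-balance-pool global-pool-1
next
end
next
end
"""

# Defaults that show omits; values taken from the get output in the example above.
ZONE_DEFAULTS = {"type": "master", "ttl": "86400"}
RR_DEFAULTS = {"source-type": "ipv4", "weight": "1", "method": "wrr"}
REQUIRED_BY_SOURCE = {"ipv4": "ip", "ipv6": "ip6", "from-load-balance-pool": "load-balance-pool"}

def parse_cli(text):
    """Parse config/edit/set/next/end blocks into nested {"set": {...}, "config": {table: {entry: node}}}."""
    root = {"set": {}, "config": {}}
    stack = [root]                      # alternates node, table, node, table, ...
    for raw in text.splitlines():
        words = raw.split(None, 1)
        if not words:
            continue
        kw, rest = words[0], (words[1].strip() if len(words) > 1 else "")
        if kw == "config":              # open a table inside the current node
            stack.append(stack[-1]["config"].setdefault(rest, {}))
        elif kw == "edit":              # open an entry inside the current table
            stack.append(stack[-1].setdefault(rest.strip('"'), {"set": {}, "config": {}}))
        elif kw == "set":
            key, _, val = rest.partition(" ")
            stack[-1]["set"][key] = val.strip().strip('"')
        elif kw in ("next", "end"):     # close the entry / the table
            stack.pop()
    return root

def lint_zone(name, zone):
    """Problems found against the constraints given in the field table above."""
    s = {**ZONE_DEFAULTS, **zone["set"]}
    problems = []
    domain = s.get("domain-name", "")
    if not domain.endswith("."):
        problems.append(f"{name}: domain-name {domain!r} must end with a period")
    if not 0 <= int(s["ttl"]) <= 2147483647:
        problems.append(f"{name}: ttl {s['ttl']} outside 0..2147483647")
    for idx, rr in zone["config"].get("a-aaaa-record", {}).items():
        r = {**RR_DEFAULTS, **rr["set"]}
        where = f"{name}/a-aaaa-record {idx}"
        if not 1 <= int(r["weight"]) <= 255:
            problems.append(f"{where}: weight {r['weight']} outside 1..255")
        need = REQUIRED_BY_SOURCE[r["source-type"]]
        if need not in r:
            problems.append(f"{where}: source-type {r['source-type']} needs {need}")
    return problems

def render_records(zone):
    """Static A/AAAA lines; pool-backed entries are only noted, since their answers are dynamic."""
    s = {**ZONE_DEFAULTS, **zone["set"]}
    domain, ttl, lines = s["domain-name"], s["ttl"], []
    for rr in zone["config"].get("a-aaaa-record", {}).values():
        r = {**RR_DEFAULTS, **rr["set"]}
        owner = f"{r['hostname']}.{domain}"   # hostname part + zone domain-name (assumed)
        if r["source-type"] == "ipv4":
            lines.append(f"{owner} {ttl} IN A {r.get('ip', '0.0.0.0')}")
        elif r["source-type"] == "ipv6":
            lines.append(f"{owner} {ttl} IN AAAA {r.get('ip6', '::')}")
        else:
            lines.append(f"; {owner} answered from pool {r.get('load-balance-pool', '?')} ({r['method']})")
    return lines

def audit(text):
    """Return (problems, {zone name: rendered lines}) for a show global-dns-server zone dump."""
    zones = parse_cli(text)["config"].get("global-dns-server zone", {})
    problems, records = [], {}
    for name, zone in zones.items():
        problems += lint_zone(name, zone)
        records[name] = render_records(zone)
    return problems, records

if __name__ == "__main__":
    found, recs = audit(SHOW_OUTPUT)
    for zone_name, lines in recs.items():
        print(f"; zone {zone_name}\n" + "\n".join(lines))
    print("\n".join(found) or "no problems found")
```

Rendering the page's own wan-zone yields the owner name www.www.fortiadc.com., because that zone's domain-name was set to a host name (www.fortiadc.com.) rather than the zone apex; lan-zone, with domain-name fortiadc.com., yields www.fortiadc.com. as intended. Pool-backed records are only noted, since their answers come from the live state of the global pool's members.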