config global-dns-server policy
Use this command to configure a rulebase that matches traffic to DNS zones.
Traffic that matches both the source and destination criteria of a policy is served by that policy. Traffic that does not match any policy is served by the DNS “general settings” configuration.
Before you begin:
You must have a good understanding of DNS and knowledge of the DNS deployment in your network.
You must have configured address objects, remote servers, DNS zones, and optional configuration objects you want to specify in your policy.
You must have read-write permission for global load balancing settings.
Syntax
config global-dns-server policy
edit <name>
set destination-address <datasource>
set dns64-list {<datasource> ...}
set dnssec-status {enable|disable}
set dnssec-validate-status {enable|disable}
set forward {first | only}
set forwarders <datasource>
set recursion-status {enable|disable}
set response-rate-limit <datasource>
set source-address <datasource>
set zone-list {<datasource> ...}
next
end
destination-address
Address object to specify the destination match criteria.
dns64-list
Specify one or more DNS64 configurations to use when resolving IPv6 requests.
dnssec-status
Enable/disable DNSSEC.
dnssec-validate-status
Enable/disable DNSSEC validation.
forward
first—The DNS server queries the forwarder before doing its own DNS lookup.
only—The DNS server only queries the forwarder and does not perform its own DNS lookups.
forwarders
If the DNS server zone has been configured as a forwarder, specify the remote DNS server objects to which it forwards requests.
recursion-status
Enable/disable recursion. If enabled, the DNS server attempts to do all the work required to answer the query, including querying other servers. If not enabled, the server returns a referral response when it does not already know the answer. Because recursion answers arbitrary queries on behalf of the client, enable it only in policies whose source-address restricts it to trusted clients.
response-rate-limit
Specify a rate limit configuration object.
source-address
Address object to specify the source match criteria.
zone-list
Specify one or more zone configurations to serve DNS requests from matching traffic.
Example
FortiADC-VM (policy) # edit lan_policy
Add new entry 'lan_policy' for node 2236
 
FortiADC-VM (lan_policy) # get
source-address :
destination-address :
zone-list :
dns64-list :
recursion-status : enable
dnssec-status : disable
dnssec-validate-status: disable
forward : first
forwarders :
response-rate-limit :
 
FortiADC-VM (lan_policy) # set source-address campus
FortiADC-VM (lan_policy) # set destination-address any
FortiADC-VM (lan_policy) # set zone-list lan-zone
FortiADC-VM (lan_policy) # next
 
FortiADC-VM (policy) # edit wan_policy
Add new entry 'wan_policy' for node 2236
 
FortiADC-VM (wan_policy) # set source-address branch
FortiADC-VM (wan_policy) # set destination-address any
FortiADC-VM (wan_policy) # set zone-list wan-zone
FortiADC-VM (wan_policy) # end
 
FortiADC-VM # get global-dns-server policy lan_policy
source-address : campus
destination-address : any
zone-list : lan-zone
dns64-list :
recursion-status : enable
dnssec-status : disable
dnssec-validate-status: disable
forward : first
forwarders :
response-rate-limit :
 
FortiADC-VM # get global-dns-server policy wan_policy
source-address : branch
destination-address : any
zone-list : wan-zone
dns64-list :
recursion-status : enable
dnssec-status : disable
dnssec-validate-status: disable
forward : first
forwarders :
response-rate-limit :
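As an added example (not Fortinet's code and not part of this reference), a Python script that parses the key : value output of `get global-dns-server policy` shown above and audits each policy with our own heuristics: recursion enabled for a policy whose source-address is the catch-all `any` object, forwarding without DNSSEC validation, and no response-rate-limit object. The `guest_policy` entry, the `lan-rrl` and `isp-resolvers` object names, and the audit rules themselves are assumptions for the demonstration.

```python
import re

# Constructed sample of "get global-dns-server policy <name>" output in the
# key : value layout the FortiADC CLI prints; guest_policy is hypothetical,
# added here to show what the audit flags.
SAMPLE_GET_OUTPUT = """\
FortiADC-VM # get global-dns-server policy lan_policy
source-address : campus
destination-address : any
zone-list : lan-zone
recursion-status : enable
dnssec-validate-status: disable
forwarders :
response-rate-limit : lan-rrl
FortiADC-VM # get global-dns-server policy guest_policy
source-address : any
destination-address : any
zone-list :
recursion-status : enable
dnssec-validate-status: disable
forwarders : isp-resolvers
response-rate-limit :
"""
HEADER_RE = re.compile(r"^\S+ # get global-dns-server policy (\S+)$")
FIELD_RE = re.compile(r"^([\w-]+)\s*:\s*(.*)$")

def parse_policies(text: str) -> dict:
    """Return {policy_name: {field: value}} from one or more 'get' outputs."""
    policies, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if m := HEADER_RE.match(line):
            current = policies.setdefault(m.group(1), {})
        elif (m := FIELD_RE.match(line)) and current is not None:
            current[m.group(1)] = m.group(2).strip()
    return policies

def audit_policy(name: str, p: dict) -> list:
    """Heuristic checks (ours, not Fortinet's); 'any' is the catch-all object."""
    findings = []
    # Recursion resolves arbitrary names for the client, so it should only be
    # reachable from trusted sources, never from the catch-all address object.
    if p.get("recursion-status") == "enable" and p.get("source-address") == "any":
        findings.append(f"{name}: recursion open to any source; restrict source-address")
    if p.get("forwarders") and p.get("dnssec-validate-status") != "enable":
        findings.append(f"{name}: forwards to {p['forwarders']} without DNSSEC validation")
    if not p.get("response-rate-limit"):
        findings.append(f"{name}: no response-rate-limit object set")
    return findings

def audit_all(text: str) -> list:
    return [f for n, p in parse_policies(text).items() for f in audit_policy(n, p)]
```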