DNS Servers

You can also create local DNS servers for your network. Depending on your requirements, you can manually maintain your entries (primary DNS server), or use it as a jumping point, where the server refers to an outside source (secondary DNS server). A local primary DNS server works similarly to the DNS server addresses configured in Network > DNS, but all entries must be added manually. This enables you to add a local DNS server to include specific URL/IP address combinations.

The DNS server options are not visible in the web-based manager by default. To enable the server, go to System > Feature Select and select DNS Database.

While a primary DNS server is an easy method of including regularly used addresses to save on going to an outside DNS server, it is not recommended to make it the authoritative DNS server. IP addresses may change, and maintaining any type of list can quickly become labor-intensive.

A FortiGate primary DNS server is best suited to local services. For example, suppose your company has a web server on the DMZ that is accessed by internal employees as well as by external users, such as customers or remote users. Without an internal DNS server, an internal user accessing the site would send a request for website.example.com that goes out to a DNS server on the Internet, which returns a public IP address or virtual IP. With an internal DNS server, the same request is resolved internally to the internal web server IP address, minimizing inbound/outbound traffic and access time.

As a secondary DNS server, the FortiGate server refers to an external or alternate source as a way to obtain the URL/IP combination. This is useful if a large company maintains a list on a primary DNS server: satellite offices can then connect to the primary DNS server to obtain the correct addressing.

DNS server entries do not allow CNAME entries, as per RFC 1912, section 2.4.

To configure a primary DNS server - web-based manager
  1. Go to Network > DNS Servers, and select Create New for DNS Database.
  2. Select the Type of Master.
  3. Select the View as Shadow.
  4. The view determines who can access the DNS server. If you select Public, external users can access, or use, the DNS server. If you select Shadow, only internal users can use it.
  5. Enter the DNS Zone, for example, WebServer.
  6. Enter the domain name for the zone, for example example.com.
  7. Enter the hostname of the DNS server, for example, Corporate.
  8. Enter the contact address for the administrator, for example, admin@example.com.
  9. Set Authoritative to Disable.
  10. Select OK.
  11. Enter the DNS entries for the server by selecting Create New.
  12. Select the Type, for example, Address (A).
  13. Enter the Hostname, for example web.example.com.
  14. Enter the remaining information, which varies depending on the Type selected.
  15. Select OK.
To configure a DNS server - CLI

config system dns-database
    edit WebServer
        set domain example.com
        set type master
        set view shadow
        set ttl 86400
        set primary-name corporate
        set contact admin@example.com
        set authoritative disable
        config dns-entry
            edit 1
                set hostname web.example.com
                set type A
                set ip <web-server-ip-address>
                set status enable
            next
        end
    next
end

Recursive DNS

You can set an option to ensure that this type of DNS server is not the authoritative server. When configured, the FortiGate unit checks its internal DNS server first. If the request cannot be fulfilled there, it looks to the external DNS servers. This is known as a split DNS configuration.

You can also have the FortiGate unit look to an internal server should the primary or secondary not fulfill the request by using the CLI commands:

config system dns-database
    edit example.com
        set view shadow
    next
end

For this behavior to work completely, you must set the DNS service on the external interface (the external port) to recursive mode.

To configure a recursive DNS - web-based manager
  1. Go to Network > DNS Servers, and select Create New for DNS Service on Interface.
  2. Select the Interface.
  3. Select the Mode to Recursive.
  4. Select OK.
To set the DNS query - CLI

config system dns-server
    edit wan1
        set mode recursive
    next
end
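The following Python model is an added example, not FortiGate code or an official description of FortiOS internals. It simulates the split DNS behavior described in this section: shadow versus public views, the Authoritative setting, and the per-interface DNS service mode. The modes non-recursive (serve public zones only, never forward) and forward-only (skip local zones), the EXTERNAL_DNS answers, and the RFC 1912 section 2.4 CNAME check are assumptions of the model.

```python
"""Simplified model of FortiGate split DNS: local zones with shadow/public views,
a per-interface DNS service mode, and fall-through to external DNS servers when
the local zone is not authoritative. Constructed example, not FortiOS code."""
from dataclasses import dataclass, field

# Constructed answers standing in for the external (system) DNS servers.
EXTERNAL_DNS = {"web.example.com": "203.0.113.10", "www.example.org": "198.51.100.5"}


@dataclass
class Zone:
    domain: str
    view: str = "shadow"          # shadow: internal clients only; public: any client
    authoritative: bool = False   # False (disable): unresolved names fall through
    entries: dict = field(default_factory=dict)   # hostname -> {rtype: value}

    def add_entry(self, hostname, rtype, value):
        # RFC 1912 section 2.4: a CNAME may not coexist with other data for the
        # same name, so the zone apex (which carries SOA/NS) can never be a CNAME.
        owner = self.entries.get(hostname, {})
        if (rtype == "CNAME" and (owner or hostname == self.domain)) or "CNAME" in owner:
            raise ValueError(f"CNAME conflict for {hostname} (RFC 1912 2.4)")
        self.entries.setdefault(hostname, {})[rtype] = value

    def covers(self, qname):
        return qname == self.domain or qname.endswith("." + self.domain)


def resolve(zones, iface_mode, qname, external=EXTERNAL_DNS, depth=0):
    """Return (source, answer) for a query arriving on an interface whose DNS
    service mode is 'recursive', 'non-recursive' or 'forward-only'."""
    if depth > 8:
        return "local", "SERVFAIL"            # guard against CNAME loops
    if iface_mode != "forward-only":
        for zone in (z for z in zones if z.covers(qname)):
            if zone.view == "shadow" and iface_mode != "recursive":
                continue                      # shadow zone is hidden from this interface
            rr = zone.entries.get(qname, {})
            if "A" in rr:
                return "local", rr["A"]
            if "CNAME" in rr:                 # chase the alias, locally or externally
                return resolve(zones, iface_mode, rr["CNAME"], external, depth + 1)
            if zone.authoritative:
                return "local", "NXDOMAIN"    # authoritative: never ask outside for this zone
    if iface_mode == "non-recursive":
        return "refused", None
    return "external", external.get(qname, "NXDOMAIN")
```

With the shadow zone from the CLI example, a query on a recursive-mode interface gets the internal address, the same query on a non-recursive interface is refused, and names outside the zone fall through to the external servers.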