DNS Servers

You can also create local DNS servers for your network. Depending on your requirements, you can manually maintain your entries (master DNS server), or use it as a jumping point, where the server refers to an outside source (slave DNS server). A local master DNS server works similarly to the DNS server addresses configured in Network > DNS, but all entries must be added manually. This enables you to add a local DNS server to include specific URL/IP address combinations.

The DNS server options are not visible in the web-based manager by default. To enable the server, go to System > Feature Select and select DNS Database.

While a master DNS server is an easy method of including regularly used addresses to save on going to an outside DNS server, it is not recommended to make it the authoritative DNS server. IP addresses may change, and maintaining any type of list can quickly become labor-intensive.

A FortiGate master DNS server is best suited to local services. For example, your company may have a web server on the DMZ that is accessed by internal employees as well as external users, such as customers or remote users. In this situation, the internal users when accessing the site would send a request for, that would go out to the DNS server on the web, to return an IP address or virtual IP. With an internal DNS, the same site request is resolved internally to the internal web server IP address, minimizing inbound/outbound traffic and access time.

As a slave DNS server, the FortiGate server refers to an external or alternate source as a way to obtain the URL/IP combination. This is useful if there is a master DNS server for a large company where a list is maintained. Satellite offices can then connect to the master DNS server to obtain the correct addressing.

The DNS server does not allow CNAME entries, as per RFC 1912, section 2.4.

To configure a master DNS server - web-based manager
  1. Go to Network > DNS Servers, and select Create New for DNS Database.
  2. Set the Type to Master.
  3. Set the View to Shadow.
  4. The view sets who can reach the DNS server. With Public, external users can access, or use, the DNS server. With Shadow, only internal users can use it.
  5. Enter the DNS Zone, for example, WebServer.
  6. Enter the domain name for the zone, for example
  7. Enter the hostname of the DNS server, for example, Corporate.
  8. Enter the contact address for the administrator, for example,
  9. Set Authoritative to Disable.
  10. Select OK.
  11. Enter the DNS entries for the server by selecting Create New.
  12. Select the Type, for example, Address (A).
  13. Enter the Hostname, for example
  14. Enter the remaining information, which varies depending on the Type selected.
  15. Select OK.

To configure a DNS server - CLI

config system dns-database
    edit WebServer
        set domain
        set type master
        set view shadow
        set ttl 86400
        set primary-name corporate
        set contact
        set authoritative disable
        config dns-entry
            edit 1
                set hostname
                set type A
                set ip
                set status enable
            next
        end
    next
end
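
A check for the zone settings discussed above, as an added example that is not part of the original help page or any Fortinet tooling: it parses a dump of config system dns-database and flags a master zone with authoritative explicitly enabled, a public view, and Address (A) entries with no ip. The sample dump, zone names and finding texts are constructed; only explicitly set values are checked, and FortiOS defaults are not modelled.

```python
# Constructed FortiOS dump for illustration; zone names and values are made up.
SAMPLE = """\
config system dns-database
    edit WebServer
        set type master
        set view public
        set authoritative enable
        config dns-entry
            edit 1
                set hostname www
                set type A
            next
        end
    next
    edit Branch
        set view shadow
        set authoritative disable
    next
end
"""

def parse_zones(text):
    """Parse config/edit/set nesting into {zone: {"settings", "entries"}}."""
    zones, zone, entry, depth = {}, None, None, 0
    for tok in (line.split() for line in text.splitlines()):
        kw = tok[0] if tok else ""
        depth += (kw == "config") - (kw == "end")  # track table nesting
        if kw == "edit" and depth == 1:            # a zone
            zone = zones.setdefault(tok[1], {"settings": {}, "entries": {}})
        elif kw == "edit" and depth == 2:          # a dns-entry in that zone
            entry = zone["entries"].setdefault(tok[1], {})
        elif kw == "set":
            target = entry if depth == 2 else zone["settings"]
            target[tok[1]] = " ".join(tok[2:])     # empty if no value given
    return zones

def audit(zones):
    """Flag explicit settings that depart from the guidance on this page."""
    out = []
    for name, z in zones.items():
        s = z["settings"]
        if s.get("type") == "master" and s.get("authoritative") == "enable":
            out.append((name, "master zone is authoritative"))
        if s.get("view") == "public":
            out.append((name, "public view: external users can query"))
        out += [(name, f"entry {i}: A record has no ip")
                for i, e in z["entries"].items()
                if e.get("type") == "A" and not e.get("ip")]
    return out
```

Calling audit(parse_zones(SAMPLE)) returns three findings for WebServer and none for Branch.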



Recursive DNS

You can set an option to ensure these types of DNS server are not the authoritative server. When configured, the FortiGate unit will check its internal DNS server (Master or Slave). If the request cannot be fulfilled, it will look to the external DNS servers. This is known as a split DNS configuration.

You can also have the FortiGate unit look to an internal server should the Master or Slave not fulfill the request by using the CLI commands:

config system dns-database



set view shadow



For this behavior to work completely, you must set the DNS query for the external interface to be recursive.

To configure a recursive DNS - web-based manager
  1. Go to Network > DNS Servers, and select Create New for DNS Service on Interface.
  2. Select the Interface.
  3. Set the Mode to Recursive.
  4. Select OK.

To set the DNS query - CLI

config system dns-server
    edit wan1
        set mode recursive
    next
end