Configuring DNS settings

Like many other types of network devices, FortiWeb appliances require connectivity to DNS servers for DNS lookups.

Your Internet service provider (ISP) may supply IP addresses of DNS servers, or you may want to use the IP addresses of your own DNS servers. You must provide unicast, non-local addresses for your DNS servers. Local host and broadcast addresses will not be accepted.

Incorrect DNS settings or unreliable DNS connectivity can cause issues with other features, including FortiGuard services and NTP system time.

To configure DNS settings via the web UI

1.  Go to System > Network > DNS.

To change settings in this part of the web UI, your administrator's account access profile must have Write permission to items in the Network Configuration category. For details, see Permissions.

2.  In Primary DNS Server, type the IP address of the primary DNS server.

3.  In Secondary DNS Server, type the IP address of the secondary DNS server.

4.  In Local Domain Name, type the name of the local domain to which the FortiWeb appliance belongs, if any.

This field is optional. It will not appear in the Host: field of HTTP headers for client connections to your protected web servers.

5.  Click Apply.

The appliance will query the DNS servers whenever it needs to resolve a domain name into an IP address, such as for NTP system time, FortiGuard services, or web servers defined by their domain names (“domain servers”).

6.  To verify your DNS settings, in the CLI, enter the following command:

execute traceroute <server_fqdn>

where <server_fqdn> is a domain name such as www.example.com.

DNS tests may not succeed until you have completed Adding a gateway.

If the DNS query for the domain name succeeds, you should see results that indicate that the host name resolved into an IP address, and the route from FortiWeb to that IP address:

traceroute to www.example.com (192.0.43.10), 30 hops max, 60 byte packets
 1 172.20.130.2 (172.20.130.2) 0.426 ms 0.238 ms 0.374 ms
 2 static-209-87-254-221.storm.ca (209.87.254.221) 2.223 ms 2.491 ms 2.552 ms
 3 core-g0-0-1105.storm.ca (209.87.239.161) 3.079 ms 3.334 ms 3.357 ms
...
16 43-10.any.icann.org (192.0.43.10) 57.243 ms 57.146 ms 57.001 ms

If the DNS query fails, you will see an error message such as:

traceroute: unknown host www.example.com
CFG_CLI_INTERNAL_ERR

Verify your DNS server IPs, routing, and that your firewalls or routers do not block or proxy UDP port 53.

To configure DNS settings via the CLI

1.  Enter the following commands:

config system dns
  set primary <address_ipv4>
  set secondary <address_ipv4>
  set domain <local-domain_str>
end

where:

<address_ipv4> is the IP address of a DNS server

<local-domain_str> is the name of the local domain to which the FortiWeb appliance belongs, if any

The local domain name is optional. It will not appear in the Host: field of HTTP headers for connections to protected web servers.

The appliance will query the DNS servers whenever it needs to resolve a domain name into an IP address, such as for NTP or web servers defined by their domain names (“domain servers”).

2.  To verify your DNS settings, in the CLI, enter the following command:

execute traceroute <server_fqdn>

where <server_fqdn> is a domain name such as www.example.com.

DNS tests may not succeed until you have completed Adding a gateway.

If the DNS query for the domain name succeeds, you should see results that indicate that the host name resolved into an IP address, and the route from FortiWeb to that IP address:

traceroute to www.example.com (192.0.43.10), 30 hops max, 60 byte packets
 1 172.20.130.2 (172.20.130.2) 0.426 ms 0.238 ms 0.374 ms
 2 static-209-87-254-221.storm.ca (209.87.254.221) 2.223 ms 2.491 ms 2.552 ms
 3 core-g0-0-1105.storm.ca (209.87.239.161) 3.079 ms 3.334 ms 3.357 ms
...
16 43-10.any.icann.org (192.0.43.10) 57.243 ms 57.146 ms 57.001 ms

If the DNS query fails, you will see an error message such as:

traceroute: unknown host www.example.com
CFG_CLI_INTERNAL_ERR

Verify your DNS server IPs, routing, and that your firewalls or routers do not block or proxy UDP port 53.
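The following Python script is an added example; it is not Fortinet's code and does not appear in this documentation. It applies the address rule stated earlier (unicast, non-local; loopback and broadcast refused) to candidate DNS server addresses before they are typed into the appliance, renders the matching config system dns block from the CLI procedure, and classifies the output of execute traceroute <server_fqdn> as a resolution success or failure. The rejection of link-local and unspecified addresses goes slightly beyond the page's stated rule and is an assumption; the indentation in the rendered CLI block is cosmetic; the sample traceroute output is constructed from the page's own example lines.

```python
"""
Added example (not from the FortiWeb documentation or Fortinet): pre-check
candidate DNS server addresses, render the `config system dns` CLI block,
and classify `execute traceroute <server_fqdn>` output.
"""
import ipaddress
import re
from typing import Optional

BROADCAST_V4 = ipaddress.IPv4Address("255.255.255.255")


def dns_server_problem(addr: str) -> Optional[str]:
    """Return None if `addr` is an acceptable unicast DNS server address,
    otherwise a short reason. Loopback (local host) and broadcast are the
    cases the page names; link-local and unspecified are an added
    assumption about what "non-local unicast" should exclude."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "not a valid IP address"
    if ip.is_loopback:
        return "loopback (local host) address"
    if ip.is_multicast:
        return "multicast address (not unicast)"
    if ip.is_unspecified:
        return "unspecified address"
    if ip.is_link_local:
        return "link-local address"
    if ip.version == 4 and ip == BROADCAST_V4:
        return "broadcast address"
    return None


def render_dns_config(primary: str, secondary: str, domain: str = "") -> str:
    """Build the CLI block from the page, refusing bad addresses up front
    so a typo is caught before it reaches the appliance."""
    for label, addr in (("primary", primary), ("secondary", secondary)):
        problem = dns_server_problem(addr)
        if problem:
            raise ValueError(f"{label} DNS server {addr}: {problem}")
    lines = ["config system dns",
             f"  set primary {primary}",
             f"  set secondary {secondary}"]
    if domain:  # local domain name is optional
        lines.append(f"  set domain {domain}")
    lines.append("end")
    return "\n".join(lines)


# First line of a successful run: "traceroute to <fqdn> (<ip>), ..."
_RESOLVED = re.compile(r"^traceroute to (\S+) \((\d{1,3}(?:\.\d{1,3}){3})\)")
# Failure form shown on the page when the name does not resolve
_UNKNOWN = re.compile(r"^traceroute: unknown host (\S+)")


def classify_traceroute(output: str) -> dict:
    """Decide from `execute traceroute` output whether the FQDN resolved.
    Returns {"resolved": bool, "host": str, "ip": str or None}."""
    for line in output.splitlines():
        m = _RESOLVED.match(line.strip())
        if m:
            return {"resolved": True, "host": m.group(1), "ip": m.group(2)}
        m = _UNKNOWN.match(line.strip())
        if m:
            return {"resolved": False, "host": m.group(1), "ip": None}
    return {"resolved": False, "host": "", "ip": None}


# Constructed samples, copied from the page's own example output.
SUCCESS_OUTPUT = """traceroute to www.example.com (192.0.43.10), 30 hops max, 60 byte packets
 1 172.20.130.2 (172.20.130.2) 0.426 ms 0.238 ms 0.374 ms
16 43-10.any.icann.org (192.0.43.10) 57.243 ms 57.146 ms 57.001 ms
"""
FAILURE_OUTPUT = """traceroute: unknown host www.example.com
CFG_CLI_INTERNAL_ERR
"""

if __name__ == "__main__":
    # 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges (constructed values)
    print(render_dns_config("192.0.2.53", "198.51.100.53", "example.com"))
    print(classify_traceroute(SUCCESS_OUTPUT))
    print(classify_traceroute(FAILURE_OUTPUT))
    print(dns_server_problem("127.0.0.1"))
```

Run it with the addresses your ISP or internal resolvers gave you; a rejected address is reported with the reason before any CLI text is produced, and the traceroute classifier can be pointed at output captured from the appliance console to confirm that the name actually resolved rather than eyeballing the first line.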

See also