Configuring general settings

The general settings configuration specifies the interfaces that listen for DNS requests. By default, the system listens on the IPv4 and IPv6 addresses of all configured interfaces for DNS requests.

The other settings in the general settings configuration are applied when traffic does not match a Global DNS policy.

From general settings, you can also enable DNS over HTTP/HTTPS (DoH) and DNS over TLS (DoT) to encrypt the DNS query.

Before you begin:
  • You must have a good understanding of DNS and knowledge of the DNS deployment in your network.
  • You must have Read-Write permission for Global Load Balance settings.
  • If enabling DNS over HTTPS/TLS, you must have prepared a dedicated DNS server domain and a certificate pair for your DNS over HTTPS/TLS service. For details, see Configuring DNS over HTTPS and DNS over TLS.
To configure general settings:
  1. Go to Global Load Balance > Zone Tools.
  2. Click the General Settings tab.
  3. Complete the configuration as described in General configuration.
  4. Save the configuration.
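Once the configuration is saved, the encrypted listeners should be exercised from a client that validates the server certificate against the DNS server domain, since that is the property the certificate requirement above is meant to guarantee. The following is an added example, not FortiADC code: it encodes a DNS query in RFC 1035 wire format, sends it over TLS (RFC 7858, port 853 by default) or as an HTTPS POST of `application/dns-message` (RFC 8484, port 443 by default), checks the transaction id of the reply, and parses any A records. The server name `dns.example.net`, the query name and the `/dns-query` path are placeholders and assumptions; the page does not state the DoH URL path.

```python
"""Post-save check of a DNS over TLS / DNS over HTTPS listener.

Added example, not FortiADC code. Server names are placeholders; the DoH
path follows the RFC 8484 convention because the page does not state it.
"""
import http.client
import socket
import ssl
import struct

DOH_PATH = "/dns-query"  # assumption: RFC 8484 convention
QUERY_ID = 0x1234


def build_query(qname: str, qtype: int = 1, txid: int = QUERY_ID) -> bytes:
    """Standard query: RD=1, one question, class IN (qtype 1 = A record)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(x)]) + x.encode("ascii")
                      for x in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(msg: bytes) -> dict:
    """Return transaction id, RCODE, answer count and any A-record addresses."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return {"id": txid, "rcode": flags & 0x0F, "answers": an, "a_records": addrs}


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def _checked(reply: bytes, txid: int) -> dict:
    """Parse a reply and reject one whose id does not match our query."""
    parsed = parse_response(reply)
    if parsed["id"] != txid:
        raise ValueError("transaction id mismatch")
    return parsed


def query_dot(server_domain: str, qname: str, port: int = 853) -> dict:
    """DoT: TLS with chain and hostname verification, two-byte length framing."""
    ctx = ssl.create_default_context()  # verifies the chain and the server name
    with socket.create_connection((server_domain, port), timeout=5) as raw, \
            ctx.wrap_socket(raw, server_hostname=server_domain) as tls:
        q = build_query(qname)
        tls.sendall(struct.pack("!H", len(q)) + q)
        (n,) = struct.unpack("!H", _recv_exact(tls, 2))
        return _checked(_recv_exact(tls, n), QUERY_ID)


def query_doh(server_domain: str, qname: str, port: int = 443) -> dict:
    """DoH: HTTPS POST of the wire-format query, same certificate checks."""
    ctx = ssl.create_default_context()
    conn = http.client.HTTPSConnection(server_domain, port, context=ctx, timeout=5)
    conn.request("POST", DOH_PATH, body=build_query(qname),
                 headers={"Content-Type": "application/dns-message",
                          "Accept": "application/dns-message"})
    resp = conn.getresponse()
    if resp.status != 200:
        raise RuntimeError(f"HTTP {resp.status} from DoH endpoint")
    return _checked(resp.read(), QUERY_ID)


# Constructed sample answer (not captured from a real server): id 0x1234,
# flags 0x8180, question example.com/A, one A record 192.0.2.1 with TTL 300
# whose owner name is a compression pointer to offset 12.
SAMPLE_RESPONSE = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
                   b"\x07example\x03com\x00\x00\x01\x00\x01"
                   b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\xc0\x00\x02\x01")

if __name__ == "__main__":
    print(parse_response(SAMPLE_RESPONSE))  # offline demonstration of the parser
    # Live checks against the placeholder server once the listener is up:
    # print(query_dot("dns.example.net", "example.com"))
    # print(query_doh("dns.example.net", "example.com"))
```

Because `ssl.create_default_context()` enforces both chain validation and hostname matching, a certificate that does not name the DNS server domain fails here exactly as it would for a strict client, which is the quickest way to catch a mismatched Certificate selection before clients depend on it.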

General configuration

Setting and guidelines

Global DNS Configuration

Enables/disables this configuration.

Recursion

Enables/disables recursion. If enabled, the DNS server attempts to do all the work required to answer the query. If not enabled, the server returns a referral response when it does not already know the answer.

DNSSEC Validation

Enables/disables DNSSEC validation.

Listen on IPv6

Enables/disables listening for DNS requests on the interface IPv6 address.

Listen on IPv4

Enables/disables listening for DNS requests on the interface IPv4 address.

Traffic Log

Enables/disables traffic log.

Listen on All Interface

Enables listening on all interfaces.

Interface List

The Interface List option is available if Listen on All Interface is disabled.

If not listening on all interfaces, select one or more interfaces (ports) to listen on.

DNS over HTTPS

Enables/disables DNS over HTTPS to encrypt DNS queries using the HTTPS protocol.

DNS over HTTPS Port

The DNS over HTTPS Port option is available if DNS over HTTPS is enabled.

Specify the port to listen on DNS over HTTPS. Default: 443 Range: 1-65535.

DNS over HTTPS Interface List

The DNS over HTTPS Interface List option is available if DNS over HTTPS is enabled.

Select the interface(s) to listen on for DNS over HTTPS.

DNS over HTTP

Enables/disables DNS over HTTP, which carries DNS queries inside HTTP messages. Plain HTTP itself provides no encryption, so only the DNS over HTTPS and DNS over TLS transports protect the query on the wire.

DNS over HTTP Port

The DNS over HTTP Port option is available if DNS over HTTP is enabled.

Specify the port to listen on DNS over HTTP. Default: 80 Range: 1-65535.

DNS over HTTP Interface List

The DNS over HTTP Interface List option is available if DNS over HTTP is enabled.

Select the interface(s) to listen on for DNS over HTTP.

DNS over TLS

Enables/disables DNS over TLS to encrypt DNS queries using the TLS protocol.

DNS over TLS Port

The DNS over TLS Port option is available if DNS over TLS is enabled.

Specify the port to listen on DNS over TLS. Default: 853 Range: 1-65535.

DNS over TLS Interface List

The DNS over TLS Interface List option is available if DNS over TLS is enabled.

Select the interface(s) to listen on for DNS queries for DNS over TLS.

Certificate

The Certificate option is available if DNS over HTTPS or DNS over TLS is enabled.

Select the certificate object to apply for DNS over HTTPS or DNS over TLS. This certificate must refer to the DNS server domain or IP address. For details, see Configuring DNS over HTTPS and DNS over TLS.

Forward

Specifies whether and how queries are sent to the configured forwarders:
  • First—The DNS server queries the forwarder before doing its own DNS lookup.
  • Only—Only queries the forwarder. Does not perform its own DNS lookups.

Note: The internal server caches the results it learns from forwarders, which optimizes subsequent lookups.

Use System DNS Server

Forwards DNS requests to the system DNS server instead of the forwarders list.

Response Rate Limit

Selects a rate limit configuration object. See Configuring the response rate limit.
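Several of the settings in the table depend on one another (an Interface List only matters when Listen on All Interface is off, each encrypted transport needs a port in 1-65535 and its own interface list, and a Certificate must be selected whenever DNS over HTTPS or DNS over TLS is on). The following added example, which is not FortiADC code and uses none of its CLI or API keywords, models the settings as a plain dict with key names of its own and applies those dependencies as a pre-save check. It goes slightly beyond the table by also flagging two settings a defender would want to notice: DNS over HTTP being enabled (queries unencrypted) and DNSSEC Validation being off. The sample configurations are constructed for the example.

```python
"""Pre-save consistency check for the global DNS general settings.

Added example, not FortiADC code. The dict keys below are this example's
own naming for the settings in the General configuration table.
"""

DEFAULT_PORT = {"doh": 443, "doh_http": 80, "dot": 853}   # table defaults
LABEL = {"doh": "DNS over HTTPS", "doh_http": "DNS over HTTP", "dot": "DNS over TLS"}


def _port_ok(port) -> bool:
    return isinstance(port, int) and 1 <= port <= 65535   # table range 1-65535


def check_general_settings(s: dict) -> list:
    """Return (level, message) pairs; an empty list means the settings are consistent."""
    f = []
    if not s.get("listen_all_interfaces", True) and not s.get("interface_list"):
        f.append(("error", "Listen on All Interface is off but Interface List is empty"))
    if not s.get("listen_ipv4", True) and not s.get("listen_ipv6", True):
        f.append(("error", "both Listen on IPv4 and Listen on IPv6 are off"))

    ports_in_use = {}
    for key in ("doh", "doh_http", "dot"):
        if not s.get(key):
            continue                      # port and interface list only apply when enabled
        port = s.get(key + "_port", DEFAULT_PORT[key])
        if not _port_ok(port):
            f.append(("error", f"{LABEL[key]} Port {port!r} is outside 1-65535"))
        elif port in ports_in_use:
            f.append(("error", f"{LABEL[key]} and {LABEL[ports_in_use[port]]} both use port {port}"))
        else:
            ports_in_use[port] = key
        if not s.get(key + "_interfaces"):
            f.append(("error", f"{LABEL[key]} is on but its Interface List is empty"))

    if (s.get("doh") or s.get("dot")) and not s.get("certificate"):
        f.append(("error", "DNS over HTTPS/TLS is on but no Certificate is selected"))
    if s.get("doh_http"):
        f.append(("warning", "DNS over HTTP carries queries without TLS; "
                             "only DNS over HTTPS and DNS over TLS are encrypted on the wire"))
    if s.get("dnssec_validation") is False:
        f.append(("warning", "DNSSEC Validation is off; signed answers are accepted unverified"))

    mode = s.get("forward")
    if mode not in (None, "first", "only"):
        f.append(("error", f"Forward must be 'first' or 'only', got {mode!r}"))
    elif mode and not s.get("forwarders") and not s.get("use_system_dns"):
        f.append(("error", f"Forward is '{mode}' but no forwarders are listed "
                           "and Use System DNS Server is off"))
    return f


def errors(findings) -> list:
    """Just the error-level messages."""
    return [msg for level, msg in findings if level == "error"]


# Constructed sample configurations, not taken from a real device.
WEAK = {
    "listen_all_interfaces": False, "interface_list": [],
    "dnssec_validation": False,
    "doh": True, "doh_port": 443, "doh_interfaces": ["port1"],
    "doh_http": True, "doh_http_interfaces": ["port1"],
    "dot": True, "dot_port": 70000, "dot_interfaces": [],
    "certificate": None,
    "forward": "only", "forwarders": [], "use_system_dns": False,
}
HARDENED = {
    "listen_all_interfaces": True, "listen_ipv4": True, "listen_ipv6": True,
    "recursion": True, "dnssec_validation": True,
    "doh": True, "doh_port": 443, "doh_interfaces": ["port1"],
    "doh_http": False,
    "dot": True, "dot_port": 853, "dot_interfaces": ["port1"],
    "certificate": "dns-server-cert",          # placeholder certificate object name
    "forward": "first", "forwarders": ["192.0.2.53"], "use_system_dns": False,
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name)
        for level, msg in check_general_settings(cfg) or [("ok", "no findings")]:
            print(f"  [{level}] {msg}")
```

The weak configuration trips five errors and two warnings; the hardened one passes cleanly. Running such a check before step 4 (Save) is cheaper than discovering after the fact that the server listens on no interface or that DoT clients reject an unselected certificate.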