config global-dns-server general

Use this command to configure basic behavior for the DNS server.

The general settings configuration specifies the interfaces that listen for DNS requests. By default, the system listens on the IPv4 and IPv6 addresses of all configured interfaces for DNS requests.

The other settings in the general settings configuration are applied when traffic does not match a Global DNS policy.

From general settings, you can also enable DNS over HTTP/HTTPS (DoH) and DNS over TLS (DoT) to encrypt the DNS query.

Before you begin:

Syntax

config global-dns-server general
  set dnssec-validate-status {enable|disable}
  set forward {first|only}
  set forwarders <datasource>
  set gds-status {enable|disable}
  set minimal-responses {enable|disable}
  set ipv4-accessed-status {enable|disable}
  set ipv6-accessed-status {enable|disable}
  set listen-on-all-interface {enable|disable}
  set listen-on-interface <datasource>
  set dns-over-https {enable|disable}
  set dns-over-https-port <integer>
  set dns-over-https-listen-on-interface <datasource>
  set dns-over-http {enable|disable}
  set dns-over-http-port <integer>
  set dns-over-http-listen-on-interface <datasource>
  set dns-over-tls {enable|disable}
  set dns-over-tls-port <integer>
  set dns-over-tls-listen-on-interface <datasource>
  set certificate <datasource>
  set recursion-status {enable|disable}
  set response-rate-limit <datasource>
  set traffic-log {enable|disable}
  set use-system-dns-server {enable|disable}
end

dnssec-validate-status

Enable/disable DNSSEC validation.

forward

  • first—The DNS server queries the forwarder before doing its own DNS lookup.
  • only—Only queries the forwarder. Does not perform its own DNS lookups.

forwarders

If the DNS server zone has been configured as a forwarder, specify the remote DNS server to which it forwards requests.

gds-status

Enable/disable the DNS server configuration.

minimal-responses

Enable/disable Minimal Responses, which omits the Authority Section and Additional Section from DNS responses.
Sending only the minimal response can significantly increase the performance of the FortiADC DNS service, measured as queries per second (QPS).

ipv4-accessed-status

Enable/disable listening for DNS requests on the interface IPv4 address.

ipv6-accessed-status

Enable/disable listening for DNS requests on the interface IPv6 address.

listen-on-all-interface

Enable listening on all interfaces.

listen-on-interface

The listen-on-interface option is available if listen-on-all-interface is disabled.

If you do not listen on all interfaces, select one or more interfaces (for example, port2) to listen on.

dns-over-https

Enable/disable DNS over HTTPS to encrypt DNS queries using the HTTPS protocol.

dns-over-https-port

The dns-over-https-port option is available if dns-over-https is enabled.

Specify the port to listen on for DNS over HTTPS. Default: 443. Range: 1-65535.

dns-over-https-listen-on-interface

The dns-over-https-listen-on-interface option is available if dns-over-https is enabled.

Specify the interface(s) to listen on for DNS over HTTPS.

dns-over-http

Enable/disable DNS over HTTP, which carries DNS queries in the DoH message format over the HTTP protocol. Unlike DNS over HTTPS and DNS over TLS, plain HTTP does not encrypt the query in transit, so limit this listener to interfaces where cleartext DNS is acceptable.

dns-over-http-port

The dns-over-http-port option is available if dns-over-http is enabled.

Specify the port to listen on for DNS over HTTP. Default: 80. Range: 1-65535.

dns-over-http-listen-on-interface

The dns-over-http-listen-on-interface option is available if dns-over-http is enabled.

Specify the interface(s) to listen on for DNS over HTTP.

dns-over-tls

Enable/disable DNS over TLS to encrypt DNS queries using the TLS protocol.

dns-over-tls-port

The dns-over-tls-port option is available if dns-over-tls is enabled.

Specify the port to listen on for DNS over TLS. Default: 853. Range: 1-65535.

dns-over-tls-listen-on-interface

The dns-over-tls-listen-on-interface option is available if dns-over-tls is enabled.

Specify the interface(s) to listen on for DNS over TLS.

certificate

The certificate option is available if dns-over-https or dns-over-tls is enabled.

Specify the certificate object to apply for DNS over HTTPS or DNS over TLS. The certificate must be issued for the DNS server's domain name or IP address, otherwise clients will fail to validate it. For details, see the FortiADC Handbook topic Configuring DNS over HTTPS and DNS over TLS.

recursion-status

Enable/disable recursion. If enabled, the DNS server attempts to do all the work required to answer the query. If not enabled, the server returns a referral response when it does not already know the answer. A recursive server that listens on all interfaces is reachable as an open resolver from every attached network, so combine recursion with listen-on-interface and response-rate-limit settings that match the clients it is meant to serve.

response-rate-limit

Specify a rate limit configuration object.

traffic-log

Enable/disable logging.

use-system-dns-server

Forward DNS requests to the system DNS server instead of the forwarder.

Example

FortiADC-VM # config global-dns-server general

FortiADC-VM (general) # get
gds-status : disable
minimal-responses : disable
recursion-status : enable
dnssec-status : disable
dnssec-validate-status : disable
ipv6-accessed-status : enable
ipv4-accessed-status : enable
traffic-log : disable
listen-on-all-interface : enable
forward : first
use-system-dns-server : enable
response-rate-limit :
dns-over-https : enable
dns-over-https-port : 443
dns-over-https-listen-on-interface : port2 port3
dns-over-http : enable
dns-over-http-port : 80
dns-over-http-listen-on-interface : port2 port3
dns-over-tls : enable
dns-over-tls-port : 853
dns-over-tls-listen-on-interface : port2 port3
certificate : dns_fortiadc-qa_com

FortiADC-VM (general) # set gds-status enable

FortiADC-VM (general) # end
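The following is an added configuration-audit example, not code from the Fortinet documentation: it parses the `key : value` format printed by the `get` command above and flags the settings a reviewer would check against the keyword descriptions on this page (recursion exposed on every interface, no response-rate-limit object, cleartext DNS over HTTP, DNSSEC validation and logging disabled). PAGE_DUMP is a constructed subset of the example output; the hardened() counterpart and the object name rrl_default are assumptions.

```python
# Constructed sample: a subset of the 'get' output shown on this page.
PAGE_DUMP = """\
recursion-status : enable
dnssec-validate-status : disable
traffic-log : disable
listen-on-all-interface : enable
response-rate-limit :
dns-over-https : enable
dns-over-http : enable
dns-over-tls : enable
certificate : dns_fortiadc-qa_com
"""

def parse_get(dump: str) -> dict:
    """Parse 'key : value' lines printed by the CLI 'get' command; a bare 'key :' yields ''."""
    settings = {}
    for line in dump.splitlines():
        if " :" not in line:
            continue
        key, _, value = line.partition(" :")
        settings[key.strip()] = value.strip()
    return settings

def audit(settings: dict) -> list:
    """Return hardening findings for a parsed dump; an empty list means nothing flagged."""
    on = lambda key: settings.get(key) == "enable"
    findings = []
    if on("recursion-status") and on("listen-on-all-interface"):
        findings.append("recursion on every interface: open-resolver exposure")
    if on("recursion-status") and not settings.get("response-rate-limit"):
        findings.append("recursion without a response-rate-limit object")
    if on("dns-over-http"):
        findings.append("dns-over-http enabled: plain HTTP is not encrypted")
    if (on("dns-over-https") or on("dns-over-tls")) and not settings.get("certificate"):
        findings.append("DoH/DoT enabled without a certificate object")
    if not on("dnssec-validate-status"):
        findings.append("DNSSEC validation disabled")
    if not on("traffic-log"):
        findings.append("traffic-log disabled: no query log for detection")
    return findings

def hardened(settings: dict) -> dict:
    """Constructed counterpart that clears every finding (rrl_default is a placeholder name)."""
    fixed = dict(settings)
    fixed.update({"listen-on-all-interface": "disable", "listen-on-interface": "port2 port3",
                  "response-rate-limit": "rrl_default", "dns-over-http": "disable",
                  "dnssec-validate-status": "enable", "traffic-log": "enable"})
    return fixed
```

Running audit(parse_get(PAGE_DUMP)) on the page's own example returns five findings, while the hardened counterpart returns none.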
