Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY 26.1.0
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
All Products
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Web Application Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • Web Application / API Protection
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions
    • All Products

    User Guide

    Home FortiAppSec Cloud User Guide

    DNS Zone Records

    DNS Zone Records

    In a DNS Zone, zone records (also known as resource records) define how your domain name maps to IP addresses and other resources.

    Add Records to a DNS Zone

    1. Navigate to GSLB > DNS.

    2. Locate the desired DNS zone, or create a new one by clicking Add Service. For instructions on creating a new DNS Zone, refer to Adding a DNS Zone.

    3. Click the three dots under the gear icon to expand actions, and select Manage Zone Record. This takes you to a page that lists the records associated with this zone.

    4. On this page, you have two options for adding Zone Records.

      1. Manually enter Record details

        1. Click Add Records.

        2. Select the type of record to add. See below for details on the various supported zone resource record types, as well as their specific configuration instructions.

      2. Import Zone File

        A zone file is a standardized plain text file that contains all the DNS resource records defining how your domain and its subdomains behave on the internet.

        Before importing a zone file, ensure proper zone configuration.

        Consider the following guidelines:

        • Zone file must comply with RFC standards and BIND format.

        • Record domain names in the zone file must match the hosted zone's name.

        • GSLB ignores SOA records in the zone file.

        • NS records and their corresponding A records for the configured zone domain are disregarded.

        • The imported zone file must not duplicate any records already present in the hosted zone, or the import process will fail.

        • Duplicate records in the imported zone file will also cause the import process to fail.

        • You can import up to 1024 zone records.

        Below is a sample zone file:

        $TTL 86400

        example.com. IN SOA ns1 admin (

        10004 ; serial

        3600 ; refresh

        900 ; retry

        3600000 ; expiry

        3600 ; minimum

        )

        example.com. IN NS ns1

        $ORIGIN example.com.

        ns1 86400 IN A 1.2.3.4

        mail 86400 IN A 192.0.2.2

        www 86400 IN A 192.0.2.1

        www.example.com 86400 IN CNAME example.com.

        sub.example.com 86400 IN MX 10 mail

        1. Click Import Zone File.
        2. Click Choose File and select your zone file.

    Supported Record types

    FortiAppSec GSLB supports the following resource record types. Support for secondary zone types is planned for a future release.

    A/AAAA record

    A host IPv4 or IPv6 address.

    Configuring the A/AAAA record

    Settings Guidelines

    hostname

    The hostname part of the FQDN, such as www.

    Note: You can specify the @ symbol to denote the zone root. The value substituted for @ is the preceding $ORIGIN directive.

    Source Type

    IPv4 / IPv6

    Address

    Specify the IP address of the virtual server.

    TTL

    The time-to-live of the Resource Records.

    A TTL of -1 indicates that the record inherits the TTL configured at the zone level.

    CNAME record

    Identifies the canonical name of an alias. Described in RFC 1035.

    Configuring the CNAME record

    Settings Guidelines

    Alias

    An alias name to another true or canonical domainname (the target). For instance, www.example.com is an alias for example.com.

    Note: Alias should not be the same as other records, nor should there be duplicate aliases for the same domain. Otherwise, the DNS service will fail.

    Target

    The canonical (true) domain name that the alias points to. For example, example.com.

    • Without a trailing dot in the Target: The CNAME is treated as relative to the current domain, and the DNS server will automatically append the domain name. For example, a target of ms would be interpreted as ms.example.com. If a valid A record exists for ms.example.com, requests will be resolved to that address.

    • With a trailing dot in the Target: The CNAME points to an absolute domain name, typically used to redirect to a record in another domain. For example, a target of ms.otherdomain.com. will be resolved exactly as written. If a valid A record exists for ms.otherdomain.com, the alias will resolve to that address.

    TTL

    The time-to-live of the Resource Records.

    A TTL of -1 indicates that the record inherits the TTL configured at the zone level.

    NS record

    The authoritative name server for the domain. Described in RFC 1035.

    Configuring the NS record

    Settings Guidelines

    Domain name

    The domain for which the name server has authoritative answers, such as example.com.

    Note: FortiAppSec Cloud supports third-party domain names.

    Hostname

    The hostname part of the FQDN.

    • Without a trailing dot in the Hostname: The hostname is treated as relative to the current domain and will be expanded automatically. In this case, an IPv4/IPv6 address is required for the Address IPv4/IPv6 field.

    • With a trailing dot in the Hostname: The hostname is treated as an absolute domain name and will be used exactly as entered. In this case, the Address IPv4/IPv6 field is not required and should remain 0.0.0.0.

    TTL

    The time-to-live of the Resource Records.

    A TTL of -1 indicates that the record inherits the TTL configured at the zone level.

    IP Type

    		 IPv4 / IPv6

    Address

    Specify the IP address of the name server.

    MX record

    Identifies a mail exchange for the domain with a 16-bit preference value (lower is better) followed by the host name of the mail exchange. Described in RFC 974, RFC 1035.

    Configuring the MX record

    Settings Guidelines

    Domain name

    The domain of the mail exchange server.

    Hostname

    The hostname part of the FQDN for a mail exchange server, such as mail.

    TTL

    The time-to-live of the Resource Records.

    A TTL of -1 indicates that the record inherits the TTL configured at the zone level.

    Priority

    Preference given to this RR among others at the same owner. Lower values have greater priority.

    IP type

    		 IPv4 / IPv6

    Address

    Specify the IP address.

    TXT record

    Described in RFC 1035.

    Configuring TXT record / NS record

    Settings Guidelines

    Name

    Hostname.

    TXT records are name-value pairs that contain human readable information about a host. The most common use for TXT records is to store SPF records.

    Text

    Comma-separated list of name/value pairs.

    An example SPF record has the following form:

    v=spf1 +mx a:colo.example.com/28 -all

    If you complete the entry from the Web UI, do not put the string in quotes. (If you complete the entry from the CLI, you do put the string in quotes.)

    TTL

    The time-to-live of the Resource Records.

    A TTL of -1 indicates that the record inherits the TTL configured at the zone level.

    SRV record

    Information about well-known network services (replaces WKS). Described in RFC 2782.

    Configuring the SRV record

    Settings Guidelines

    Hostname

    The host name part of the FQDN, e.g., www.

    TTL

    The time-to-live of the Resource Records.

    A TTL of -1 indicates that the record inherits the TTL configured at the zone level.

    Priority

    A priority assigned to the target host: the lower the value, the higher the priority.

    Weight

    A relative weight assigned to a record among records of the same priority: the greater the value, the more weight it carries.

    This value ranges from 1-255.

    Port

    The TCP or UDP port on which the service is provided.

    Target Name

    The canonical name of the machine providing the service.

    PTR record

    Resolves an IP address to a fully-qualified domain name.

    Configuring the PTR record

    Settings

    Guidelines
    PTR address

    A PTR address, such as 10.168.192.in-addr.arpa. or 1.

    Note: If you use the number, the domain name is in the format "x.x.x.in-addr.arpa."
    FQDN A fully qualified domain name, such as "www.example.com".

    TTL

    The time-to-live of the Resource Records.

    A TTL of -1 indicates that the record inherits the TTL configured at the zone level.

    CAA Record

    A Certificate Authority Authorization (CAA) record is a type of DNS record that specifies which Certificate Authorities (CAs) are authorized to issue certificates for a specific domain. It acts as an additional layer of control to prevent unauthorized certificate issuance.

    A Certificate Authority (CA) sends a Certificate Authority Authorization (CAA) request to a DNS server during the domain validation process. This typically happens when:

    • A Certificate is Requested: When a user or entity requests an SSL/TLS certificate for a domain, the CA must verify that it is authorized to issue a certificate for that domain.

    • CAA Record Check is Performed: As part of the validation process, the CA performs a CAA lookup by querying the domain's DNS. This is done to check if the domain's DNS records include a CAA policy that specifies which CAs are authorized to issue certificates for the domain.

    • Before Certificate Issuance: The CA queries the DNS for the CAA record using a standard DNS query. If a CAA record is found, the CA ensures that it is listed as an authorized CA. If no CAA record exists, the CA assumes it is authorized to issue the certificate by default (as per current industry standards).

    If the DNS server returns a CAA record that does not authorize the CA to issue certificates for the domain, the CA will deny the certificate request.

    Configuring the CAA record

    Settings

    Guidelines

    Hostname

    The domain or subdomain to which the policy applies.

    If the zone record is `example.com.`, you can use a subdomain (e.g., `www`, `sub`) as the Hostname to add a CAA record for that subdomain. To add a CAA record for the root domain, use `@` as the hostname.

    Flags

    Default:No special enforcement—certificate requests proceed as usual.

    Critical: If the CA does not understand the record, it must reject the certificate request, preventing issuance.

    Tag

    A label that specifies the type of policy being defined.

    • issue: Specifies which CAs are authorized to issue certificates for the domain.

    • issuewild: Specifies which CAs are authorized to issue wildcard certificates for the domain.

    • iodef: Specifies a URL where certificate mis-issuance reports should be sent.

    Value

    The value associated with the tag.

    • For issue and issuewild, enter the domain name of the Certificate Authority (CA) authorized to issue certificates (e.g., letsencrypt.org). The maximum length is 253 characters.

    • For iodef, enter a URL where mis-issuance reports should be sent (e.g., mailto:admin@example.com or https://example.com/report). While there is no strict length limit, it is recommended to keep it within 253 characters.
    Previous
    Next

    DNS Zone Records

    DNS Zone Records

    In a DNS Zone, zone records (also known as resource records) define how your domain name maps to IP addresses and other resources.

    Add Records to a DNS Zone

    1. Navigate to GSLB > DNS.

    2. Locate the desired DNS zone, or create a new one by clicking Add Service. For instructions on creating a new DNS Zone, refer to Adding a DNS Zone.

    3. Click the three dots under the gear icon to expand actions, and select Manage Zone Record. This takes you to a page that lists the records associated with this zone.

    4. On this page, you have two options for adding Zone Records.

      1. Manually enter Record details

        1. Click Add Records.

        2. Select the type of record to add. See below for details on the various supported zone resource record types, as well as their specific configuration instructions.

      2. Import Zone File

        A zone file is a standardized plain text file that contains all the DNS resource records defining how your domain and its subdomains behave on the internet.

        Before importing a zone file, ensure proper zone configuration.

        Consider the following guidelines:

        • Zone file must comply with RFC standards and BIND format.

        • Record domain names in the zone file must match the hosted zone's name.

        • GSLB ignores SOA records in the zone file.

        • NS records and their corresponding A records for the configured zone domain are disregarded.

        • The imported zone file must not duplicate any records already present in the hosted zone, or the import process will fail.

        • Duplicate records in the imported zone file will also cause the import process to fail.

        • You can import up to 1024 zone records.

        Below is a sample zone file:

        $TTL 86400

        example.com. IN SOA ns1 admin (

        10004 ; serial

        3600 ; refresh

        900 ; retry

        3600000 ; expiry

        3600 ; minimum

        )

        example.com. IN NS ns1

        $ORIGIN example.com.

        ns1 86400 IN A 1.2.3.4

        mail 86400 IN A 192.0.2.2

        www 86400 IN A 192.0.2.1

        www.example.com 86400 IN CNAME example.com.

        sub.example.com 86400 IN MX 10 mail

        1. Click Import Zone File.
        2. Click Choose File and select your zone file.

    Supported Record types

    FortiAppSec GSLB supports the following resource record types. Support for secondary zone types is planned for a future release.

    A/AAAA record

    A host IPv4 or IPv6 address.

    Configuring the A/AAAA record

    Settings Guidelines

    hostname

    The hostname part of the FQDN, such as www.

    Note: You can specify the @ symbol to denote the zone root. The value substituted for @ is the preceding $ORIGIN directive.

    Source Type

    IPv4 / IPv6

    Address

    Specify the IP address of the virtual server.

    TTL

    The time-to-live of the Resource Records.

    A TTL of -1 indicates that the record inherits the TTL configured at the zone level.

    CNAME record

    Identifies the canonical name of an alias. Described in RFC 1035.

    Configuring the CNAME record

    Settings Guidelines

    Alias

    An alias name to another true or canonical domainname (the target). For instance, www.example.com is an alias for example.com.

    Note: Alias should not be the same as other records, nor should there be duplicate aliases for the same domain. Otherwise, the DNS service will fail.

    Target

    The canonical (true) domain name that the alias points to. For example, example.com.

    • Without a trailing dot in the Target: The CNAME is treated as relative to the current domain, and the DNS server will automatically append the domain name. For example, a target of ms would be interpreted as ms.example.com. If a valid A record exists for ms.example.com, requests will be resolved to that address.

    • With a trailing dot in the Target: The CNAME points to an absolute domain name, typically used to redirect to a record in another domain. For example, a target of ms.otherdomain.com. will be resolved exactly as written. If a valid A record exists for ms.otherdomain.com, the alias will resolve to that address.

    TTL

    The time-to-live of the Resource Records.

    A TTL of -1 indicates that the record inherits the TTL configured at the zone level.

    NS record

    The authoritative name server for the domain. Described in RFC 1035.

    Configuring the NS record

    Settings Guidelines

    Domain name

    The domain for which the name server has authoritative answers, such as example.com.

    Note: FortiAppSec Cloud supports third-party domain names.

    Hostname

    The hostname part of the FQDN.

    • Without a trailing dot in the Hostname: The hostname is treated as relative to the current domain and will be expanded automatically. In this case, an IPv4/IPv6 address is required for the Address IPv4/IPv6 field.

    • With a trailing dot in the Hostname: The hostname is treated as an absolute domain name and will be used exactly as entered. In this case, the Address IPv4/IPv6 field is not required and should remain 0.0.0.0.

    TTL

    The time-to-live of the Resource Records.

    A TTL of -1 indicates that the record inherits the TTL configured at the zone level.

    IP Type

    		 IPv4 / IPv6

    Address

    Specify the IP address of the name server.

    MX record

    Identifies a mail exchange for the domain with a 16-bit preference value (lower is better) followed by the host name of the mail exchange. Described in RFC 974, RFC 1035.

    Configuring the MX record

    Settings Guidelines

    Domain name

    The domain of the mail exchange server.

    Hostname

    The hostname part of the FQDN for a mail exchange server, such as mail.

    TTL

    The time-to-live of the Resource Records.

    A TTL of -1 indicates that the record inherits the TTL configured at the zone level.

    Priority

    Preference given to this RR among others at the same owner. Lower values have greater priority.

    IP type

    		 IPv4 / IPv6

    Address

    Specify the IP address.

    TXT record

    Described in RFC 1035.

    Configuring TXT record / NS record

    Settings Guidelines

    Name

    Hostname.

    TXT records are name-value pairs that contain human readable information about a host. The most common use for TXT records is to store SPF records.

    Text

    Comma-separated list of name/value pairs.

    An example SPF record has the following form:

    v=spf1 +mx a:colo.example.com/28 -all

    If you complete the entry from the Web UI, do not put the string in quotes. (If you complete the entry from the CLI, you do put the string in quotes.)

    TTL

    The time-to-live of the Resource Records.

    A TTL of -1 indicates that the record inherits the TTL configured at the zone level.

    SRV record

    Information about well-known network services (replaces WKS). Described in RFC 2782.

    Configuring the SRV record

    Settings Guidelines

    Hostname

    The host name part of the FQDN, e.g., www.

    TTL

    The time-to-live of the Resource Records.

    A TTL of -1 indicates that the record inherits the TTL configured at the zone level.

    Priority

    A priority assigned to the target host: the lower the value, the higher the priority.

    Weight

    A relative weight assigned to a record among records of the same priority: the greater the value, the more weight it carries.

    This value ranges from 1-255.

    Port

    The TCP or UDP port on which the service is provided.

    Target Name

    The canonical name of the machine providing the service.

    PTR record

    Resolves an IP address to a fully-qualified domain name.

    Configuring the PTR record

    Settings

    Guidelines
    PTR address

    A PTR address, such as 10.168.192.in-addr.arpa. or 1.

    Note: If you use the number, the domain name is in the format "x.x.x.in-addr.arpa."
    FQDN A fully qualified domain name, such as "www.example.com".

    TTL

    The time-to-live of the Resource Records.

    A TTL of -1 indicates that the record inherits the TTL configured at the zone level.

    CAA Record

    A Certificate Authority Authorization (CAA) record is a type of DNS record that specifies which Certificate Authorities (CAs) are authorized to issue certificates for a specific domain. It acts as an additional layer of control to prevent unauthorized certificate issuance.

    A Certificate Authority (CA) sends a Certificate Authority Authorization (CAA) request to a DNS server during the domain validation process. This typically happens when:

    • A Certificate is Requested: When a user or entity requests an SSL/TLS certificate for a domain, the CA must verify that it is authorized to issue a certificate for that domain.

    • CAA Record Check is Performed: As part of the validation process, the CA performs a CAA lookup by querying the domain's DNS. This is done to check if the domain's DNS records include a CAA policy that specifies which CAs are authorized to issue certificates for the domain.

    • Before Certificate Issuance: The CA queries the DNS for the CAA record using a standard DNS query. If a CAA record is found, the CA ensures that it is listed as an authorized CA. If no CAA record exists, the CA assumes it is authorized to issue the certificate by default (as per current industry standards).

    If the DNS server returns a CAA record that does not authorize the CA to issue certificates for the domain, the CA will deny the certificate request.

    Configuring the CAA record

    Settings

    Guidelines

    Hostname

    The domain or subdomain to which the policy applies.

    If the zone record is `example.com.`, you can use a subdomain (e.g., `www`, `sub`) as the Hostname to add a CAA record for that subdomain. To add a CAA record for the root domain, use `@` as the hostname.

    Flags

    Default:No special enforcement—certificate requests proceed as usual.

    Critical: If the CA does not understand the record, it must reject the certificate request, preventing issuance.

    Tag

    A label that specifies the type of policy being defined.

    • issue: Specifies which CAs are authorized to issue certificates for the domain.

    • issuewild: Specifies which CAs are authorized to issue wildcard certificates for the domain.

    • iodef: Specifies a URL where certificate mis-issuance reports should be sent.

    Value

    The value associated with the tag.

    • For issue and issuewild, enter the domain name of the Certificate Authority (CA) authorized to issue certificates (e.g., letsencrypt.org). The maximum length is 253 characters.

    • For iodef, enter a URL where mis-issuance reports should be sent (e.g., mailto:admin@example.com or https://example.com/report). While there is no strict length limit, it is recommended to keep it within 253 characters.
    Previous
    Next