DNS
This section covers the DNS services offered by FortiAppSec Cloud.
GSLB, acting as a DNS service, supports standard DNS zones and primary-type zones.
Adding a DNS Zone
Add DNS zones to manage distinct areas in the DNS namespace. FortiAppSec Cloud GSLB supports adding up to 1024 DNS zones.
Once you have added a DNS Zone, you can manage its DNS records to map your zone to various resource records.
1. Navigate to GSLB > DNS.
2. Click Add Service.
3. Configure the following:
Settings and guidelines:

Name
Name of the zone.

Type
Primary: the configuration holds the primary copy of the zone data, and this server is authoritative for the zone.

Domain Name
The domain name must end with a period, for example: example.com.

Responsible Mail
The mailbox of the person responsible for this zone, written in SOA RNAME form, such as admin.example.com. This field uses a dot (.) in place of the @ symbol, because @ has a reserved meaning in zone files: the address admin@example.com is entered as admin.example.com. Note the trailing dot, which marks an absolute domain name. If the trailing dot is omitted, the DNS server appends the zone's domain name to the entry, so entering dns_admin is interpreted as dns_admin.example.com. If the mailbox belongs to a different domain, enter the full address with a trailing dot, such as dns_admin.otherdomain.com.

Primary Server Name
Sets the server name (MNAME) in the SOA (Start of Authority) record. The same name is also needed when you create the NS record for your domain. Entering @ sets the server name to the domain name itself. To use a different name, enter the full name with a trailing dot, for example example.com., to mark it as absolute; if the trailing dot is omitted, the zone's domain name is appended to whatever you enter.

Primary Server Address (IPv4)
The IPv4 address of the primary server. It is returned as a glue record in the ADDITIONAL SECTION of the query reply. In most cases this is the IP address of the GSLB DNS server.

Primary Server Address (IPv6)
The IPv6 address of the primary server. It is returned in the ADDITIONAL SECTION of replies to AAAA-type queries. If another DNS server that hosts the same domain supports IPv6, enter that server's IPv6 address; otherwise leave the field empty.

TTL
The $TTL (Time-To-Live) directive sets the default number of seconds that resolvers and caches may hold a resource record before querying again. The value applies to every resource record (RR) in the zone that does not set its own TTL. Cached answers are not refreshed until their TTL expires, so a long TTL delays clients from seeing changed or failed-over records.
If unconfigured, the default TTL is 86,400 seconds (24 hours). The valid range is 0 to 2,147,483,647.

Negative TTL
The last (minimum) field of the SOA record, used as the negative-caching TTL (RFC 2308). It tells other resolvers how long to cache no-such-domain (NXDOMAIN) and no-data answers from this zone. The default is 3,600 seconds. The valid range is 0 to 2,147,483,647.
DNSSEC
Only enable DNSSEC when necessary. Click the DNSSEC toggle switch to enable DNSSEC, and then click Save.
For detailed instructions on enabling DNSSEC on GSLB, please refer to How to enable DNSSEC on GSLB.
Note: DNSSEC works with A/AAAA, CNAME, CAA, NS, MX, TXT, SRV and PTR records created in the zone. It also works with FQDN-generated A records, with the limitation that only one record is returned to the client for FQDN services.
Region for log storage
Select a region for storing DNS traffic logs.
- Europe
- USA
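The naming and TTL rules in the form above, as an added worked example; this is not FortiAppSec Cloud code, and the zone name, mailbox and server name are constructed samples. It converts a mailbox address to the SOA RNAME form (including the escaped-dot case the form does not mention), applies the trailing-dot rule to the primary server name, range-checks the TTL fields, and renders the resulting $TTL directive and SOA record:

```python
"""Added example (not FortiAppSec Cloud code): derive the SOA fields the zone
form asks for, applying the rules the form describes. The zone name, server
name and e-mail address used below are constructed samples."""

TTL_MAX = 2_147_483_647  # upper bound of the form's TTL and Negative TTL fields


def absolute_name(name: str, origin: str) -> str:
    """Apply the form's naming rule: '@' is the zone apex, a trailing dot marks
    an absolute name, anything else gets the zone's domain name appended."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def rname_from_email(email: str, origin: str) -> str:
    """Encode an e-mail address in SOA RNAME form. '@' becomes a dot, and a dot
    inside the local part is escaped as '\\.' (RFC 1035, section 3.3.13), so
    'john.doe@example.com' is 'john\\.doe.example.com.' rather than a name with
    an extra label. A value with no '@' is treated as already being in RNAME
    form and only the trailing-dot rule is applied to it."""
    if "@" not in email:
        return absolute_name(email, origin)
    local, domain = email.split("@", 1)
    local = local.replace(".", "\\.")
    return f"{local}.{domain}."


def check_ttl(value: int, field: str) -> int:
    """Enforce the form's range 0..2,147,483,647 for TTL and Negative TTL."""
    if not 0 <= value <= TTL_MAX:
        raise ValueError(f"{field} must be between 0 and {TTL_MAX}, got {value}")
    return value


def render_soa(origin: str, primary_server: str, responsible: str,
               ttl: int = 86400, negative_ttl: int = 3600, serial: int = 1,
               refresh: int = 7200, retry: int = 3600, expire: int = 1209600) -> str:
    """Render the $TTL directive and the SOA record for the zone. The defaults
    for ttl and negative_ttl are the form's own; serial, refresh, retry and
    expire are assumed placeholders, since the form does not expose them."""
    check_ttl(ttl, "TTL")
    check_ttl(negative_ttl, "Negative TTL")
    mname = absolute_name(primary_server, origin)
    rname = rname_from_email(responsible, origin)
    return (f"$TTL {ttl}\n"
            f"{origin} IN SOA {mname} {rname} ("
            f" {serial} {refresh} {retry} {expire} {negative_ttl} )")


if __name__ == "__main__":
    # Constructed sample: apex server name, mailbox in another domain.
    print(render_soa("example.com.", "@", "dns_admin@otherdomain.com"))
```

Running the block prints the $TTL line followed by an SOA whose RNAME is dns_admin.otherdomain.com. with the trailing dot that the form requires for a mailbox in a different domain.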
If you have enabled DNSSEC, read the following; otherwise you can skip this section.
A DS (Delegation Signer) set is the group of DS records that a parent zone publishes for a delegated child zone. Each DS record holds a digest of one of the child's DNSKEY records (normally its key-signing key), which lets validators extend the chain of trust from this zone into the subdomain. Adding a DS set here publishes the child's keys alongside the delegation; it does not sign this zone's own records.
Note: Before adding a DS set, ensure the NS record that delegates the same name already exists and the key content is valid. If either condition is not met, the zone will fail to reload and will stop responding to queries.
To configure a DS set, click Add DSSet and enter the following:

Name
Key name.

Key
Paste the content of the dsset file. A dsset file contains one DS record per line, similar to the following (a digest may be broken across whitespace, as on the second line):

dns.example.com. IN DS 21961 5 1 6E6C2D5EBF440DB2C71A8191FF2772F58A434175
dns.example.com. IN DS 21961 5 2 1B000131FCC68FF34441A710ACACDFD67350CF962260F47309321F8D 0551DADF

The fields after DS are the key tag, the DNSKEY algorithm (5 is RSASHA1), the digest type (1 is SHA-1, 2 is SHA-256) and the digest. RFC 8624 lists SHA-1 DS digests as MUST NOT for new signing and RSASHA1 as NOT RECOMMENDED, so for a production delegation prefer a child key whose DS uses digest type 2 (SHA-256) and a current algorithm such as 13 (ECDSAP256SHA256).
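A pre-flight check for DS set content, added here as an example (not FortiAppSec Cloud code). It parses lines in the format shown above, rejoins a digest that is split across whitespace, checks that the owner name is absolute and below the zone, that an NS record delegates it (the condition the note above gives for the zone failing to reload), that the key tag, algorithm and digest length are consistent, and warns about the SHA-1 based choices in the sample. The NS owner set and the reuse of the page's two DS lines as input are constructed test data:

```python
"""Added example (not FortiAppSec Cloud code): validate dsset content before
pasting it into the Key field. The sample records and NS owner set are
constructed test data."""
import re

# Constructed sample: the two DS lines shown on the page, in the whitespace-
# split form dsset files use (the SHA-256 digest is broken across a space).
SAMPLE_DSSET = """\
dns.example.com. IN DS 21961 5 1 6E6C2D5EBF440DB2C71A8191FF2772F58A434175
dns.example.com. IN DS 21961 5 2 1B000131FCC68FF34441A710ACACDFD67350CF962260F47309321F8D 0551DADF
"""

# Digest types this check recognizes and their hex length (RFC 4034/4509/6605).
DIGEST_HEX_LEN = {1: 40, 2: 64, 4: 96}
# DNSKEY algorithm numbers RFC 8624 allows validators to accept.
ACCEPTED_ALGS = {5, 7, 8, 10, 12, 13, 14, 15, 16}
# SHA-1 based choices RFC 8624 steers new signing away from.
LEGACY_ALGS = {5, 7}
LEGACY_DIGESTS = {1}


def parse_ds(line: str) -> dict:
    """Parse one 'owner IN DS keytag alg digest-type digest...' line.
    The digest may be split into several whitespace-separated chunks."""
    fields = line.split()
    if len(fields) < 7 or [f.upper() for f in fields[1:3]] != ["IN", "DS"]:
        raise ValueError(f"not a DS record: {line!r}")
    key_tag, algorithm, digest_type = (int(f) for f in fields[3:6])
    return {
        "owner": fields[0],
        "key_tag": key_tag,
        "algorithm": algorithm,
        "digest_type": digest_type,
        "digest": "".join(fields[6:]).upper(),
    }


def check_ds(ds: dict, zone: str, ns_owners: set) -> tuple:
    """Return (problems, warnings). Any problem means the DS must not be added
    (the page warns the zone would fail to reload); warnings flag weak but
    accepted choices. zone and ns_owners are absolute, lower-case names."""
    problems, warnings = [], []
    owner = ds["owner"]
    if not owner.endswith("."):
        problems.append("owner name must be absolute (trailing dot)")
    elif not owner.lower().endswith("." + zone.lower()):
        problems.append(f"owner {owner} is not below zone {zone}")
    if owner.lower() not in ns_owners:
        problems.append(f"no NS record delegates {owner}")
    if not 0 <= ds["key_tag"] <= 65535:
        problems.append("key tag out of range")
    if ds["algorithm"] not in ACCEPTED_ALGS:
        problems.append(f"unknown algorithm {ds['algorithm']}")
    elif ds["algorithm"] in LEGACY_ALGS:
        warnings.append(f"algorithm {ds['algorithm']} is SHA-1 based")
    expected = DIGEST_HEX_LEN.get(ds["digest_type"])
    if expected is None:
        problems.append(f"unknown digest type {ds['digest_type']}")
    else:
        if not re.fullmatch(r"[0-9A-F]{%d}" % expected, ds["digest"]):
            problems.append(f"digest must be {expected} hex digits for type {ds['digest_type']}")
        if ds["digest_type"] in LEGACY_DIGESTS:
            warnings.append("digest type 1 (SHA-1) should be replaced by type 2 (SHA-256)")
    return problems, warnings


def check_dsset(text: str, zone: str, ns_owners: set) -> list:
    """Check every DS line in a dsset file. ns_owners holds the owner names
    (absolute) that have NS records in the zone. Returns a list of
    (record, problems, warnings) tuples, one per DS line."""
    ns_owners = {n.lower() for n in ns_owners}
    results = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue
        ds = parse_ds(line)
        problems, warnings = check_ds(ds, zone, ns_owners)
        results.append((ds, problems, warnings))
    return results


if __name__ == "__main__":
    # Constructed: the zone already has an NS record for dns.example.com.
    for ds, problems, warnings in check_dsset(SAMPLE_DSSET, "example.com.", {"dns.example.com."}):
        status = "REJECT" if problems else "ok"
        print(f"{ds['owner']} tag={ds['key_tag']} alg={ds['algorithm']} "
              f"type={ds['digest_type']}: {status} {problems + warnings}")
```

With the delegating NS record present, both sample lines pass the hard checks but carry SHA-1 warnings; with an empty NS owner set, each line is reported as undelegated, which is the case the note above says would stop the zone from reloading.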