Fortinet black logo

Handbook

DNS

6.0.0
Copy Link
Copy Doc ID 4afb0436-a998-11e9-81a4-00505692583a:646332
Download PDF

DNS

A Domain Name System (DNS) server is a public service that converts symbolic node names to IP addresses. A DNS server implements the protocol. In simple terms, it acts as a phone book for the Internet. A DNS server matches domain names with their computer IP addresses. This allows you to use readable locations, such as fortinet.com, when you browse the Internet. FortiOS supports DNS configuration for both IPv4 and IPv6 addressing.

FortiGate includes default DNS server addresses. However, you should change these addresses to ones that your Internet Service Provider (ISP) provides. The defaults are DNS proxies and are not as reliable as those from your ISP.

Within FortiOS, there are two DNS configuration options. Each option provides a specific service and both options can work together to provide a complete DNS solution.

DNS settings

You configure basic DNS queries on interfaces that connect to the Internet. When a user requests a website, FortiGate looks to the configured DNS servers to provide the IP address of the website in order to know which server to contact to complete the transaction.

You configure DNS server addresses by selecting Network > DNS, and then specifying the DNS server addresses. These addresses are typically supplied by your ISP. If you have local Microsoft domains on the network, you can enter a domain name in the Local Domain Name field.

In a situation where all three fields are configured, FortiGate first looks to the local domain. If no match is found, FortiGate sends a request to the external DNS servers.

If virtual domains (VDOM) are enabled, you create a DNS database in each VDOM. All of the interfaces in a VDOM share the DNS database in that VDOM.

Additional DNS CLI configuration

Additional DNS configuration options are available in the CLI, using the config system dns command. Within this command, you can also set the following commands:

Command

Description

dns-cache-limit

Set how many DNS entries are stored in the cache. Entries that remain in the cache provide a quicker response to requests than going out to the Internet to get the same information.

dns-cache-ttl

Set how long entries remain in the cache, in seconds. Possible values are 60 to 86400 (default is 24 hours).

cache-notfound-responses

When you enable this, any DNS requests that are returned with NOT FOUND can be stored in the cache.

source-ip

Define a dedicated IP address for communications with the DNS server.

DDNS

If your ISP changes your external IP address on a regular basis, and you have a static domain name, you can configure the external interface to use a dynamic DNS (DDNS) service. This ensures that external users and customers can always connect to your company firewall. If you have a FortiGuard subscription, you can use FortiGuard as the DDNS server.

You can configure FortiGuard as the DDNS server, in the FortiGate GUI or CLI.

To configure FortiGuard as the DDNS server in the FortiGate GUI, select Network > DNS and enable FortiGuard DDNS. Then select the interface with the dynamic connection, which DDNS server you have an account with, your domain name, and account information. If your DDNS server isn't on the list, there is a generic option where you can provide your DDNS server information.

To configure FortiGuard as the DDNS server - CLI:

config system fortiguard

set ddns-server-ip

set ddns-server-port

end

If you don't have a FortiGuard subscription or want to use a different DDNS server, you can configure DDNS in the CLI. You can configure a DDNS for each interface. Only the first configured port appears in the FortiGate GUI. Additional commands vary depending on the DDNS server you select. Use the following CLI commands:

config system ddns

edit <DDNS_ID>

set monitor-interface <external_interface>

set ddns-server <ddns_server_selection>

next

end

Configuring FortiGate to refresh DDNS IP addresses

You can configure FortiGate to refresh DDNS IP addresses. FortiGate periodically checks the DDNS server that is configured.

To configure FortiGate to refresh DDNS IP addresses - CLI:

config system ddns

edit <1>

set ddns-server FortiGuardDDNS

set use-public-ip enable

set update-interval seconds

next

end

The possible values for update-interval are 60 to 2592000 seconds, and the default is 300 seconds.

TLS support for DDNS updates

When cleartext is disabled, FortiGate uses the SSL connection to send and receive Dynamic DNS services (DDNS) updates.

To disable cleartext - CLI:

config system ddns

set clear-text disable

end

You can also set the ssl-certificate name in the same location, using the following command:

set ssl-certificate <cert_name>

DDNS update override for DHCP

DHCP server has an override command option that allows DHCP server communications to go through DDNS to perform updates for the DHCP client. This enforces a DDS update of the AA field every time, even if the DHCP client does not request it. This allows the support of the allow/ignore/deny client-updates options.

To enable DDNS update override - CLI:

config system dhcp server

edit <0>

set ddns-update_override enable

next

end

FortiDDNS registration to a public IP address

Fortinet's Dynamic DNS services (FortiDDNS) can be registered to a public IP address even if the FortiGate model doesn't have any physical interfaces on the Internet. This applies to when the FortiGate is behind other networking devices that are employing NAT. You can configure this in the GUI and the CLI.

DNS servers

You can also create local DNS servers for your network. Depending on your requirements, you can manually maintain your entries (primary DNS server) or use it as a jumping point, where the server refers to an outside source (secondary DNS server). A local primary DNS server works similarly to the DNS server addresses configured in Network > DNS, but you must manually add all entries. This allows you to add a local DNS server to include specific URL and IP address combinations.

The DNS server options are not visible in the FortiGate GUI, by default. To enable the server, select System > Feature Visibility, select DNS Database, and select Apply.

While a primary DNS server is an easy method to include regularly used addresses to save on going to an outside DNS server, it isn't recommended to make it the authoritative DNS server. IP addresses may change and maintaining any type of list can become labor-intensive.

It's best to use a FortiGate primary DNS server for local services. For example, a company has a web server in their DMZ that internal users (employees) and external users (customers or remote employees) access. When internal users access a website, a request for the website is sent out to the DNS server on the Internet, which then returns an IP address or virtual IP address. After the company configures an internal DNS server, the same website request is resolved internally to the internal web server IP address. This minimizes inbound and outbound traffic, and access time.

As a secondary DNS server, a FortiGate refers to an external or alternate source as a way to obtain the URL and IP address combination. This is useful if there is a primary DNS server for a large company, where a list is maintained. Satellite offices can then connect to the primary DNS server to obtain the correct addressing.

The DNS server entries don't allow CNAME entries, as per RFC 1912, section 2.4.

Configure a primary DNS server - GUI:
  1. Select Network > DNS Servers, and select Create New for DNS Database.
  2. Select the Type of Master.
  3. Select the View as Shadow.
  4. The view is the accessibility of the DNS server. Selecting Public, external users can access, or use, the DNS server. Selecting Shadow, only internal users can use it.
  5. Enter the DNS Zone, for example, WebServer.
  6. Enter the Domain Name for the zone, for example example.com.
  7. In the Hostname of Primary Master field, enter the hostname of the DNS server, for example, Corporate.
  8. In the Contact Email Address field, enter the contact address for the administrator, for example, admin@example.com.
  9. Disable the Authoritative option.
  10. Select OK.
  11. Enter the DNS entries for the server by selecting Create New.
  12. Select the Type, for example, Address (A).
  13. Enter the Hostname, for example web.example.com.
  14. Enter the remaining information, which varies depending on the Type selected.
  15. Select OK.
Configure a primary DNS server - CLI:

config system dns-database

edit WebServer

set domain example.com

set type master

set view shadow

set ttl 86400

set primary-name corporate

set contact admin@exmple.com

set authoritative disable

config dns-entry

edit 1

set hostname web.example.com

set type A

set ip 192.168.21.12

set status enable

next

next

next

next

end

Configuring a recursive DNS

You can set an option to ensure this type of DNS server isn't the authoritative server. When configured, a FortiGate checks its internal DNS server (primary or secondary). If the request can't be fulfilled, it will look to the external DNS servers. This is known as a split DNS configuration.

You can also have a FortiGate look to an internal server if the primary or secondary doesn't fulfill the request, using the following CLI commands:

config system dns-database

edit example.com

...

set view shadow

next

end

For this behavior to work completely, you must set the DNS query for the external interface to be recursive.

To configure a recursive DNS - GUI:
  1. Go to Network > DNS Servers, and select Create New for DNS Service on Interface.
  2. Select the Interface.
  3. Select the Mode to Recursive.
  4. Select OK.
To configure a recursive DNS - CLI:

config system dns-server

edit wan1

set mode recursive

next

end

Configuring IPv6 Router Advertisement options for DNS configuration

FortiGate supports the following RFC 6106 IPv6 Router Advertisement options:

  • Obtaining DNS search list options from upstream DHCPv6 servers
  • Sending the DNS search list through Router Advertisement
  • Sending the DNS search list through the FortiGate DHCP server
  • Sending DNS search list option to downstream clients with Router Advertisements that use a static prefix (FortiOS version 5.6.1 and later)
  • Sending recursive DNS server option to downstream clients with Router Advertisements that use a static prefix (FortiOS version 5.6.1 and later)
To obtain the DNS search list options from upstream DHCPv6 servers - CLI:

config system interface

edit wan1

config ipv6

set dhcp6-prefix-delegation enable

next

next

end

To send DNS search lists through Router Advertisement - CLI:

config system interface

edit port 1

config IPv6

set ip6-address 2001:10::/64

set ip6-mode static

set ip6-send-adv enable

config ip6-delegated-prefix-list

edit 1

set upstream-interface WAN

set subnet 0:0:0:11::/64

set autonomous-flag enable

set onlink-flag enable

next

next

next

end

To send the DNS search lists through the FortiGate DHCP server - CLI:

You can use the dns-search-list delegated command to send DNS search list option to downstream clients with Router Advertisements that use a static prefix.

config system dhcp6 server

edit 1

set interface port2

set upstream-interface WAN

set ip-mode delegated

set dns-service delegated

set dns-search-list delegated

set subnet 0:0:0:12::/64

next

end

To send DNS search list option to downstream clients with Router Advertisements that use a static prefix - CLI:

You can use the set dnssl <DNS search list option> command to send DNS search list option to downstream clients with Router Advertisements that use a static prefix.

config system interface

edit port1

config ipv6

config ip6-prefix-list

edit <2001:db8::/64>

set autonomous-flag enable

set onlink-flag enable

set rdnss 2001:1470:8000::66 2001:1470:8000::72

set dnssl <DNS search list option>

next

next

next

next

end

To send recursive DNS server option to downstream clients with Router Advertisements that use a static prefix - CLI:

You can use the set rdnss <recursive DNS search option> command to send Recursive DNS server option to downstream clients with Router Advertisements that use a static prefix.

config system interface

edit port1

config ipv6

config ip6-prefix-list

edit <2001:db8::/64>

set autonomous-flag enable

set onlink-flag enable

set rdnss 2001:1470:8000::66 2001:1470:8000::72

set dnssl <DNS search list option>

next

next

next

next

end

Internet services

The Internet Service Database (ISDB) is a database that contains a list of IP addresses, IP protocols, and port numbers that are used by the most common Internet services.

The IP Reputation Database (IRDB) is a database that’s populated by the FortiGuard IP Reputation Service which aggregates malicious source IP data from the Fortinet distributed network of threat sensors and other global sources that collaborate to provide up-to-date threat intelligence about hostile sources. You can select categories, such as Proxy IP, Spam, and TOR Exit Node, to see specific information about each category.

A FortiGate regularly updates new versions of both the ISDB and IRDB from FortiGuard.

To view the ISDB - GUI:
  1. Go to Policy & Objects > Internet Service Database.
  2. In the Name column, expand Internet Service Database.
To view the IRDB - GUI:
  1. Go to Policy & Objects > Internet Service Database.
  2. In the Name column, expand IP Reputation Database.

You can use Internet services as a source in firewall policies. You can also use Internet services as a source and destination in traffic shaping policies.

DNS

A Domain Name System (DNS) server is a public service that converts symbolic node names to IP addresses. A DNS server implements the protocol. In simple terms, it acts as a phone book for the Internet. A DNS server matches domain names with their computer IP addresses. This allows you to use readable locations, such as fortinet.com, when you browse the Internet. FortiOS supports DNS configuration for both IPv4 and IPv6 addressing.

FortiGate includes default DNS server addresses. However, you should change these addresses to ones that your Internet Service Provider (ISP) provides. The defaults are DNS proxies and are not as reliable as those from your ISP.

Within FortiOS, there are two DNS configuration options. Each option provides a specific service and both options can work together to provide a complete DNS solution.

DNS settings

You configure basic DNS queries on interfaces that connect to the Internet. When a user requests a website, FortiGate looks to the configured DNS servers to provide the IP address of the website in order to know which server to contact to complete the transaction.

You configure DNS server addresses by selecting Network > DNS, and then specifying the DNS server addresses. These addresses are typically supplied by your ISP. If you have local Microsoft domains on the network, you can enter a domain name in the Local Domain Name field.

In a situation where all three fields are configured, FortiGate first looks to the local domain. If no match is found, FortiGate sends a request to the external DNS servers.

If virtual domains (VDOM) are enabled, you create a DNS database in each VDOM. All of the interfaces in a VDOM share the DNS database in that VDOM.

Additional DNS CLI configuration

Additional DNS configuration options are available in the CLI, using the config system dns command. Within this command, you can also set the following commands:

Command

Description

dns-cache-limit

Set how many DNS entries are stored in the cache. Entries that remain in the cache provide a quicker response to requests than going out to the Internet to get the same information.

dns-cache-ttl

Set how long entries remain in the cache, in seconds. Possible values are 60 to 86400 (default is 24 hours).

cache-notfound-responses

When you enable this, any DNS requests that are returned with NOT FOUND can be stored in the cache.

source-ip

Define a dedicated IP address for communications with the DNS server.

DDNS

If your ISP changes your external IP address on a regular basis, and you have a static domain name, you can configure the external interface to use a dynamic DNS (DDNS) service. This ensures that external users and customers can always connect to your company firewall. If you have a FortiGuard subscription, you can use FortiGuard as the DDNS server.

You can configure FortiGuard as the DDNS server, in the FortiGate GUI or CLI.

To configure FortiGuard as the DDNS server in the FortiGate GUI, select Network > DNS and enable FortiGuard DDNS. Then select the interface with the dynamic connection, which DDNS server you have an account with, your domain name, and account information. If your DDNS server isn't on the list, there is a generic option where you can provide your DDNS server information.

To configure FortiGuard as the DDNS server - CLI:

config system fortiguard

set ddns-server-ip

set ddns-server-port

end

If you don't have a FortiGuard subscription or want to use a different DDNS server, you can configure DDNS in the CLI. You can configure a DDNS for each interface. Only the first configured port appears in the FortiGate GUI. Additional commands vary depending on the DDNS server you select. Use the following CLI commands:

config system ddns

edit <DDNS_ID>

set monitor-interface <external_interface>

set ddns-server <ddns_server_selection>

next

end

Configuring FortiGate to refresh DDNS IP addresses

You can configure FortiGate to refresh DDNS IP addresses. FortiGate periodically checks the DDNS server that is configured.

To configure FortiGate to refresh DDNS IP addresses - CLI:

config system ddns

edit <1>

set ddns-server FortiGuardDDNS

set use-public-ip enable

set update-interval seconds

next

end

The possible values for update-interval are 60 to 2592000 seconds, and the default is 300 seconds.

TLS support for DDNS updates

When cleartext is disabled, FortiGate uses the SSL connection to send and receive Dynamic DNS services (DDNS) updates.

To disable cleartext - CLI:

config system ddns

set clear-text disable

end

You can also set the ssl-certificate name in the same location, using the following command:

set ssl-certificate <cert_name>

DDNS update override for DHCP

DHCP server has an override command option that allows DHCP server communications to go through DDNS to perform updates for the DHCP client. This enforces a DDS update of the AA field every time, even if the DHCP client does not request it. This allows the support of the allow/ignore/deny client-updates options.

To enable DDNS update override - CLI:

config system dhcp server

edit <0>

set ddns-update_override enable

next

end

FortiDDNS registration to a public IP address

Fortinet's Dynamic DNS services (FortiDDNS) can be registered to a public IP address even if the FortiGate model doesn't have any physical interfaces on the Internet. This applies to when the FortiGate is behind other networking devices that are employing NAT. You can configure this in the GUI and the CLI.

DNS servers

You can also create local DNS servers for your network. Depending on your requirements, you can manually maintain your entries (primary DNS server) or use it as a jumping point, where the server refers to an outside source (secondary DNS server). A local primary DNS server works similarly to the DNS server addresses configured in Network > DNS, but you must manually add all entries. This allows you to add a local DNS server to include specific URL and IP address combinations.

The DNS server options are not visible in the FortiGate GUI, by default. To enable the server, select System > Feature Visibility, select DNS Database, and select Apply.

While a primary DNS server is an easy method to include regularly used addresses to save on going to an outside DNS server, it isn't recommended to make it the authoritative DNS server. IP addresses may change and maintaining any type of list can become labor-intensive.

It's best to use a FortiGate primary DNS server for local services. For example, a company has a web server in their DMZ that internal users (employees) and external users (customers or remote employees) access. When internal users access a website, a request for the website is sent out to the DNS server on the Internet, which then returns an IP address or virtual IP address. After the company configures an internal DNS server, the same website request is resolved internally to the internal web server IP address. This minimizes inbound and outbound traffic, and access time.

As a secondary DNS server, a FortiGate refers to an external or alternate source as a way to obtain the URL and IP address combination. This is useful if there is a primary DNS server for a large company, where a list is maintained. Satellite offices can then connect to the primary DNS server to obtain the correct addressing.

The DNS server entries don't allow CNAME entries, as per RFC 1912, section 2.4.

Configure a primary DNS server - GUI:
  1. Select Network > DNS Servers, and select Create New for DNS Database.
  2. Select the Type of Master.
  3. Select the View as Shadow.
  4. The view is the accessibility of the DNS server. Selecting Public, external users can access, or use, the DNS server. Selecting Shadow, only internal users can use it.
  5. Enter the DNS Zone, for example, WebServer.
  6. Enter the Domain Name for the zone, for example example.com.
  7. In the Hostname of Primary Master field, enter the hostname of the DNS server, for example, Corporate.
  8. In the Contact Email Address field, enter the contact address for the administrator, for example, admin@example.com.
  9. Disable the Authoritative option.
  10. Select OK.
  11. Enter the DNS entries for the server by selecting Create New.
  12. Select the Type, for example, Address (A).
  13. Enter the Hostname, for example web.example.com.
  14. Enter the remaining information, which varies depending on the Type selected.
  15. Select OK.
Configure a primary DNS server - CLI:

config system dns-database

edit WebServer

set domain example.com

set type master

set view shadow

set ttl 86400

set primary-name corporate

set contact admin@exmple.com

set authoritative disable

config dns-entry

edit 1

set hostname web.example.com

set type A

set ip 192.168.21.12

set status enable

next

next

next

next

end

Configuring a recursive DNS

You can set an option to ensure this type of DNS server isn't the authoritative server. When configured, a FortiGate checks its internal DNS server (primary or secondary). If the request can't be fulfilled, it will look to the external DNS servers. This is known as a split DNS configuration.

You can also have a FortiGate look to an internal server if the primary or secondary doesn't fulfill the request, using the following CLI commands:

config system dns-database

edit example.com

...

set view shadow

next

end

For this behavior to work completely, you must set the DNS query for the external interface to be recursive.

To configure a recursive DNS - GUI:
  1. Go to Network > DNS Servers, and select Create New for DNS Service on Interface.
  2. Select the Interface.
  3. Select the Mode to Recursive.
  4. Select OK.
To configure a recursive DNS - CLI:

config system dns-server

edit wan1

set mode recursive

next

end

Configuring IPv6 Router Advertisement options for DNS configuration

FortiGate supports the following RFC 6106 IPv6 Router Advertisement options:

  • Obtaining DNS search list options from upstream DHCPv6 servers
  • Sending the DNS search list through Router Advertisement
  • Sending the DNS search list through the FortiGate DHCP server
  • Sending DNS search list option to downstream clients with Router Advertisements that use a static prefix (FortiOS version 5.6.1 and later)
  • Sending recursive DNS server option to downstream clients with Router Advertisements that use a static prefix (FortiOS version 5.6.1 and later)
To obtain the DNS search list options from upstream DHCPv6 servers - CLI:

config system interface

edit wan1

config ipv6

set dhcp6-prefix-delegation enable

next

next

end

To send DNS search lists through Router Advertisement - CLI:

config system interface

edit port 1

config IPv6

set ip6-address 2001:10::/64

set ip6-mode static

set ip6-send-adv enable

config ip6-delegated-prefix-list

edit 1

set upstream-interface WAN

set subnet 0:0:0:11::/64

set autonomous-flag enable

set onlink-flag enable

next

next

next

end

To send the DNS search lists through the FortiGate DHCP server - CLI:

You can use the dns-search-list delegated command to send DNS search list option to downstream clients with Router Advertisements that use a static prefix.

config system dhcp6 server

edit 1

set interface port2

set upstream-interface WAN

set ip-mode delegated

set dns-service delegated

set dns-search-list delegated

set subnet 0:0:0:12::/64

next

end

To send DNS search list option to downstream clients with Router Advertisements that use a static prefix - CLI:

You can use the set dnssl <DNS search list option> command to send DNS search list option to downstream clients with Router Advertisements that use a static prefix.

config system interface

edit port1

config ipv6

config ip6-prefix-list

edit <2001:db8::/64>

set autonomous-flag enable

set onlink-flag enable

set rdnss 2001:1470:8000::66 2001:1470:8000::72

set dnssl <DNS search list option>

next

next

next

next

end

To send recursive DNS server option to downstream clients with Router Advertisements that use a static prefix - CLI:

You can use the set rdnss <recursive DNS search option> command to send Recursive DNS server option to downstream clients with Router Advertisements that use a static prefix.

config system interface

edit port1

config ipv6

config ip6-prefix-list

edit <2001:db8::/64>

set autonomous-flag enable

set onlink-flag enable

set rdnss 2001:1470:8000::66 2001:1470:8000::72

set dnssl <DNS search list option>

next

next

next

next

end

Internet services

The Internet Service Database (ISDB) is a database that contains a list of IP addresses, IP protocols, and port numbers that are used by the most common Internet services.

The IP Reputation Database (IRDB) is a database that’s populated by the FortiGuard IP Reputation Service which aggregates malicious source IP data from the Fortinet distributed network of threat sensors and other global sources that collaborate to provide up-to-date threat intelligence about hostile sources. You can select categories, such as Proxy IP, Spam, and TOR Exit Node, to see specific information about each category.

A FortiGate regularly updates new versions of both the ISDB and IRDB from FortiGuard.

To view the ISDB - GUI:
  1. Go to Policy & Objects > Internet Service Database.
  2. In the Name column, expand Internet Service Database.
To view the IRDB - GUI:
  1. Go to Policy & Objects > Internet Service Database.
  2. In the Name column, expand IP Reputation Database.

You can use Internet services as a source in firewall policies. You can also use Internet services as a source and destination in traffic shaping policies.