Fortinet white logo
Fortinet white logo

CLI Reference

config system dns

config system dns

Configure DNS.

config system dns

Description: Configure DNS.

set primary {ipv4-address}

set secondary {ipv4-address}

set protocol {option1}, {option2}, ...

set ssl-certificate {string}

set server-hostname <hostname1>, <hostname2>, ...

set domain <domain1>, <domain2>, ...

set ip6-primary {ipv6-address}

set ip6-secondary {ipv6-address}

set timeout {integer}

set retry {integer}

set dns-cache-limit {integer}

set dns-cache-ttl {integer}

set cache-notfound-responses [disable|enable]

set source-ip {ipv4-address}

set interface-select-method [auto|sdwan|...]

set interface {string}

set server-select-method [least-rtt|failover]

set alt-primary {ipv4-address}

set alt-secondary {ipv4-address}

set log [disable|error|...]

set fqdn-cache-ttl {integer}

set fqdn-min-refresh {integer}

end

config system dns

Parameter

Description

Type

Size

Default

primary

Primary DNS server IP address.

ipv4-address

Not Specified

0.0.0.0

secondary

Secondary DNS server IP address.

ipv4-address

Not Specified

0.0.0.0

protocol

DNS transport protocols.

option

-

cleartext

Option

Description

cleartext

DNS over UDP/53, DNS over TCP/53.

dot

DNS over TLS/853.

doh

DNS over HTTPS/443.

ssl-certificate

Name of local certificate for SSL connections.

string

Not Specified

Fortinet_Factory

server-hostname <hostname>

DNS server host name list.

DNS server host name list separated by space (maximum 4 domains).

string

Maximum length: 127

domain <domain>

Search suffix list for hostname lookup.

DNS search domain list separated by space (maximum 8 domains).

string

Maximum length: 127

ip6-primary

Primary DNS server IPv6 address.

ipv6-address

Not Specified

::

ip6-secondary

Secondary DNS server IPv6 address.

ipv6-address

Not Specified

::

timeout

DNS query timeout interval in seconds .

integer

Minimum value: 1 Maximum value: 10

5

retry

Number of times to retry .

integer

Minimum value: 0 Maximum value: 5

2

dns-cache-limit

Maximum number of records in the DNS cache.

integer

Minimum value: 0 Maximum value: 4294967295

5000

dns-cache-ttl

Duration in seconds that the DNS cache retains information.

integer

Minimum value: 60 Maximum value: 86400

1800

cache-notfound-responses

Enable/disable response from the DNS server when a record is not in cache.

option

-

disable

Option

Description

disable

Disable cache NOTFOUND responses from DNS server.

enable

Enable cache NOTFOUND responses from DNS server.

source-ip

IP address used by the DNS server as its source IP.

ipv4-address

Not Specified

0.0.0.0

interface-select-method

Specify how to select outgoing interface to reach server.

option

-

auto

Option

Description

auto

Set outgoing interface automatically.

sdwan

Set outgoing interface by SD-WAN or policy routing rules.

specify

Set outgoing interface manually.

interface

Specify outgoing interface to reach server.

string

Not Specified

server-select-method

Specify how configured servers are prioritized.

option

-

least-rtt

Option

Description

least-rtt

Select servers based on least round trip time.

failover

Select servers based on the order they are configured.

alt-primary

Alternate primary DNS server. This is not used as a failover DNS server.

ipv4-address

Not Specified

0.0.0.0

alt-secondary

Alternate secondary DNS server. This is not used as a failover DNS server.

ipv4-address

Not Specified

0.0.0.0

log

Local DNS log setting.

option

-

disable

Option

Description

disable

Disable.

error

Enable local DNS error log.

all

Enable local DNS log.

fqdn-cache-ttl

FQDN cache time to live in seconds .

integer

Minimum value: 0 Maximum value: 86400

0

fqdn-min-refresh

FQDN cache minimum refresh time in seconds .

integer

Minimum value: 10 Maximum value: 3600

60

config system dns

config system dns

Configure DNS.

config system dns

Description: Configure DNS.

set primary {ipv4-address}

set secondary {ipv4-address}

set protocol {option1}, {option2}, ...

set ssl-certificate {string}

set server-hostname <hostname1>, <hostname2>, ...

set domain <domain1>, <domain2>, ...

set ip6-primary {ipv6-address}

set ip6-secondary {ipv6-address}

set timeout {integer}

set retry {integer}

set dns-cache-limit {integer}

set dns-cache-ttl {integer}

set cache-notfound-responses [disable|enable]

set source-ip {ipv4-address}

set interface-select-method [auto|sdwan|...]

set interface {string}

set server-select-method [least-rtt|failover]

set alt-primary {ipv4-address}

set alt-secondary {ipv4-address}

set log [disable|error|...]

set fqdn-cache-ttl {integer}

set fqdn-min-refresh {integer}

end

config system dns

Parameter

Description

Type

Size

Default

primary

Primary DNS server IP address.

ipv4-address

Not Specified

0.0.0.0

secondary

Secondary DNS server IP address.

ipv4-address

Not Specified

0.0.0.0

protocol

DNS transport protocols.

option

-

cleartext

Option

Description

cleartext

DNS over UDP/53, DNS over TCP/53.

dot

DNS over TLS/853.

doh

DNS over HTTPS/443.

ssl-certificate

Name of local certificate for SSL connections.

string

Not Specified

Fortinet_Factory

server-hostname <hostname>

DNS server host name list.

DNS server host name list separated by space (maximum 4 domains).

string

Maximum length: 127

domain <domain>

Search suffix list for hostname lookup.

DNS search domain list separated by space (maximum 8 domains).

string

Maximum length: 127

ip6-primary

Primary DNS server IPv6 address.

ipv6-address

Not Specified

::

ip6-secondary

Secondary DNS server IPv6 address.

ipv6-address

Not Specified

::

timeout

DNS query timeout interval in seconds .

integer

Minimum value: 1 Maximum value: 10

5

retry

Number of times to retry .

integer

Minimum value: 0 Maximum value: 5

2

dns-cache-limit

Maximum number of records in the DNS cache.

integer

Minimum value: 0 Maximum value: 4294967295

5000

dns-cache-ttl

Duration in seconds that the DNS cache retains information.

integer

Minimum value: 60 Maximum value: 86400

1800

cache-notfound-responses

Enable/disable response from the DNS server when a record is not in cache.

option

-

disable

Option

Description

disable

Disable cache NOTFOUND responses from DNS server.

enable

Enable cache NOTFOUND responses from DNS server.

source-ip

IP address used by the DNS server as its source IP.

ipv4-address

Not Specified

0.0.0.0

interface-select-method

Specify how to select outgoing interface to reach server.

option

-

auto

Option

Description

auto

Set outgoing interface automatically.

sdwan

Set outgoing interface by SD-WAN or policy routing rules.

specify

Set outgoing interface manually.

interface

Specify outgoing interface to reach server.

string

Not Specified

server-select-method

Specify how configured servers are prioritized.

option

-

least-rtt

Option

Description

least-rtt

Select servers based on least round trip time.

failover

Select servers based on the order they are configured.

alt-primary

Alternate primary DNS server. This is not used as a failover DNS server.

ipv4-address

Not Specified

0.0.0.0

alt-secondary

Alternate secondary DNS server. This is not used as a failover DNS server.

ipv4-address

Not Specified

0.0.0.0

log

Local DNS log setting.

option

-

disable

Option

Description

disable

Disable.

error

Enable local DNS error log.

all

Enable local DNS log.

fqdn-cache-ttl

FQDN cache time to live in seconds .

integer

Minimum value: 0 Maximum value: 86400

0

fqdn-min-refresh

FQDN cache minimum refresh time in seconds .

integer

Minimum value: 10 Maximum value: 3600

60