Administration Guide

DNS Settings

The DNS Server setting in FortiSASE under Configuration > DNS is used by remote users to resolve hostnames for both internal and external domains.

  • Implicit DNS rules have been predefined for VPN users and for SWG and Thin-Edge users. These are used for resolving hostnames for external domains.

  • Split DNS rules can be created by clicking on the Create button. These are used for resolving hostnames for internal domains. See Split DNS Rules.

Note

FortiSASE can connect to DNS, RADIUS, or LDAP servers that have internal IP addresses or FQDNs only when all of the following are true: Access Type is set to Private in the RADIUS or LDAP server settings, the internal servers are located behind a secure private access (SPA) hub, and the SPA hub in FortiSASE has been configured with BGP per overlay.

Implicit and split DNS rules for VPN traffic configured with internal IP addresses work with SPA hubs configured with any BGP routing design.

When the FortiSASE Endpoint Management Service uses LDAP servers with Groups & AD Users for endpoint profile assignments, these servers must use public IP addresses or publicly accessible FQDNs with Access Type set to Public in the LDAP server settings and may require some configuration or topology changes.

See Network restrictions removed.

By default, FortiSASE deployments use FortiGuard DNS as the default DNS server for implicit DNS rules. You can select any implicit DNS rule and click Edit to change the default DNS server.

Note

FortiGuard DNS servers do not support DNS over TCP. If you require DNS over TCP, edit implicit DNS rules from the default FortiGuard DNS server to other DNS servers that support DNS over TCP.
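Before pointing an implicit DNS rule at a different server because a workload needs DNS over TCP, it is worth confirming that the candidate server actually answers over both transports. The following check is an added example, not part of the Fortinet documentation or of any FortiSASE component: it builds a minimal A query with only the Python standard library, sends it once over UDP and once over TCP (where RFC 1035 requires a two-byte length prefix in front of the message), and reports which transport returned an answer. The server address defaults to the FortiGuard DNS address listed on this page; the query name `example.com` is a sample, and the script assumes the machine it runs on can reach the server on port 53.

```python
"""Check whether a DNS server answers the same A query over UDP and over TCP.

Added example for verifying a DNS server before using it in a FortiSASE
implicit DNS rule; not Fortinet code. Only the Python standard library is used.
"""
import secrets
import socket
import struct
import sys


def build_query(name: str, txid: int, qtype: int = 1) -> bytes:
    """Encode a standard recursive query (RD=1) for `name`, default QTYPE A, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def _skip_name(buf: bytes, offset: int) -> int:
    """Return the offset just past a possibly compressed name (RFC 1035 4.1.4)."""
    while True:
        length = buf[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:      # 2-byte compression pointer ends the name
            return offset + 2
        offset += 1 + length


def parse_a_records(response: bytes, expected_id: int) -> list[str]:
    """Return the IPv4 addresses in the answer section, validating ID and RCODE."""
    txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if txid != expected_id:
        raise ValueError("transaction ID mismatch (unexpected or spoofed reply)")
    rcode = flags & 0x000F
    if rcode != 0:
        raise ValueError(f"server returned RCODE {rcode}")
    off = 12
    for _ in range(qdcount):
        off = _skip_name(response, off) + 4          # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(response, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", response[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(response[off:off + 4]))
        off += rdlen
    return addrs


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed before the full DNS message arrived")
        buf += chunk
    return buf


def query_udp(server: str, name: str, timeout: float = 3.0) -> list[str]:
    txid = secrets.randbelow(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_a_records(data, txid)


def query_tcp(server: str, name: str, timeout: float = 3.0) -> list[str]:
    txid = secrets.randbelow(65536)
    msg = build_query(name, txid)
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(msg)) + msg)   # TCP framing: 2-byte length prefix
        (length,) = struct.unpack("!H", _recv_exact(s, 2))
        data = _recv_exact(s, length)
    return parse_a_records(data, txid)


def check_transports(server: str, name: str = "example.com") -> dict:
    """Try UDP and TCP; a transport the server does not support shows up as FAILED."""
    result = {}
    for transport, fn in (("udp", query_udp), ("tcp", query_tcp)):
        try:
            result[transport] = fn(server, name)
        except (OSError, ValueError) as exc:
            result[transport] = f"FAILED: {exc}"
    return result


if __name__ == "__main__":
    # Default is the FortiGuard DNS primary address from this page; pass another to compare.
    target = sys.argv[1] if len(sys.argv) > 1 else "96.45.45.45"
    for transport, outcome in check_transports(target).items():
        print(f"{transport.upper()}: {outcome}")
```

Run it against each server you are considering for the rule; a server that answers over UDP but reports FAILED for TCP is unsuitable for clients that need DNS over TCP, which is the situation the note above describes for FortiGuard DNS. The transaction-ID check in `parse_a_records` is deliberate: a reply whose ID does not match the query is discarded rather than trusted.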

You can configure Default DNS Server with one of the following options, then click OK to save the change. Each entry lists the DNS Server option, its Description, and the Primary and Secondary DNS Server IP Address:

  • FortiGuard DNS
    Description: Use FortiGuard DNS
    Primary and Secondary DNS Server IP Address: 96.45.45.45, 96.45.45.46

  • Use endpoints' system DNS
    Description: Use the system DNS setting already configured on the agent-based endpoints
    Primary and Secondary DNS Server IP Address: IP addresses specific to endpoints

  • Other DNS
    Description: Use a public DNS server other than FortiGuard DNS
    Primary and Secondary DNS Server IP Address: IP addresses specific to the selected public DNS server

    With Other DNS selected, choose one of the following from the DNS Server dropdown:

    • CloudFlare
      Description: Use the CloudFlare public DNS server
      Primary and Secondary DNS Server IP Address: 1.1.1.1, 1.0.0.1

    • Custom
      Description: Enable to specify your own custom primary and secondary DNS servers.
      Primary and Secondary DNS Server IP Address: Specify the IP address of the primary and secondary DNS servers.

    • Google
      Description: Use the Google public DNS server
      Primary and Secondary DNS Server IP Address: 8.8.8.8, 8.8.4.4

    • Quad 9
      Description: Use the Quad 9 public DNS server
      Primary and Secondary DNS Server IP Address: 9.9.9.9, 149.112.112.112

For example, you can edit the VPN implicit DNS rule to use a custom DNS server as follows:

To configure a custom DNS server:
  1. Go to Configuration > DNS, select VPN Implicit DNS Rule, and click Edit.
  2. In the Edit Implicit DNS Rule page, for Default DNS Server, select Other DNS.
  3. From the DNS Server dropdown, select Custom.
  4. In the Primary DNS Server and Secondary DNS Server fields, enter the respective IP addresses for the servers of your choice.
  5. Click OK.

Using FortiGuard DNS or another public DNS service is sufficient for most secure internet access (SIA) use cases that simply require remote users to resolve hostnames for external domains.
