Work environment
- FortiGate 60E
- version 7.0.1
DNS client settings
Set with GUI
Click Network > DNS.
By default, the FortiGuard servers (208.91.112.53 and 208.91.112.52) are used as the DNS servers.
To specify DNS servers manually, select Specify in the DNS servers field, enter the IP address of your DNS server in the Primary DNS server field (and in the Secondary DNS server field if needed), then click Apply at the bottom of the screen.
Set with CLI
The CLI equivalent of the DNS client settings is config system dns.
The default config is as follows (it uses the FortiGuard servers). Note that set protocol cleartext means queries to the upstream resolvers leave the FortiGate unencrypted; the ssl-certificate setting only takes effect when the protocol is changed to DNS over TLS (dot) or DNS over HTTPS (doh).
FortiGate-60E # show full-configuration system dns
config system dns
set primary 208.91.112.53
set secondary 208.91.112.52
set protocol cleartext
set ssl-certificate "Fortinet_Factory"
set ip6-primary ::
set ip6-secondary ::
set timeout 5
set retry 2
set dns-cache-limit 5000
set dns-cache-ttl 1800
set cache-notfound-responses disable
set source-ip 0.0.0.0
set interface-select-method auto
set server-select-method least-rtt
set alt-primary 0.0.0.0
set alt-secondary 0.0.0.0
set log disable
end
For example, the command to set the primary DNS server to 8.8.8.8 and the secondary DNS server to 8.8.4.4 is:
config system dns
set primary 8.8.8.8
set secondary 8.8.4.4
end
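As an added example (not from the article or from Fortinet), the following script parses a show full-configuration system dns dump into a dictionary and audits it against an approved resolver list. The first dump is the default output reproduced from this page; the second is the 8.8.8.8 / 8.8.4.4 example above as a plain show would print it (defaults omitted). The approved resolver list, the audit rules, and the remediation hints are this example's own assumptions; check the protocol options against your FortiOS version.

```python
"""Audit a FortiGate `config system dns` block (added example, not FortiOS code)."""
import shlex

# Default output of `show full-configuration system dns` as shown in the article.
DEFAULT_DNS_DUMP = """\
config system dns
    set primary 208.91.112.53
    set secondary 208.91.112.52
    set protocol cleartext
    set ssl-certificate "Fortinet_Factory"
    set ip6-primary ::
    set ip6-secondary ::
    set timeout 5
    set retry 2
    set dns-cache-limit 5000
    set dns-cache-ttl 1800
    set cache-notfound-responses disable
    set source-ip 0.0.0.0
    set interface-select-method auto
    set server-select-method least-rtt
    set alt-primary 0.0.0.0
    set alt-secondary 0.0.0.0
    set log disable
end
"""

# The article's Google DNS example, as a non-full `show` would print it (defaults omitted).
GOOGLE_DNS_DUMP = """\
config system dns
    set primary 8.8.8.8
    set secondary 8.8.4.4
end
"""

# Assumed approved upstream resolvers for this example (the FortiGuard defaults).
APPROVED_RESOLVERS = {"208.91.112.53", "208.91.112.52"}


def parse_set_block(dump):
    """Parse the `set <key> <value...>` lines of one flat config block into a dict.

    Values are tokenised shell-style so quoted names such as "Fortinet_Factory"
    lose their quotes; settings with several values are kept as a list.
    Lines such as `config`, `end` and `unset` are skipped.
    """
    settings = {}
    for raw in dump.splitlines():
        tokens = shlex.split(raw.strip())
        if len(tokens) < 3 or tokens[0] != "set":
            continue
        key, values = tokens[1], tokens[2:]
        settings[key] = values[0] if len(values) == 1 else values
    return settings


def audit_dns(settings, approved_resolvers):
    """Return a list of findings; an empty list means the block passed.

    A missing `protocol` key is treated as the factory default (cleartext),
    because a non-full `show` omits settings that are still at their default.
    """
    findings = []
    for field in ("primary", "secondary"):
        addr = settings.get(field, "0.0.0.0")
        if addr != "0.0.0.0" and addr not in approved_resolvers:
            findings.append(f"{field} resolver {addr} is not in the approved list")
    if settings.get("protocol", "cleartext") == "cleartext":
        findings.append("upstream DNS is sent in cleartext (set protocol dot/doh to encrypt)")
    if settings.get("log") == "disable":
        findings.append("DNS query logging is disabled")
    return findings


if __name__ == "__main__":
    for label, dump in (("default", DEFAULT_DNS_DUMP), ("google", GOOGLE_DNS_DUMP)):
        for finding in audit_dns(parse_set_block(dump), APPROVED_RESOLVERS):
            print(f"[{label}] {finding}")
```

Paste the output of show full-configuration system dns from your own unit into DEFAULT_DNS_DUMP to audit it; the parser handles only the flat, single-level block shown here, not nested config sections.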
How to check the operation of domain name resolution
FortiGate does not have a name resolution command like the nslookup command available on Windows. Instead, check whether a domain name can be resolved by giving the domain name as the destination of the execute ping command.
As an example, ping google.com:
FortiGate-60E # execute ping google.com
PING google.com (142.251.42.142): 56 data bytes
64 bytes from 142.251.42.142: icmp_seq=0 ttl=114 time=44.4 ms
64 bytes from 142.251.42.142: icmp_seq=1 ttl=114 time=37.5 ms
64 bytes from 142.251.42.142: icmp_seq=2 ttl=114 time=47.0 ms
64 bytes from 142.251.42.142: icmp_seq=3 ttl=114 time=58.7 ms
64 bytes from 142.251.42.142: icmp_seq=4 ttl=114 time=48.7 ms
--- google.com ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 37.5/47.2/58.7 ms
If name resolution succeeds, the IP address corresponding to the domain name is shown in the first line of the output, as above. If it fails, the ping is not sent and the command reports that the host could not be resolved.
Make FortiGate act as a DNS server
Set with GUI
Open the System > Feature Visibility screen and enable DNS Database.
Click Network > DNS Servers. Click Create New in the DNS Service on Interface section.
Set each item on the screen:
- Interface: the interface that accepts DNS queries.
- Mode:
- Recursive: answers from the shadow DNS database and forwards everything else to the system DNS.
- Non-Recursive: answers from the public DNS database only.
- Forward to System DNS: forwards all queries to the system DNS (forward only).
Click OK and confirm that the settings have been added.
Add a DNS database
You can add a DNS database (zone information).
Click Network > DNS Servers. Click Create New in the DNS Database section.
In the settings screen that opens, set each item:
- Type: Primary
- View: Shadow or Public
- Authoritative: disable if necessary (enabled by default)
Add DNS records by clicking Create New in the DNS Entries field.
After setting each item, click OK at the bottom of the screen.
Confirm that the settings have been added.
As an operation test, execute the nslookup command on a Windows client that connects to FortiGate.
C:\WINDOWS\system32>nslookup hogeHost.hogedomain.com 10.10.10.1
Server: UnKnown
Address: 10.10.10.1
Non-authoritative answer:
Name: hogeHost.hogedomain.com
Address: 10.20.30.40
Domain name resolution is successful. The answer is reported as non-authoritative because Authoritative was disabled in the zone settings; with it enabled, the FortiGate sets the AA flag in its replies. The server name shows as UnKnown only because there is no PTR record for 10.10.10.1.
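The nslookup test above can be reproduced with a raw DNS query, which also makes the authoritative (AA) flag visible. The following script is an added example, not from the article or from Fortinet: it builds an A query for the article's test name, sends it to the FortiGate's interface address, and parses the reply. The embedded SAMPLE_RESPONSE is constructed by hand so the parser can be exercised offline; it imitates what the configured zone (authoritative disabled, A record 10.20.30.40, zone TTL 86400) would return, and the server address 10.10.10.1 is taken from the article.

```python
"""Query a DNS server and check the answer and AA flag (added example, not FortiOS code)."""
import socket
import struct

AA_FLAG = 0x0400  # Authoritative Answer bit in the DNS header flags


def build_query(name, txn_id=0x1234):
    """Build a standard recursive A query for `name` (RFC 1035 section 4.1)."""
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)  # RD=1, 1 question
    qname = b"".join(bytes([len(label)]) + label.encode()
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset after the field)."""
    labels = []
    end = None          # offset after the field in the original position
    while True:
        length = msg[offset]
        if (length & 0xC0) == 0xC0:  # compression pointer (two bytes)
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode())
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_response(msg):
    """Parse header flags and the A records of the answer section."""
    txn_id, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    result = {"id": txn_id, "authoritative": bool(flags & AA_FLAG),
              "rcode": flags & 0x000F, "answers": []}
    offset = 12
    for _ in range(qdcount):          # skip the echoed question section
        _, offset = _read_name(msg, offset)
        offset += 4                   # QTYPE + QCLASS
    for _ in range(ancount):
        name, offset = _read_name(msg, offset)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:  # A record
            result["answers"].append((name, "A", ttl, socket.inet_ntoa(rdata)))
    return result


def query(server, name, timeout=3.0):
    """Send the query over UDP/53 to `server` and parse the reply (needs network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_response(data)


# Constructed reply for the article's test: flags 0x8180 = QR, RD, RA set and AA
# clear (authoritative disabled in the zone); one A record pointing back at the
# question name via a compression pointer to offset 12.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + build_query("hogeHost.hogedomain.com")[12:]
    + b"\xc0\x0c"
    + struct.pack("!HHIH", 1, 1, 86400, 4) + bytes([10, 20, 30, 40])
)

if __name__ == "__main__":
    print(parse_response(SAMPLE_RESPONSE))
    # Against a live FortiGate (address from the article):
    # print(query("10.10.10.1", "hogeHost.hogedomain.com"))
```

Running query() against the FortiGate interface should return the same A record as the nslookup test, with authoritative False while the zone has Authoritative disabled and True once it is enabled; a non-zero rcode (3 is NXDOMAIN) means the name is not in the zone the interface serves.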
Set with CLI
The CLI config for DNS Service on Interface in the GUI is config system dns-server.
FortiGate-60E # show full-configuration system dns-server
config system dns-server
edit "dmz"
set mode recursive
set dnsfilter-profile ''
set doh disable
next
end
The CLI config for DNS Database in the GUI is config system dns-database.
FortiGate-60E # show full-configuration system dns-database
config system dns-database
edit "HogeZone"
set status enable
set domain "hogedomain.com"
set type primary
set view shadow
set ttl 86400
set authoritative disable
unset forwarder
set source-ip 0.0.0.0
config dns-entry
edit 1
set status enable
set type A
set ttl 0
set hostname "hogehost"
set ip 10.20.30.40
next
end
unset allow-transfer
set primary-name "hogeDNS"
set contact "admin@sample.com"
next
end
Comments
On my FortiGate, I can't find System > Feature Visibility > enable DNS Database.
Is it a hardware limitation or a FortiOS limitation? I use FG-101F v7.0.11.