[FortiGate] How to configure DNS [Client/Server]

Firewall (UTM)

Work environment

  • FortiGate 60E
    • version 7.0.1

DNS client settings

Set with GUI

Click Network > DNS.

By default, the FortiGuard server (208.91.112.53, 208.91.112.52) is used as the DNS server, as shown in the image above.

To specify the DNS servers manually, select Specify in the DNS servers field. Enter the IP address of your DNS server in the Primary DNS server field and, if needed, a second one in the Secondary DNS server field. Click Apply at the bottom of the screen.

Set with CLI

The CLI configuration object for the DNS client (resolver) settings is config system dns.

The default configuration is as follows (the FortiGuard servers are used).

FortiGate-60E # show full-configuration system dns
config system dns
    set primary 208.91.112.53
    set secondary 208.91.112.52
    set protocol cleartext
    set ssl-certificate "Fortinet_Factory"
    set ip6-primary ::
    set ip6-secondary ::
    set timeout 5
    set retry 2
    set dns-cache-limit 5000
    set dns-cache-ttl 1800
    set cache-notfound-responses disable
    set source-ip 0.0.0.0
    set interface-select-method auto
    set server-select-method least-rtt
    set alt-primary 0.0.0.0
    set alt-secondary 0.0.0.0
    set log disable
end

For example, the command to set the primary DNS server to 8.8.8.8 and the secondary DNS server to 8.8.4.4 is:

config system dns
    set primary 8.8.8.8
    set secondary 8.8.4.4
end

How to check the operation of domain name resolution

FortiGate does not have a name-resolution command equivalent to nslookup on Windows. Instead, check whether a domain name can be resolved by giving the domain name as the destination of the ping command and executing it.

As an example, ping google.com.

FortiGate-60E # execute ping google.com
PING google.com (142.251.42.142): 56 data bytes
64 bytes from 142.251.42.142: icmp_seq=0 ttl=114 time=44.4 ms
64 bytes from 142.251.42.142: icmp_seq=1 ttl=114 time=37.5 ms
64 bytes from 142.251.42.142: icmp_seq=2 ttl=114 time=47.0 ms
64 bytes from 142.251.42.142: icmp_seq=3 ttl=114 time=58.7 ms
64 bytes from 142.251.42.142: icmp_seq=4 ttl=114 time=48.7 ms

--- google.com ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 37.5/47.2/58.7 ms

If the domain name resolution is successful, the IP address corresponding to the domain name will be displayed as shown above.

Make FortiGate act as a DNS server

Set with GUI

Open the System > Feature Visibility screen and enable DNS Database.

Click Network > DNS Servers. Click Create New in the DNS Service on Interface column.

Set each item on the screen below.

  • Interface: Specifies the interface that accepts DNS queries.
  • Mode:
    • Recursive: answers from the shadow DNS database and forwards other queries.
    • Non-Recursive: answers from the public DNS database only.
    • Forward to System DNS: forwards all queries only.

Click OK and confirm that the settings have been added.

Add a DNS database

You can add a DNS database (zone information).

Click Network > DNS Servers. Click Create New in the DNS Database column.

The following settings screen is displayed; set each item.

  • Type: Primary
  • View: Shadow or Public
  • Authoritative: Disable if necessary (default is enabled)

If the zone's View is Shadow, name resolution for that zone is served only on interfaces whose mode in DNS Service on Interface is Recursive.
If the View is Public, name resolution is served whether the interface mode is Recursive or Non-Recursive.

You can add a DNS record by clicking Create New in the DNS Entries field.

When you have set each item, click OK at the bottom of the screen.

Confirm that the settings have been added.

As an operation test, run the nslookup command on a Windows client connected to the FortiGate, giving the FortiGate's interface address (10.10.10.1 here) as the server.

C:\WINDOWS\system32>nslookup hogeHost.hogedomain.com 10.10.10.1
サーバー:  UnKnown
Address:  10.10.10.1

権限のない回答:
名前:    hogeHost.hogedomain.com
Address:  10.20.30.40

Domain name resolution is successful.
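The nslookup check above can be reproduced from any client without relying on the Windows tool, which also makes it easier to script a post-change verification. The following is an added example, not Fortinet code: it builds an A query for the article's hostname, parses the reply and reports the AA (authoritative answer) flag, which is what the "権限のない回答" ("Non-authoritative answer") line in the nslookup output reflects. The function names, the constructed reply used for the offline run, and the 10.20.30.40 result are taken from or modelled on the article's own values; resolve() performs a live query against a server address such as 10.10.10.1.

```python
"""Check a FortiGate DNS service from a client, the way nslookup does.

Added example, not Fortinet code: it builds an A query, parses the reply
and reports whether the AA (authoritative answer) flag was set, which is
what nslookup's "Non-authoritative answer" line reflects. The response
used when run stand-alone is constructed, so the demo works offline.
"""
import socket
import struct


def build_query(name, txid=0x1234):
    """Minimal DNS query: header with RD set, one question for <name> A IN."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + qname + struct.pack("!HH", 1, 1)


def skip_name(data, off):
    """Advance past a (possibly compressed) name starting at offset off."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer, 2 bytes
            return off + 2
        off += length + 1


def parse_response(data):
    """Return rcode, AA flag and the (address, ttl) A records from a DNS reply."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(data, off) + 4  # QTYPE + QCLASS
    addresses = []
    for _ in range(an):
        off = skip_name(data, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            addresses.append((socket.inet_ntoa(rdata), ttl))
    return {"rcode": flags & 0x000F, "authoritative": bool(flags & 0x0400),
            "addresses": addresses}


def make_response(query, ip, ttl=86400, authoritative=False):
    """Constructed server reply for the demo: echoes the question, adds one A record."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8180 | (0x0400 if authoritative else 0)  # QR, RD, RA (+AA)
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + query[12:] + answer


def resolve(name, server, timeout=3.0):
    """Send the query over UDP/53 to the FortiGate interface address and parse the reply."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(4096)
    if data[:2] != query[:2]:
        raise ValueError("transaction id mismatch; discarding reply")
    return parse_response(data)


if __name__ == "__main__":
    # Offline run: a constructed reply carrying the article's record
    # (hogeHost.hogedomain.com -> 10.20.30.40) with AA clear.
    query = build_query("hogeHost.hogedomain.com")
    result = parse_response(make_response(query, "10.20.30.40"))
    print("authoritative:", result["authoritative"], "addresses:", result["addresses"])
    # Live check against the article's server: resolve("hogeHost.hogedomain.com", "10.10.10.1")
```

A reply with AA clear, as in the article's output, is expected when the zone is configured with Authoritative disabled; if the zone is set to authoritative, the same check should report True, which is a quick way to confirm the zone setting took effect.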

Set with CLI

The CLI config for DNS Service on Interface in the GUI is config system dns-server.

FortiGate-60E # show full-configuration system dns-server
config system dns-server
    edit "dmz"
        set mode recursive
        set dnsfilter-profile ''
        set doh disable
    next
end

The CLI config for DNS Database in the GUI is config system dns-database.

FortiGate-60E # show full-configuration system dns-database
config system dns-database
    edit "HogeZone"
        set status enable
        set domain "hogedomain.com"
        set type primary
        set view shadow
        set ttl 86400
        set authoritative disable
        unset forwarder
        set source-ip 0.0.0.0
        config dns-entry
            edit 1
                set status enable
                set type A
                set ttl 0
                set hostname "hogehost"
                set ip 10.20.30.40
            next
        end
        unset allow-transfer
        set primary-name "hogeDNS"
        set contact "admin@sample.com"
    next
end
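The three CLI blocks on this page (config system dns for the client, and config system dns-server and config system dns-database for the server side) are easy to capture with show full-configuration but tedious to review by eye. The following is an added example, not Fortinet code: a small parser for the config/edit/set/unset/next/end grammar seen in that output, followed by a few defender-side checks (unencrypted upstream resolution, DNS logging off, recursive mode on an interface, no DNS filter profile, zone transfer allowed) and a flattening of dns-entry items into zone records. The sample configuration is constructed from the blocks shown above; the check names and the assumption that an entry ttl of 0 inherits the zone ttl are this example's own.

```python
"""Audit FortiGate DNS settings from 'show full-configuration' output.

Added example, not Fortinet code. It parses the config/edit/set/unset/
next/end grammar seen in the article's CLI output and applies a few
defender-side checks; the sample text is constructed from those blocks.
"""
import shlex

# Constructed sample, abbreviated from the article's CLI output. The first
# line is the CLI prompt that a copy-paste usually carries along.
SAMPLE_CONFIG = """\
FortiGate-60E # show full-configuration system dns
config system dns
    set primary 208.91.112.53
    set protocol cleartext
    set log disable
end
config system dns-server
    edit "dmz"
        set mode recursive
        set dnsfilter-profile ''
    next
end
config system dns-database
    edit "HogeZone"
        set domain "hogedomain.com"
        set view shadow
        set ttl 86400
        config dns-entry
            edit 1
                set status enable
                set type A
                set ttl 0
                set hostname "hogehost"
                set ip 10.20.30.40
            next
        end
        unset allow-transfer
    next
end
"""

KEYWORDS = {"config", "edit", "set", "unset", "next", "end"}


def parse_fortios(text):
    """Nested dicts: 'config X'/'edit N' open a level, 'set K V' stores the
    value string, 'unset K' stores None (explicitly unset vs never mentioned)."""
    root, stack = {}, []
    for raw in text.splitlines():
        tokens = shlex.split(raw)  # honours "quoted" and '' values
        if not tokens or tokens[0] not in KEYWORDS:
            continue  # prompt line, blank line or unrelated output
        cmd, args = tokens[0], tokens[1:]
        cur = stack[-1] if stack else root
        if cmd in ("config", "edit"):
            stack.append(cur.setdefault(" ".join(args), {}))
        elif cmd in ("end", "next"):
            stack.pop()
        elif cmd == "set":
            cur[args[0]] = " ".join(args[1:])
        else:  # unset
            cur[args[0]] = None
    return root


def audit_dns(cfg):
    """Return (code, message) findings; the checks are this example's own."""
    findings = []
    dns = cfg.get("system dns", {})
    if dns.get("protocol", "cleartext") == "cleartext":
        findings.append(("CLEARTEXT_UPSTREAM",
                         "system dns: upstream queries leave unencrypted on port 53"))
    if dns.get("log", "disable") == "disable":
        findings.append(("DNS_LOG_OFF",
                         "system dns: query logging disabled; no DNS telemetry for detection"))
    for ifname, svc in cfg.get("system dns-server", {}).items():
        if svc.get("mode") == "recursive":
            findings.append((f"RECURSIVE_ON_{ifname}",
                             f"dns-server {ifname}: recursive mode; keep it off untrusted interfaces"))
        if not svc.get("dnsfilter-profile"):
            findings.append((f"NO_DNSFILTER_{ifname}",
                             f"dns-server {ifname}: no DNS filter profile on client queries"))
    for zname, zone in cfg.get("system dns-database", {}).items():
        if zone.get("allow-transfer"):
            findings.append((f"AXFR_ALLOWED_{zname}",
                             f"dns-database {zname}: zone transfer allowed to {zone['allow-transfer']}"))
    return findings


def zone_records(cfg):
    """Flatten enabled dns-entry items to (fqdn, type, ip, ttl) tuples.
    Assumption: an entry ttl of 0 inherits the zone ttl."""
    records = []
    for zone in cfg.get("system dns-database", {}).values():
        domain, zone_ttl = zone.get("domain", ""), int(zone.get("ttl", 0))
        for entry in zone.get("dns-entry", {}).values():
            if entry.get("status", "enable") != "enable":
                continue
            ttl = int(entry.get("ttl", 0)) or zone_ttl
            records.append((f"{entry['hostname']}.{domain}", entry["type"], entry["ip"], ttl))
    return records


if __name__ == "__main__":
    cfg = parse_fortios(SAMPLE_CONFIG)
    for rec in zone_records(cfg):
        print("record:", rec)
    for code, msg in audit_dns(cfg):
        print(f"[{code}] {msg}")
```

On the page's own settings this reports cleartext upstream resolution, logging off, recursive mode on dmz and no DNS filter profile, and no zone-transfer finding because allow-transfer is unset. Feed it the real output of show full-configuration instead of SAMPLE_CONFIG to review a live unit.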

Comments

  1. bonar says:

    On my FortiGate, I can’t find System > Feature Visibility > enable DNS Database.

    Is it a hardware limitation or a FortiOS limitation? I use FG-101F v7.0.11
