- FortiGate 60E
- version 7.0.1
DNS client settings
Set with GUI
Click Network > DNS.
By default, the FortiGuard server (18.104.22.168, 22.214.171.124) is used as the DNS server, as shown in the image above.
If you specify the DNS server manually, select Specify in the DNS servers field. Enter the IP address of your DNS server in the Primary DNS server and Secondary DNS server fields (if needed). Click Apply at the bottom of the screen.
Set with CLI
The CLI config for querying DNS server settings is
config system dns.
The default config is as follows. (Use the FortiGuard server.)
FortiGate-60E # show full-configuration system dns config system dns set primary 126.96.36.199 set secondary 188.8.131.52 set protocol cleartext set ssl-certificate "Fortinet_Factory" set ip6-primary :: set ip6-secondary :: set timeout 5 set retry 2 set dns-cache-limit 5000 set dns-cache-ttl 1800 set cache-notfound-responses disable set source-ip 0.0.0.0 set interface-select-method auto set server-select-method least-rtt set alt-primary 0.0.0.0 set alt-secondary 0.0.0.0 set log disable end
For example, the command to set the primary DNS server to 184.108.40.206 and the secondary DNS server to 220.127.116.11 is:
config system dns set primary 18.104.22.168 set secondary 22.214.171.124 end
How to check the operation of domain name resolution
FortiGate doesn’t have a name resolution command like nslookup that you can use on Windows. Therefore, check whether the domain name can be resolved by specifying the domain name as the destination of the Ping command and executing it.
As an example, ping to google.com.
FortiGate-60E # execute ping google.com PING google.com (126.96.36.199): 56 data bytes 64 bytes from 188.8.131.52: icmp_seq=0 ttl=114 time=44.4 ms 64 bytes from 184.108.40.206: icmp_seq=1 ttl=114 time=37.5 ms 64 bytes from 220.127.116.11: icmp_seq=2 ttl=114 time=47.0 ms 64 bytes from 18.104.22.168: icmp_seq=3 ttl=114 time=58.7 ms 64 bytes from 22.214.171.124: icmp_seq=4 ttl=114 time=48.7 ms --- google.com ping statistics --- 5 packets transmitted, 5 packets received, 0% packet loss round-trip min/avg/max = 37.5/47.2/58.7 ms
If the domain name resolution is successful, the IP address corresponding to the domain name will be displayed as shown above.
Make FortiGate act as a DNS server
Set with GUI
Open the System > Feature Visibility screen and enable DNS Database.
Click Network > DNS Servers. Click Create New in the DNS Service on Interface column.
Set each item on the screen below.
- Interface: Specifies the interface that accepts DNS queries.
- Recursive: Shadow DNS database and forward.
- None-Recursive: Public DNS database only.
- Forward to System DNS: Forward only.
Click OK and confirm that the settings have been added.
Add a DNS database
You can add a DNS database (zone information).
Click Network > DNS Servers. Click Create New in the DNS Database column.
The following setting screen is displayed, so set each item.
- Type: Primary
- View: Shadow or Public
- Authoritative: Disable if necessary (default is enabled)
You can add a DNS record by clicking Create New in the DNS Entries field.
When you come to the setting of each item, click OK at the bottom of the screen.
Confirm that the settings have been added.
As an operation test, execute the nslookup command on a Windows client that connects to FortiGate.
C:\WINDOWS\system32>nslookup hogeHost.hogedomain.com 10.10.10.1 サーバー: UnKnown Address: 10.10.10.1 権限のない回答: 名前: hogeHost.hogedomain.com Address: 10.20.30.40
Domain name resolution is successful.
Set with CLI
The CLI config for DNS Service on Interface in the GUI is
config system dns-server.
FortiGate-60E # show full-configuration system dns-server config system dns-server edit "dmz" set mode recursive set dnsfilter-profile '' set doh disable next end
The CLI config for DNS Database in the GUI is
config system dns-database.
FortiGate-60E # show full-configuration system dns-database config system dns-database edit "HogeZone" set status enable set domain "hogedomain.com" set type primary set view shadow set ttl 86400 set authoritative disable unset forwarder set source-ip 0.0.0.0 config dns-entry edit 1 set status enable set type A set ttl 0 set hostname "hogehost" set ip 10.20.30.40 next end unset allow-transfer set primary-name "hogeDNS" set contact "firstname.lastname@example.org" next end