DNS translation feature configuration example

DNS translation translates IP addresses in packets sent by a DNS server from the internal network to the external network. Use DNS translation if you have a DNS server on your internal network that users can access on the external network to find the IP addresses of servers on your internal network.

Note: This is usually a DNS server feature.

• All FortiGate units.

Configuring the DNS translation
on your FortiGate unit

1. Configure the DNS helper using the CLI. Enter the following commands:

   config sys session-helper
       edit 15
             set name dns_udp
             set port 53
             set protocol 17
             next
       edit 16
             set name dns_tcp
             set port 53
             set protocol 6
             next
       end

2. Configure one virtual IP for the DNS.
3. Configure one virtual IP for each internal server.
4. Configure a DNS translation rule for each internal server:
   

   config firewall dnstranslation
     edit 1 
     set dst'external address of the FortiGate'
     set netmask 255.255.255.255 
     set src 'internal address of the server'
     next 
   end

Configuration Example

Step 1: Session-Helper

config sys session-helper
    edit 15
        set name dns_udp
        set port 53
        set protocol 17
        next
    edit 16
        set name dns_tcp
        set port 53
        set protocol 6
        next
    end

Step 2: VIP for the DNS server

external IP 172.31.224.203
port 53
internal IP 10.100.0.3
port 53

Session 3: VIP for the internal web server

external IP 172.31.224.203
port 80
internal IP 10.100.0.23
port 80

Step 4: DNS translation rule for internal web server

config firewall dsntranslation
    edit 1
        set dst 172.31.224.203
        set netmask 255.255.255.255
        set src 10.100.0.23
        next
    end