| Description |
This article describes that there are multiple ways of using the DNS in the FortiGate environment. It is possible to configure the FortiGate to access a public DNS for resolution. In an enterprise environment, most of the organizations do have internal DNS servers. |
| Scope | FortiGate. |
| Solution |
There are some steps to configure a DNS server and multiple ways of configuring its attributes.
Step 1: Enable DNS Database under system -> Feature visibility:
Step 2: Under Network -> DNS Servers, Select the interface where the internal DNS server is accessible or the DNS service required devices are located:
Once the interface is selected, it is possible to select the mode as Recursive, Non-Recursive, and Forward to system DNS:
Recursive : In the next step, enter different DNS entries under the DNS Database. When selected Recursive as the mode, a DNS request will try to resolve using the entries in the DNS Database on the FortiGate. If the entry is not available it will be redirected to the configured DNS server. Example: If the DNS is configured to an internal DNS server and if the NDS request entry is not available in the FortiGate DNS database, the request will be sent to the internal DNS server.
Non-Recursive : When a DNS request comes by, only the FortiGate DNS Database will be looked up for the resolution. This option is not recommended as it is possible to use to resolve the configured DNS entries on the FortiGate DNS Database. In this option, FortiGate will act as the sole DNS server. This option is viable only for special cases where the users need to resolve only to access internal resources where the DNS entries are configured on the FortiGate DNS database.
Forward to system DNS : When the Mode is selected for this option FortiGate will act as DNS relay instead of DNS server. All DNS queries will be forwarded to the configured DNS which is under Network --> DNS.
The other 2 parameters under the DNS service on the interface are as below:
DNS Filter : If a DNS filter is configured under the security profile, it is possible to apply it to filter DNS queries and take actions based on the DNS filter.
DNS over HTTPS : This option can be used to encrypt the DNS communication for security purposes such as to mitigate man-in-the-middle attacks etc.
Step 3: Configure DNS Database. Different entries are entered based on the network and domain names.
When creating a new entry on the DNS Database there are 2 options to select for type on DNS Zone:
Primary: For a specific entry, once the type as the primary is selected, the DNS query will be referred to this entry first.
FortiGate configuration is as follows:
Secondary: The entry on the DNS Database on the FortiGate will be used as the secondary option. Once a DNS query takes place it will go to the configured DNS for resolution and for some reason if the primary is not available, it will refer to the secondary.
On FortiGate, the entry is configured as below:
When configuring as a secondary on the main DNS server, it is necessary to configure what is the secondary. As an example refer to the below from the Windows DNS server:
Step 4: Configuring the Interface to be used as the DNS for the users:
Relevant configs in CLI:
config system dns-server
config system dns-database edit "test"
For troubleshooting DNS issues. To debug the DNS proxy:
Diagnose debug application dnsproxy -1 diagnose debug
Related articles: Technical Note: FortiGate Troubleshooting DNS commands |
