Use FortiGate as a DNS server

You can configure and use FortiGate as a DNS server in your network. When you enable DNS Service on a specific interface, FortiGate listens for DNS queries on that interface and answers them.

Depending on the configuration, DNS Service on FortiGate can work in three modes: Recursive, Non-Recursive, or Forward to System DNS (server). For details on how to configure DNS Service on FortiGate, see the FortiGate System Configuration Guide.

You can apply a DNS Filter profile in Recursive Mode and in Forward to System DNS Mode. In this case FortiGate behaves the same way as a transparent DNS proxy for DNS relay traffic: the queries it relays on behalf of clients are filtered by the profile.

To configure DNS Service on FortiGate using GUI:

  1. Go to Network > DNS Servers.
  2. In the DNS Service on Interface, click Create New and select an Interface.

Recursive and Non-Recursive modes are available only after you configure the DNS database.

To configure DNS Service on FortiGate using CLI:

config system dns-server
    edit "port10"                      <<<==== Enable DNS Service on the interface
        set mode forward-only          <<<==== Forward to System DNS mode
        set dnsfilter-profile "demo"   <<<==== Apply the DNS Filter profile to the service
    next
end

Sample configuration

In this example, FortiGate port10 is enabled as a DNS Service with the DNS Filter profile "demo" applied. Suppose port10 has the IP address 10.1.100.5 and the "demo" profile is set to block category 52 (Information Technology). From a PC on your internal network, use a command-line tool such as dig or nslookup to send a DNS query to that address. For example:

# dig @10.1.100.5 www.fortinet.com    <<<==== Specify the FortiGate interface address as the DNS server

;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 52809
;; Flags: qr rd; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 0

;; QUESTION SECTION:
;; www.fortinet.com.           IN     A

;; ANSWER SECTION:
www.fortinet.com.      60     IN    A     208.91.112.55   <<<==== The DNS Filter profile filters the relayed DNS traffic according to the profile configuration; here the query was blocked and answered with the redirect portal IP

;; Received 50 B
;; Time 2019-04-08 14:36:34 PDT
;; From 10.1.100.5@53(UDP) in 13.6 ms
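The dig test above checks the DNS Service and its DNS Filter profile by hand. As an added example (not part of the original guide and not FortiGate's own code), the following Python script does the same check programmatically: it builds an A query, sends it to the DNS Service interface, parses the reply, and reports whether every answer is the block-portal address, which is the observable sign that the profile blocked the query. The server address 10.1.100.5, the domain www.fortinet.com and the portal address 208.91.112.55 come from the sample above; the PORTAL_IPS set, the function names and the constructed SAMPLE_REPLY fixture (which mirrors the dig output so the parser can be exercised offline) are assumptions of this example. The message encoding follows RFC 1035.

```python
"""Verify a FortiGate DNS Service answer against the DNS Filter portal address.

Added example for this article, not FortiGate code. Addresses and the
domain are taken from the article's sample; PORTAL_IPS is an assumption.
"""
import socket
import struct

# Block-page address observed in the article's dig output (assumed portal IP).
PORTAL_IPS = {"208.91.112.55"}


def build_query(name: str, txid: int) -> bytes:
    """Build a standard recursive A/IN query for `name` (RFC 1035 section 4.1)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set
    qname = b"".join(
        struct.pack("B", len(label)) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(data: bytes, offset: int):
    """Decode a possibly compressed owner name; return (name, offset after it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", end


def parse_response(data: bytes) -> dict:
    """Return the header id, flags, rcode and the A records of a DNS reply."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qdcount):  # skip the echoed question section
        _, offset = _read_name(data, offset)
        offset += 4  # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        owner, offset = _read_name(data, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record, IN class
            answers.append((owner, ttl, socket.inet_ntoa(rdata)))
    return {"id": txid, "flags": flags, "rcode": flags & 0x000F, "answers": answers}


def classify(parsed: dict, portal_ips=PORTAL_IPS) -> str:
    """'blocked' if every A record is a portal address, 'allowed' if none is,
    'mixed' otherwise, 'no-answer' when the reply carries no A record."""
    ips = {ip for _, _, ip in parsed["answers"]}
    if not ips:
        return "no-answer"
    if ips <= portal_ips:
        return "blocked"
    if ips.isdisjoint(portal_ips):
        return "allowed"
    return "mixed"


def query(server: str, name: str, txid: int = 52809, timeout: float = 3.0) -> dict:
    """Send the query to the FortiGate DNS Service interface over UDP/53 and parse it."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (server, 53))
        data, _ = sock.recvfrom(4096)
    parsed = parse_response(data)
    if parsed["id"] != txid:
        raise ValueError("transaction id mismatch: reply is not for our query")
    return parsed


def make_reply(txid: int, name: str, ttl: int, ip: str) -> bytes:
    """Constructed reply (test fixture, not captured traffic): one A record whose
    owner name is a compression pointer (0xC00C) to the question at offset 12."""
    return (
        struct.pack("!HHHHHH", txid, 0x8100, 1, 1, 0, 0)  # flags: qr rd
        + build_query(name, txid)[12:]
        + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    )


# Mirrors the article's dig output: id 52809, www.fortinet.com. 60 IN A 208.91.112.55
SAMPLE_REPLY = make_reply(52809, "www.fortinet.com", 60, "208.91.112.55")

if __name__ == "__main__":
    print(classify(parse_response(SAMPLE_REPLY)))
    # Live check against the article's interface address (needs reachability):
    # print(classify(query("10.1.100.5", "www.fortinet.com")))
```

A result of "blocked" means the DNS Service relayed the query through the profile and substituted the portal address; "allowed" means a real record came back, so either the category is not blocked or the profile is not applied to that interface. Running the script from the same internal network segment as the PC in the sample reproduces the dig check.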

This entry was posted in Administration Guides, FortiGate, FortiOS 6.2.

About Mike

Michael Pruett, CISSP, has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge, resulting in the wrong hardware or configuration being deployed, is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. He owns PacketLlama.Com (Fortinet hardware sales) and Office Of The CISO, LLC (a cybersecurity consulting firm).
