DNS services

The Domain Name System (DNS) converts symbolic host names to IP addresses; a DNS server is the service that implements the protocol. In simple terms, it acts as a phone book for the Internet: it matches a domain name with the IP address of the computer that serves it, so that you can use readable names such as fortinet.com when browsing. FortiOS supports DNS configuration for both IPv4 and IPv6 addressing.

The FortiGate unit includes default DNS server addresses. However, these should be changed to those provided by your Internet Service Provider. The defaults are DNS proxies and are not as reliable as those from your ISP.

Within FortiOS there are two DNS configuration options: the DNS settings (the resolver the FortiGate unit itself uses) and the DNS server (a local zone database the unit serves to clients). Each provides a specific service, and the two can work together to provide a complete DNS solution.


DNS settings

Basic DNS queries are configured on interfaces that connect to the Internet. When a web site is requested, for example, the FortiGate unit queries the configured DNS servers for the IP address of the server it must contact to complete the transaction.

DNS server addresses are configured by going to System > Network > DNS. Here you specify the primary and secondary DNS server addresses; typically these are supplied by your ISP. An additional option is available if you have local Microsoft domains on the network: enter the domain in the Local Domain Name field, and it is appended to unqualified host names before they are resolved.

When all three fields are configured, the FortiGate unit first looks to the local domain. If no match is found, a request is sent to the external DNS servers.

If virtual domains are enabled, you create a DNS database in each VDOM. All of the interfaces in a VDOM share the DNS database in that VDOM.


Additional DNS CLI configuration

Further options are available from the CLI under config system dns. Within this command you can set the following options:

  • dns-cache-limit – enables you to set how many DNS entries are stored in the cache. Entries that remain in the cache provide a quicker response to requests than going out to the Internet to get the same information.
  • dns-cache-ttl – enables you to set how long entries remain in the cache in seconds, between 60 and 86,400 (24 hours).
  • cache-notfound-responses – when enabled, any DNS requests that are returned with NOTFOUND can be stored in the cache.
  • source-ip – enables you to define a dedicated IP address for communications with the DNS server.


DNS server

You can also create local DNS servers for your network. Depending on your requirements, you can maintain the entries manually (master DNS server), or use the server as a jumping point that refers to an outside source (slave DNS server). A local master DNS server works similarly to the DNS server addresses configured in System > Network > DNS, but all entries must be added manually. This enables you to add a local DNS server that includes specific hostname/IP address combinations.


The DNS server options are not visible in the web-based manager by default. To enable the server, go to System > Config > Features and select DNS Database.

While a master DNS server is an easy way of including regularly used addresses without querying an outside DNS server, it is not recommended to make it the authoritative DNS server. IP addresses may change, and maintaining any type of list can quickly become labor-intensive.

A FortiGate master DNS server is best suited to local services. For example, suppose your company has a web server on the DMZ that is accessed by internal employees as well as external users, such as customers or remote users. Without an internal DNS server, an internal user's request for website.example.com goes out to the DNS server on the web, which returns the public IP address or virtual IP of the web server. With an internal DNS server, the same request is resolved internally to the internal IP address of the web server, minimizing inbound/outbound traffic and access time.

As a slave DNS server, the FortiGate unit refers to an external or alternate source to obtain the hostname/IP combination. This is useful if a large company maintains its list on a master DNS server: satellite offices can then connect to the master DNS server to obtain the correct addressing.

The DNS server does not allow CNAME entries, as per RFC 1912, section 2.4.


To configure a master DNS server – web-based manager

1. Go to System > Network > DNS Server, and select Create New for DNS Database.

2. For Type, select Master.

3. For View, select Shadow. The view sets who can reach the DNS server: with Public, external users can access and use the DNS server; with Shadow, only internal users can use it.

4. Enter the DNS Zone, for example, WebServer.

5. Enter the domain name for the zone, for example, example.com.

6. Enter the hostname of the DNS server, for example, Corporate.

7. Enter the contact address for the administrator, for example, admin@example.com.

8. Set Authoritative to Disable.

9. Select OK.

10. Enter the DNS entries for the server by selecting Create New.

11. Select the Type, for example, Address (A).

12. Enter the Hostname, for example, web.example.com.

13. Enter the remaining information, which varies depending on the Type selected.

14. Select OK.


To configure a DNS server – CLI

config system dns-database
    edit WebServer
        set domain example.com
        set type master
        set view shadow
        set ttl 86400
        set primary-name corporate
        set contact admin@example.com
        set authoritative disable
        config dns-entry
            edit 1
                set hostname web.example.com
                set type A
                set ip 192.168.21.12
                set status enable
            next
        end
    next
end


Recursive DNS

You can set an option so that these local DNS servers (master or slave) are not the authoritative server. When configured, the FortiGate unit first checks its internal DNS database. If the request cannot be fulfilled there, it looks to the external DNS servers. This is known as a split DNS configuration.

You can also restrict a zone so that it is only consulted for queries from internal interfaces, by setting its view to shadow in the CLI:

config system dns-database
    edit example.com
        set view shadow
    next
end


For this behavior to work completely, you must set the DNS service on the external interface to recursive mode, so that queries the local database cannot answer are forwarded to the configured DNS servers. This option is configured in the CLI only.


To set the DNS query mode – CLI

config system dns-server
    edit wan1
        set mode recursive
    next
end
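The following Python model, added here as an illustration and not FortiOS code, ties together the resolution order described on this page: the dns-server mode of the interface that receives a query, the zone view (shadow versus public) and authoritative flag from the DNS server section, the fall-through to the external DNS servers in a split DNS configuration, and the dns-cache-limit, dns-cache-ttl and cache-notfound-responses options of config system dns. The non-recursive and forward-only modes, the interface and zone names, the addresses and the dictionary standing in for the external resolver are assumptions made for the model, not settings taken from this page.

```python
"""Model of the FortiGate DNS resolution order described on this page.
Added illustration, not FortiOS code; zone, interfaces, addresses and the
stand-in "external resolver" dictionary are constructed sample data."""
from collections import OrderedDict
from dataclasses import dataclass, field

NXDOMAIN = "NXDOMAIN"  # stands in for a negative (NOTFOUND) answer


@dataclass
class Zone:
    domain: str                  # zone apex, e.g. "example.com"
    view: str = "shadow"         # "shadow": internal interfaces only; "public": any
    authoritative: bool = False  # True: a miss inside this zone is final
    entries: dict = field(default_factory=dict)  # FQDN -> A record


class DnsCache:
    """Cache for forwarded answers (config system dns cache options)."""
    def __init__(self, limit=5000, ttl=1800, cache_notfound=False):
        self.limit = limit                    # dns-cache-limit
        self.ttl = ttl                        # dns-cache-ttl, seconds
        self.cache_notfound = cache_notfound  # cache-notfound-responses
        self._store = OrderedDict()           # name -> (answer, expiry)

    def get(self, name, now):
        hit = self._store.get(name)
        if hit is None:
            return None
        answer, expires = hit
        if now >= expires:  # TTL elapsed: drop the stale entry
            del self._store[name]
            return None
        return answer

    def put(self, name, answer, now):
        if answer == NXDOMAIN and not self.cache_notfound:
            return  # negative answers are cached only when enabled
        if len(self._store) >= self.limit:
            self._store.popitem(last=False)  # evict the oldest entry
        self._store[name] = (answer, now + self.ttl)


class SplitResolver:
    def __init__(self, zones, interface_modes, internal_interfaces, external, cache):
        self.zones = zones                      # local DNS database
        self.interface_modes = interface_modes  # iface -> recursive|non-recursive|forward-only
        self.internal = internal_interfaces     # interfaces that may see shadow zones
        self.external = external                # constructed stand-in for the ISP resolver
        self.cache = cache
        self.forwarded = 0                      # queries that actually left the box

    def _zone_for(self, name, interface):
        # longest-suffix zone match among the zones visible from this interface
        best = None
        for z in self.zones:
            if z.view == "shadow" and interface not in self.internal:
                continue  # shadow zones do not exist for external interfaces
            if name == z.domain or name.endswith("." + z.domain):
                if best is None or len(z.domain) > len(best.domain):
                    best = z
        return best

    def _forward(self, name, now):
        cached = self.cache.get(name, now)
        if cached is not None:
            return cached
        self.forwarded += 1
        answer = self.external.get(name, NXDOMAIN)
        self.cache.put(name, answer, now)
        return answer

    def resolve(self, name, interface, now=0):
        mode = self.interface_modes.get(interface)
        if mode is None:
            return None  # no DNS service enabled on this interface
        if mode != "forward-only":
            zone = self._zone_for(name, interface)
            if zone is not None:
                if name in zone.entries:
                    return zone.entries[name]
                if zone.authoritative:
                    return NXDOMAIN  # authoritative miss: nobody else is asked
            if mode == "non-recursive":
                return NXDOMAIN  # local database only, never forward
        return self._forward(name, now)


def build_demo():
    """Shadow zone for example.com; DNS service recursive on internal and wan1."""
    zone = Zone("example.com", entries={"web.example.com": "192.168.21.12"})
    return SplitResolver(
        zones=[zone],
        interface_modes={"internal": "recursive", "wan1": "recursive"},
        internal_interfaces={"internal"},
        external={"web.example.com": "203.0.113.10",  # public VIP of the same server
                  "mail.example.com": "203.0.113.25", "fortinet.com": "203.0.113.53"},
        cache=DnsCache(limit=2, ttl=60),
    )
```

With build_demo(), resolving web.example.com from the internal interface returns the internal address 192.168.21.12 from the shadow zone, while the same query arriving on wan1 does not see the shadow zone and is forwarded, returning the public address. A name inside the zone with no entry is forwarded rather than answered NXDOMAIN because the zone is not authoritative, a forwarded answer is served from the cache until dns-cache-ttl elapses, and a NOTFOUND answer is only kept in the cache once cache_notfound is enabled.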