Configuring FortiGate DNS Server for Optimal Network Performance

Published on: 12-08-2024 By Shishipal Gautam

Introduction

Configuring a DNS server on your FortiGate device can greatly enhance network efficiency and security. Whether you’re managing a small business or a large enterprise, understanding how to set up FortiGate as a DNS server is crucial. This guide walks you through the steps to configure your FortiGate device as either a primary or a secondary DNS server, and how to leverage advanced features like DNS over HTTPS.

Understanding FortiGate DNS Server Roles

Before diving into the configuration steps, it's important to understand the roles a FortiGate DNS server can play:

  • Primary DNS Server: The FortiGate holds the zone itself, so you manage every hostname-to-IP mapping in-house, reducing external DNS traffic and lookup time while minimizing reliance on outside DNS servers.
  • Secondary DNS Server: Acts as a backup that takes its zone data from an external primary DNS server, providing redundancy and load balancing.

Steps to Configure the FortiGate as a DNS Server

Let's explore the detailed steps to set up FortiGate as a DNS server via the GUI and CLI.

Configuring FortiGate DNS Server through GUI

Enable DNS Server Options:

  • Go to System > Feature Visibility.
  • Enable DNS Database in the Additional Features section and click Apply.

Set up DNS Services:

  • Navigate to Network > DNS Servers and enable DNS services on an interface.
  • In the DNS Service on Interface table, click Create New.
  • Configure the following settings:
    • Interface: Choose the interface to enable DNS service on.
    • Mode: Select from Recursive, Non-Recursive, or Forward to System DNS.
    • DNS Filter: Apply a DNS filter profile (not available in Non-Recursive mode).
    • DNS over HTTPS: Activate this for secure DNS resolution.
  • Click OK.

Creating DNS Database Entries:

  • In the DNS Database table, click Create New to build the DNS database.
  • Configure the Type, View, Zone, Domain Name, and other settings as needed, ensuring you choose whether it’s a Primary or Secondary zone.

Configuring FortiGate DNS Server through CLI

If you prefer using CLI for your FortiGate setup, follow these steps:

Configure DNS Servers:

# One entry per interface on which the FortiGate answers DNS queries
config system dns-server
    edit <name>
        set dnsfilter-profile {string}
        set doh {enable | disable}
        set mode {recursive | non-recursive | forward-only}
    next
end

Set Up DNS Database:

# One entry per zone; the nested dns-entry table holds the records of that zone
config system dns-database
    edit <name>
        set authoritative {enable | disable}
        set contact {string}
        set domain {string}
        set forwarder {user}
        set primary-name {string}
        set ttl {integer}
        set type {primary | secondary}
        set view {shadow | public | shadow-ztna | proxy}
        config dns-entry
            edit <id>
                set status {enable | disable}
                set type {A | NS | CNAME | MX | AAAA | PTR | PTR_V6}
                set ttl {integer}
                set ip {ipv4-address-any}
                set ipv6 {ipv6-address}
                set hostname {string}
                set canonical-name {string}
            next
        end
    next
end
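The following is an added worked example that puts the GUI and CLI steps above together; it is not configuration from the original post or from Fortinet. It assumes an internal interface named port2, a DNS filter profile named default, and an internal zone corp.example with constructed 10.10.0.0/24 addresses.

```fortios
# Added example, not from the original post.
# Recursive resolver with DNS filtering and DoH on the internal interface,
# plus an authoritative internal zone served only to internal clients.
# Interface name, profile name, zone and addresses are constructed placeholders.
config system dns-server
    # Bind the service to the LAN side; a recursive resolver on a WAN
    # interface would answer queries from anyone on the Internet.
    edit "port2"
        set mode recursive
        # Filtering applies in recursive and forward-only modes only
        set dnsfilter-profile "default"
        set doh enable
    next
end

config system dns-database
    edit "corp-internal"
        set domain "corp.example"
        # The FortiGate owns this zone; no external primary is consulted
        set type primary
        # shadow view: answers are returned to internal clients only
        set view shadow
        set authoritative enable
        set ttl 3600
        set primary-name "ns1"
        set contact "hostmaster"
        config dns-entry
            edit 1
                set type A
                set hostname "ns1"
                set ip 10.10.0.1
            next
            edit 2
                set type A
                set hostname "intranet"
                set ip 10.10.0.20
            next
            edit 3
                # Alias resolved via the A record above
                set type CNAME
                set hostname "wiki"
                set canonical-name "intranet.corp.example"
            next
        end
    next
end
```

After applying it, a client on port2 should resolve wiki.corp.example to 10.10.0.20 through the CNAME, while a query arriving on any other interface receives no answer for the zone.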

Conclusion

Employing FortiGate as a DNS server allows for significant improvements in network management by reducing reliance on external DNS services and enhancing speed along with security via protocols like DNS over HTTPS. Follow the steps detailed in this guide to optimize your FortiGate’s capabilities, ensuring your network operates smoothly and efficiently.

For further detailed configurations, visit the official FortiGate documentation.