Mastering FortiGate as a DNS Server: A Comprehensive Guide to Configuration and Best Practices

In modern network architectures, the Domain Name System (DNS) is a critical component for both user productivity and application functionality. For organizations leveraging Fortinet technology, the FortiGate firewall offers a robust, built-in DNS server capability that can simplify infrastructure, enhance redundancy, and improve security. This article synthesizes expert knowledge and community insights to provide a complete guide on configuring and optimizing a FortiGate as a DNS server.

Understanding the FortiGate DNS Server Role

Traditionally, a dedicated DNS server or an ISP’s DNS handles name resolution. However, enabling the DNS service on a FortiGate transforms the firewall into a DNS proxy or server for your network. This is particularly useful for branch offices, segmented networks, or scenarios where you want to enforce DNS-level security policies without deploying additional hardware.

According to Fortinet documentation, the DNS service on a FortiGate can operate in three primary modes:

  1. Recursive Mode: The FortiGate queries external DNS servers directly to resolve a name.
  2. Non-Recursive Mode: The FortiGate only answers queries for zones for which it is authoritative (requires a configured DNS database).
  3. Forward to System DNS (Forwarding Mode): The FortiGate acts as a proxy, forwarding client queries to the system-level DNS servers (e.g., FortiGuard or custom servers) and returning the response.

Why Use a FortiGate as a DNS Server?

1. Enhanced Resilience and Reduced Single Points of Failure

A common challenge, highlighted by network professionals managing distributed sites, is the dependency on a central DNS server. If the primary WAN link or VPN tunnel to a central data center fails, remote offices can lose DNS resolution, effectively breaking internet access even if backup links exist.

By configuring the local FortiGate as a DNS server, you create a resilient local resolver. It can intelligently forward internal domain queries (e.g., company.local) to internal servers while handling external queries independently, ensuring internet access remains available during WAN outages.

2. Simplified Client Configuration

Using the FortiGate as a DNS server allows you to push the FortiGate's interface IP as the primary DNS server via DHCP. This centralizes DNS configuration and eliminates the need to manage DNS server addresses on individual clients or remote DHCP servers.

3. Integration with Security Fabric

A key advantage of using the FortiGate is the ability to apply DNS Filter profiles directly to the DNS service. This means you can block malicious domains, restrict access to inappropriate content, and prevent data exfiltration over DNS—all from the same device handling your firewall policies.

Step-by-Step Configuration Guide

The configuration process involves enabling the DNS service on a specific interface and defining its operational mode.

Prerequisites

  • Administrative access to the FortiGate (GUI or CLI).
  • An internal network interface (e.g., internal, LAN, port10) with a static IP address configured.
  • A defined DNS database if you plan to use Non-Recursive mode.

Method 1: GUI Configuration (FortiOS 6.x and later)

The primary location for this setting has remained consistent in modern FortiOS versions.

  1. Navigate: Go to Network > DNS Servers.
  2. Create New: Click Create New under the "DNS Service on Interface" table.
  3. Select Interface: Choose the interface that will receive DNS queries from your clients (e.g., lan, port2).
  4. Choose Mode: Select the desired mode from the dropdown.
    • Forward to System DNS: This is the most common and flexible mode. It forwards queries to the DNS servers configured under Network > DNS (System DNS).
    • Recursive: The FortiGate will attempt to resolve queries itself by querying root servers.
    • Non-recursive: The FortiGate will only answer queries for zones you have manually added to its DNS database.
  5. Apply DNS Filter (Optional but Recommended): If your mode supports it, select a DNS Filter profile to enforce web filtering and security policies at the DNS level.
  6. OK: Save the configuration.

Method 2: CLI Configuration

The CLI provides more granular control and is essential for scripting or bulk configurations, as discussed in community forums for managing multiple units.

To enable the DNS service on an interface named port10 in forwarding mode:

    config system dns-server
        edit "port10"
            set mode forward-only
            set dnsfilter-profile "default"
        next
    end

The dnsfilter-profile line is optional; it attaches the named DNS filter profile to the service.

To set the interface to recursive mode:

    config system dns-server
        edit "port10"
            set mode recursive
        next
    end

Advanced Use Cases and Best Practices

Use Case: Split DNS for Internal and External Resources

A common requirement, as seen in a Reddit discussion from a network engineer managing 60+ sites, is to route internal domain queries to specific corporate servers while sending all other queries to public resolvers like Google DNS (8.8.8.8).

This is achieved through a combination of settings:

  1. System DNS: Set your public/upstream DNS servers (e.g., 8.8.8.8, 8.8.4.4) under Network > DNS. This handles all non-authoritative queries.
  2. DNS Database: To handle internal zones (e.g., company.local), you must configure a DNS database.
    • Go to Network > DNS Database.
    • Create a new database. Choose Primary (authoritative) or Forwarder.
    • If using Forwarder, you can specify the IP address of your internal AWS DNS servers for the company.local domain. The FortiGate will then forward all queries ending in .local to those specific servers.
    • The DNS Service on the interface must be set to Recursive or Non-recursive for the database to be consulted. In this scenario the FortiGate runs in Recursive mode: queries ending in .local match the local database and are forwarded to the internal servers defined there, while every other domain is resolved through the system DNS.
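As an added example that is not part of the original article, the following is the full CLI equivalent of the split-DNS setup above (steps 1 and 2) together with the DHCP hand-out described under "Simplified Client Configuration". It assumes FortiOS 7.x syntax (6.x uses "set type master" in the DNS database), a client interface named port10 at 192.168.10.1/24, an internal resolver at 10.0.0.53 for company.local, and the built-in "default" DNS filter profile; all of these are constructed values.

```fortios
# Added example, not from the original article. Constructed values: interface "port10"
# at 192.168.10.1/24, internal resolver 10.0.0.53 for company.local, FortiOS 7.x syntax.

# 1. Upstream (system) DNS: used for every name the local database does not cover.
config system dns
    set primary 8.8.8.8
    set secondary 8.8.4.4
end

# 2. DNS database for company.local with a forwarder: "view shadow" keeps the zone
#    internal to the DNS service, and with authoritative disabled any name in the zone
#    that has no local entry is forwarded to 10.0.0.53 instead of being answered NXDOMAIN.
config system dns-database
    edit "company.local"
        set domain "company.local"
        set type primary
        set view shadow
        set authoritative disable
        set forwarder "10.0.0.53"
    next
end

# 3. DNS service on the client-facing interface: recursive mode is what makes the
#    database above consulted before the system DNS; the filter profile inspects every query.
config system dns-server
    edit "port10"
        set mode recursive
        set dnsfilter-profile "default"
    next
end

# 4. DHCP on the same interface hands out the FortiGate's own IP as DNS server
#    (dns-service local), so clients need no manual DNS settings.
config system dhcp server
    edit 1
        set interface "port10"
        set default-gateway 192.168.10.1
        set netmask 255.255.255.0
        set dns-service local
        config ip-range
            edit 1
                set start-ip 192.168.10.100
                set end-ip 192.168.10.200
            next
        end
    next
end
```

The hash-prefixed lines are explanatory comments; strip them before pasting if your CLI session rejects them.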

Best Practice: Applying Security Policies

Never run a DNS forwarder without security controls. By attaching a DNS Filter profile to your DNS service, you gain the ability to:

  • Block known malicious sites.
  • Categorize and restrict content.
  • Monitor DNS traffic for suspicious activity.

Best Practice: Verification and Testing

After configuration, always test from a client PC. Force the client to use the FortiGate's IP address for DNS and use standard tools:

    nslookup www.fortinet.com <FortiGate_Interface_IP>
    dig @<FortiGate_Interface_IP> www.fortinet.com

Check the output to ensure the response comes from the FortiGate and that any DNS filtering policies are being applied as expected.

Frequently Asked Questions (FAQ)

What are the main modes of the FortiGate DNS service, and when should I use each?

The three main modes are:

  • Forward to System DNS: Best for most scenarios. The FortiGate acts as a proxy, forwarding queries to the upstream servers defined in the system DNS settings. It's simple and integrates with DNS filtering.
  • Recursive: The FortiGate performs full DNS recursion itself. This is useful if you want the FortiGate to be independent of upstream providers, but it can place more load on the device.
  • Non-recursive: Use this only if you are hosting authoritative DNS zones directly on the FortiGate and do not want it to resolve other domains.

Can the FortiGate DNS server resolve both internal private domains and public domains?

Yes. This is known as Split DNS. You configure a DNS Database for your private domain(s) pointing to your internal DNS servers. Then, set the DNS service mode to Recursive. The FortiGate will check its database first for private domains and use its system DNS (public resolvers) for everything else.

What happens to name resolution if the internet link fails?

If your FortiGate is configured in Forward to System DNS mode and your internet link fails, the FortiGate cannot reach the upstream DNS servers. Consequently, clients will not be able to resolve external domains. However, if you have configured a DNS database for internal zones, and your internal DNS servers are reachable via a backup link or a directly connected network, resolution for those internal names will continue to work. This is a key resilience strategy for branch offices.

How do I apply web filtering to DNS requests when using the DNS server feature?

When you configure the DNS service on an interface (via GUI or CLI), you will see an option to select a DNS Filter profile. By attaching a profile here, all DNS requests handled by the FortiGate for that interface will be inspected and filtered according to that profile's settings, blocking malicious or unwanted domains.

My clients are getting DNS from a central DHCP server. Can I still use the FortiGate as a DNS server?

Yes. You have two options:

  1. Change the DHCP options on your central server to hand out the FortiGate's interface IP as the primary DNS server.
  2. Configure the FortiGate's own DHCP server to override the DNS settings. For clients that get their IP from the FortiGate, it can automatically assign itself as the DNS server.

Does using the FortiGate as a DNS server impact its firewall performance?

Generally, the impact is minimal. The DNS service is a lightweight process. However, enabling full recursion or very high rates of DNS queries could consume some CPU and memory. For most small to medium-sized businesses, this is not a concern. Applying DNS filtering offloads some categorization to FortiGuard, which is efficient.

Conclusion

Configuring a FortiGate as a DNS server is a powerful strategy to enhance network resilience, simplify client management, and centralize security enforcement. By moving DNS resolution to the network edge, organizations can ensure business continuity during WAN disruptions and gain granular control over web traffic. Whether you manage a single unit or dozens worldwide, mastering this feature is a valuable step toward a more robust and secure network infrastructure.