
FortiGate DNS Server Configuration: Complete Guide for Network Administrators


FortiGate firewalls offer robust DNS server capabilities that extend far beyond basic firewall functions. With the ability to operate as primary, secondary, recursive, or forwarding DNS servers, FortiGate devices provide organizations with comprehensive name resolution services integrated directly into their security infrastructure. This integration allows for enhanced network performance, improved security through DNS filtering, and simplified network management by consolidating services.

The FortiGate DNS server functionality supports both traditional DNS and modern secure protocols including DNS over TLS (DoT), DNS over HTTPS (DoH), and the newer DNS over QUIC (DoQ) and DNS over HTTP3 (DoH3). These security-focused features ensure that DNS queries remain encrypted and protected from interception, addressing growing concerns about privacy and data security in enterprise networks.

Step-by-Step Configuration Guide

Enabling DNS Server Functionality

By default, DNS server options are not visible in the FortiGate GUI, requiring administrators to first enable this feature:

  1. Navigate to System > Feature Visibility
  2. Locate and enable DNS Database in the Additional Features section
  3. Click Apply to save changes

Once enabled, the DNS configuration options become available under Network > DNS Servers, where you can begin setting up your DNS services.

Configuring DNS Service on Interfaces

The interface configuration determines where and how your FortiGate will respond to DNS queries:

  • Interface Selection: Choose which network interface will host the DNS service (typically LAN/internal interfaces)
  • Mode Configuration: Four operational modes are available:
    • Recursive: Checks local database first, then forwards unresolved queries to system DNS servers
    • Non-Recursive: Restricts queries to the local Public DNS database only
    • Forward to System DNS: Bypasses local database completely, forwarding all queries upstream
    • Resolver: FortiGate directly queries root and authoritative name servers (available in specific configurations)

According to practical implementation guides, the recursive mode is most commonly used as it "first checks for the requested record in the shadow DNS database. If the record is not found locally, the query is then forwarded to the system's DNS server for further lookup."

Building the DNS Database

FortiGate organizes DNS records into databases with specific characteristics:

  • Zone Types:
    • Primary: Manually maintained entries for direct management
    • Secondary: Imported from other DNS zones for redundancy and load balancing
  • Zone Views:
    • Shadow: For internal clients resolving queries through the FortiGate's recursive DNS server
    • Public: For external clients only, containing publicly accessible service records
    • Proxy: Specifically designed for explicit proxy configurations

When creating a primary zone, administrators are advised to disable the Authoritative option as "making it authoritative is not recommended, because IP addresses can change, and maintaining the list can become labor intensive."

Creating DNS Entries

The DNS database supports multiple record types essential for comprehensive name resolution:

| Record Type            | Purpose                               | Common Use Case                    |
| ---------------------- | ------------------------------------- | ---------------------------------- |
| Address (A)            | Maps hostname to IPv4 address         | Web servers, internal applications |
| Name Server (NS)       | Identifies authoritative DNS servers  | Domain delegation                  |
| Canonical Name (CNAME) | Creates aliases for hosts             | Service aliases, simplified access |
| Mail Exchange (MX)     | Directs email to mail servers         | Email infrastructure               |
| IPv6 Address (AAAA)    | Maps hostname to IPv6 address         | IPv6-enabled services              |
| Pointer (PTR)          | Maps IP addresses to hostnames        | Reverse DNS lookups                |

Each entry includes configurable Time-To-Live (TTL) values, allowing administrators to balance between DNS responsiveness and reduced query loads.

Advanced DNS Features and Security

Secure DNS Protocols

FortiGate supports modern DNS encryption standards that enhance privacy and security:

  • DNS over HTTPS (DoH): Encapsulates DNS queries within HTTPS sessions
  • DNS over TLS (DoT): Secures DNS communication through TLS encryption
  • DNS over QUIC (DoQ): Leverages QUIC protocol for reduced latency and improved security
  • DNS over HTTP3 (DoH3): Utilizes HTTP/3 for DNS resolution

These protocols are "supported in proxy mode inspection for transparent and local-in explicit modes," providing flexible deployment options for different network architectures.

DNS Filtering Integration

One of the most powerful features of FortiGate DNS is its integration with DNS filtering profiles. This allows organizations to:

  • Block malicious domains before connections are established
  • Enforce content policies based on domain categorization
  • Monitor DNS query patterns for security analytics
  • Prevent data exfiltration through DNS tunneling detection

The DNS filter option is available for all modes except Non-Recursive, creating a layered security approach that complements traditional firewall rules.

Command Line Configuration

For administrators preferring CLI access or needing advanced configurations, FortiGate provides comprehensive command-line options:

    # Configure DNS server settings
    config system dns-server
        edit "primary-dns"
            set mode recursive
            set doh enable
            set doq enable
        next
    end

    # Configure DNS database and entries
    config system dns-database
        edit "internal-zone"
            set type primary
            set domain "internal.company.com"
            set view shadow
            set authoritative disable
            config dns-entry
                edit 1
                    set type A
                    set hostname "webserver"
                    set ip 192.168.1.10
                next
            end
        next
    end

The CLI reference contains a comprehensive list of commands for advanced configurations not available through the GUI, such as adding more than two DNS forwarder addresses.
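The zone settings described under Building the DNS Database and the dns-database block above can be checked offline from a CLI dump. The following is an added example, not Fortinet or FortiGate code: it parses a constructed `config system dns-database` dump in the form shown above and flags two things this guide warns about, zones left authoritative and RFC 1918 addresses placed in a public-view zone; the zone name, domain and addresses are made up.

```python
import ipaddress
# Constructed sample in the FortiOS CLI form the page shows; not a real device dump.
SAMPLE = """\
config system dns-database
    edit "public-zone"
        set domain "company.com"
        set view public
        set authoritative enable
        config dns-entry
            edit 1
                set type A
                set hostname "www"
                set ip 203.0.113.20
            next
            edit 2
                set type A
                set hostname "intranet"
                set ip 10.0.0.5
            next
        end
    next
end
"""
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_dns_database(text):
    """Parse 'config system dns-database' text into zones with their 'set' values and 'entries'."""
    zones, stack = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("edit "):                  # opens a zone or a dns-entry
            stack.append({"name": line[5:].strip('"'), "entries": []})
        elif line.startswith("set "):
            _, key, value = line.split(" ", 2)
            stack[-1][key] = value.strip('"')
        elif line == "next":                          # closes the innermost edit
            node = stack.pop()
            (stack[-1]["entries"] if stack else zones).append(node)
    return zones

def audit(zones):
    """Flag zones left authoritative, and RFC 1918 addresses published in a public-view zone."""
    findings = []
    for z in zones:
        if z.get("authoritative") == "enable":
            findings.append(f"{z['name']}: authoritative enabled; guide recommends disable")
        if z.get("view") == "public":
            for e in z["entries"]:
                if "ip" in e and any(ipaddress.ip_address(e["ip"]) in n for n in RFC1918):
                    findings.append(f"{z['name']}: private {e['ip']} ({e.get('hostname')}) in public view")
    return findings
```

Feed it the output of `show system dns-database` to review all zones at once.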

Practical Implementation Considerations

Recursive vs. Forwarding Configurations

The choice between recursive and forwarding configurations depends on specific network requirements:

  • Recursive DNS is ideal when you need to maintain local records for internal resources while still resolving external queries. As described in implementation guides, this mode ensures "a comprehensive search for the requested record, utilizing both local and system DNS resources."

  • Forward to System DNS mode is useful when the FortiGate should not perform resolution itself but rather pass queries to dedicated DNS servers. This addresses scenarios like the one described in community discussions where users want "to forward my hosts' DNS queries to dynamically obtained DNS servers" from their ISP.

Dynamic DNS Considerations

A common challenge identified in community forums involves using dynamically obtained DNS servers. When an ISP provides DNS servers via DHCP, administrators can configure FortiGate to use these by:

  1. Setting the DNS mode to "Forward to System DNS" on client-facing interfaces
  2. Ensuring the FortiGate itself uses dynamically obtained DNS servers in its system settings
  3. Verifying that client queries are properly forwarded through diagnostic tools

This approach allows organizations to leverage their ISP's DNS infrastructure while maintaining the security and filtering benefits of FortiGate's DNS proxy functionality.

Frequently Asked Questions

How do I enable DNS server features in FortiGate?

DNS server options are hidden by default. Go to System > Feature Visibility, enable DNS Database in the Additional Features section, and click Apply. The DNS configuration will then appear under Network > DNS Servers.

What's the difference between recursive and non-recursive DNS modes?

Recursive mode checks the local DNS database first, then forwards unresolved queries to upstream DNS servers. Non-recursive mode only checks the local Public DNS database and does not forward unresolved queries, making it suitable for serving only known internal resources.

How can I use FortiGate with dynamically obtained DNS servers from my ISP?

Configure the interface DNS mode as "Forward to System DNS" and ensure your FortiGate's system DNS settings are set to use dynamically obtained servers. This forwards all client queries to your ISP's DNS servers while still allowing FortiGate to apply DNS filtering policies.

Should I enable the Authoritative option for my DNS zone?

No, Fortinet specifically recommends against enabling Authoritative for local DNS zones because IP addresses frequently change in dynamic environments, and maintaining an authoritative zone manually becomes labor-intensive. Disable this option for most practical implementations.

Can FortiGate DNS server use encrypted DNS protocols?

Yes, FortiGate supports DNS over TLS (DoT), DNS over HTTPS (DoH), DNS over QUIC (DoQ), and DNS over HTTP3 (DoH3). These can be enabled per interface to encrypt DNS traffic between clients and the FortiGate, though resolution beyond the FortiGate may use standard DNS unless configured otherwise.

Conclusion

FortiGate's integrated DNS server capabilities provide organizations with a powerful tool for managing name resolution while enhancing network security. By understanding the different operational modes, zone types, and security features, administrators can implement DNS services tailored to their specific requirements—whether providing local resolution for internal resources, forwarding queries to external servers, or implementing secure DNS with modern encryption protocols.

The key to successful implementation lies in carefully planning your DNS architecture, selecting appropriate modes for each interface, and leveraging FortiGate's security integrations like DNS filtering. With proper configuration, FortiGate can serve as both a security gateway and efficient DNS resolver, simplifying network infrastructure while providing robust protection against DNS-based threats.