Chandra_FTNT
Staff & Editor
October 1, 2020

Technical Tip: Adding static DNS entry on FortiGate with DHCP assignment


Description

 

This article describes how to add static DNS entries that resolve internally hosted domains, with FortiGate acting as both DHCP and DNS server and providing a range of IPs to workstations.

 

In this scenario, users need the domain name of an internally hosted website to resolve to a local IP when they access the site. FortiGate can be configured as a DNS server, with a static DNS entry added to its DNS server database.

 

Scope

 

FortiGate.

Solution


Make sure that DNS Database is enabled in Feature Visibility: go to System -> Feature Visibility -> Additional Features -> DNS Database.

 
Configure the DNS database server with static DNS entries:
Create a DNS Service on the interface where the users send DNS queries, with the mode set to 'Recursive':
 
 
Example configuration in the CLI: 
 
config system dns-server
    edit "port2"
        set mode recursive
    next
end
 
Create the DNS Database and, within it, create the static DNS entry as shown below:
 
 
Example configuration in the CLI: 
 
config system dns-database
    edit "test"
        set domain "example.com"
        set authoritative disable
        config dns-entry
            edit 1
                set hostname "test"
                set ip 1.1.1.1
            next
        end
        set contact "hostmaster"
    next
end
 
Once 'OK' is selected, save the DNS settings and create a DHCP Server configuration under port2:
 
 
config system dhcp server
    edit 5
        set default-gateway 172.31.131.2
        set netmask 255.255.240.0
        set interface "port2"
        config ip-range
            edit 1
                set start-ip 172.31.128.2
                set end-ip 172.31.143.254
            next
        end
        set dns-server1 172.31.131.2
    next
end
 
The workstations behind this interface will get an IP from this DHCP range, along with the DNS server IP, which will resolve the static DNS entry in the DNS database as below:
 
 
When trying to resolve the domain test.example.com:
 
 
FortiGate resolves the domain to a private IP.
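
The three blocks above depend on each other, so a saved configuration can be cross-checked offline before it is applied. The Python sketch below is an added example, not Fortinet code: it walks a FortiOS config excerpt and flags static DNS entries that point outside private address space (the article's sample value 1.1.1.1 is one) and DHCP scopes that hand out the gateway as DNS server on an interface with no DNS service. The function names and the "dns-server1 equals default-gateway" heuristic are assumptions.

```python
import ipaddress
import shlex
# Constructed sample: the article's three CLI blocks, trimmed to the settings checked here.
SAMPLE = """
config system dns-server
    edit "port2"
        set mode recursive
    next
end
config system dns-database
    edit "test"
        config dns-entry
            edit 1
                set ip 1.1.1.1
            next
        end
    next
end
config system dhcp server
    edit 5
        set default-gateway 172.31.131.2
        set interface "port2"
        set dns-server1 172.31.131.2
    next
end
"""

def settings(text):  # yields (path, key, value) per 'set' line; path = config/edit nesting
    path = []
    for tok in map(shlex.split, text.splitlines()):
        if tok and tok[0] in ("config", "edit"):
            path.append(" ".join(tok[1:]))
        elif tok and tok[0] in ("end", "next"):
            path.pop()
        elif tok and tok[0] == "set":
            yield tuple(path), tok[1], " ".join(tok[2:])

def audit(text):
    """Hypothetical lint. Assumes dns-server1 == default-gateway means clients query the FortiGate."""
    rows, findings, dhcp = list(settings(text)), [], {}
    dns_ifaces = {p[1] for p, k, _ in rows if p[0] == "system dns-server" and k == "mode"}
    for p, k, v in rows:
        if p[0] == "system dhcp server" and len(p) == 2:
            dhcp.setdefault(p[1], {})[k] = v
        elif p[0] == "system dns-database" and k == "ip" and not ipaddress.ip_address(v).is_private:
            findings.append(f"dns-database {p[1]} entry {p[3]}: {v} is not a private address")
    for sid, s in dhcp.items():
        if s.get("dns-server1") == s.get("default-gateway", "") and s.get("interface") not in dns_ifaces:
            findings.append(f"dhcp server {sid}: no dns-server service on {s.get('interface')}")
    return findings
```

Calling `audit()` on a real backup excerpt returns a list of findings; an empty list means both checks passed.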