FortiGate
wmichael, Staff
Article Id 313629
Description This article describes how to make a CNAME record in a FortiGate DNS zone resolve to the real public IP address of a domain outside that zone.
Scope FortiGate DNS server.
Solution

This article explains how a CNAME record in a FortiGate DNS zone can point at a host in another domain, so that the query returns that host's real public IP address instead of looking for an A record inside the local zone.

 

CNAME Record:

In this example, fortinet.example.com is an alias for fortinet.com: 'fortinet.example.com' is the alias name and 'fortinet.com' is the canonical name the CNAME record points to.


[Image: diagram.jpg]

 

In this example, the FortiGate DNS service is enabled on port10. The DNS zone named 'example.com' is configured with the domain 'example.com'. The CNAME record is for host 'fortinet' and is meant to point at the canonical domain 'fortinet.com'. The host running nslookup uses the FortiGate's port10 IP address, 10.182.0.1, as its DNS server.


[Image: DNS_Server.jpg]
[Image: DNS-zone.jpg]
[Image: CNAME-record1.jpg]

 

CLI configuration:

 

config system dns-server
    edit "port10"
    next
end

config system dns-database
    edit "example.com"
        set domain "example.com"
        config dns-entry
            edit 4
                set type CNAME
                set hostname "fortinet"
                set canonical-name "fortinet.com"
            next
        end
    next
end

 

The result is that no IP address is resolved. Because the canonical-name 'fortinet.com' has no trailing dot, the FortiGate treats it as a name relative to the zone's domain and expands it to 'fortinet.com.example.com'. No A record exists for 'fortinet.com.example.com' in the zone's DNS entries, so the lookup fails.

 

nslookup results:


[Image: nslookup1.jpg]


To change the behavior so that the IP address of the real domain is resolved (in this example, fortinet.com), add a trailing '.' to the canonical-name, making it 'fortinet.com.'.

 

[Image: CNAME-record2.jpg]


CLI configuration:

 

config system dns-server
    edit "port10"
    next
end

config system dns-database
    edit "example.com"
        set domain "example.com"
        config dns-entry
            edit 4
                set type CNAME
                set hostname "fortinet"
                set canonical-name "fortinet.com."
            next
        end
    next
end

 

The trailing '.' makes the canonical-name fully qualified (absolute), so the FortiGate no longer appends the zone domain 'example.com' to it. Since 'fortinet.com.' lies outside the zone the FortiGate is authoritative for, the DNS service forwards the lookup to the FortiGate's system DNS servers as a recursive query, and the IP address of the real domain is resolved. This forwarding relies on the DNS service on the interface being in recursive mode (the default); in non-recursive mode the FortiGate only answers for names in its own DNS database, and the CNAME target will still not be resolved.
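The following is an added example, not FortiGate code, that models the two behaviours described above: a toy authoritative zone for 'example.com' plus a stub upstream resolver standing in for the FortiGate's system DNS servers. The zone entries, the `recursive` switch, and the upstream answer (203.0.113.10, a documentation address, not the real fortinet.com IP) are all assumptions constructed for the example.

```python
"""Added example (not FortiGate code): why 'fortinet.com' and 'fortinet.com.'
behave differently as CNAME targets in a zone whose domain is example.com."""
from dataclasses import dataclass


def qualify(name: str, origin: str) -> str:
    """Make a DNS name absolute. A trailing dot means 'already fully qualified';
    anything else is relative and gets the zone origin appended, which is
    exactly what turns 'fortinet.com' into 'fortinet.com.example.com.'."""
    name = name.lower()
    if name.endswith("."):
        return name
    return f"{name}.{origin.lower()}."


@dataclass
class Zone:
    origin: str
    records: dict  # absolute owner name -> (rtype, rdata)


def build_zone(origin: str, entries) -> Zone:
    """entries: (rtype, hostname, value) tuples as typed into the FortiGate CLI."""
    records = {}
    for rtype, host, value in entries:
        owner = qualify(host, origin)
        if rtype == "CNAME":
            value = qualify(value, origin)  # canonical-name is qualified the same way
        records[owner] = (rtype, value)
    return Zone(origin.lower(), records)


def in_zone(name: str, origin: str) -> bool:
    return name == f"{origin}." or name.endswith(f".{origin}.")


# Stub for the recursive lookup the FortiGate hands to its system DNS servers (constructed).
UPSTREAM = {"fortinet.com.": "203.0.113.10"}


def resolve(zone: Zone, qname: str, recursive: bool = True, max_hops: int = 8):
    """Answer an A query for qname. Returns (rcode, cname_chain, ip)."""
    name = qualify(qname, zone.origin)
    chain = []
    for _ in range(max_hops):
        if not in_zone(name, zone.origin):
            # Target lies outside our authority: only a recursive server forwards it.
            if not recursive:
                return ("NOERROR", chain, None)  # CNAME returned, no address
            ip = UPSTREAM.get(name)
            return ("NOERROR" if ip else "NXDOMAIN", chain, ip)
        rec = zone.records.get(name)
        if rec is None:
            return ("NXDOMAIN", chain, None)  # e.g. fortinet.com.example.com.
        rtype, rdata = rec
        if rtype == "CNAME":
            chain.append((name, rdata))
            name = rdata
            continue
        return ("NOERROR", chain, rdata if rtype == "A" else None)
    return ("SERVFAIL", chain, None)  # CNAME loop


# The two configurations from the article.
BROKEN = build_zone("example.com", [("CNAME", "fortinet", "fortinet.com")])
FIXED = build_zone("example.com", [("CNAME", "fortinet", "fortinet.com.")])

if __name__ == "__main__":
    for label, zone in (("no trailing dot", BROKEN), ("trailing dot", FIXED)):
        print(label, resolve(zone, "fortinet.example.com."))
```

Running it prints NXDOMAIN with the chain ending at 'fortinet.com.example.com.' for the first zone, and the upstream address for the second; calling `resolve(FIXED, ..., recursive=False)` shows the non-recursive case, where the CNAME is returned but no address follows.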

 

The FortiGate uses the FortiGuard DNS servers by default but different servers can be configured.


[Image: System_DNS_Servers.jpg]

 

nslookup results:


[Image: nslookup2.jpg]


Use the sniffer to verify that the DNS query was forwarded from the FortiGate to its configured DNS servers, where x.x.x.x is the configured server (verbosity 4 prints the interface name, a count of 0 captures until interrupted, and 'l' prints local timestamps):


diag sniff pack any 'host x.x.x.x and port 53' 4 0 l

 

For example, with the FortiGuard DNS servers in use, the capture shows the FortiGate's port1 IP address 10.9.10.28 sending a DNS query to 96.45.45.45 on port 53 and receiving the reply:

 

diag sniff pack any '(host 96.45.45.45 or host 96.45.46.46) and port 53' 4 0 l
Using Original Sniffing Mode
interfaces=[any]
filters=[(host 96.45.45.45 or host 96.45.46.46) and port 53]
2024-05-03 16:14:20.840759 port1 out 10.9.10.28.1954 -> 96.45.45.45.53: udp 41
2024-05-03 16:14:20.846728 port1 in 96.45.45.45.53 -> 10.9.10.28.1954: udp 121
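To turn that manual check into something repeatable, here is an added example (not a Fortinet tool) that parses verbosity-4 sniffer output and confirms that every outbound DNS query went to one of the configured system DNS servers and received a reply. The first two capture lines are the ones shown above; the last two lines and the 'port 53' filter are constructed to show an unanswered query and a query to 192.0.2.53 (a documentation address), a server that is not configured.

```python
"""Added example (not a Fortinet tool): check 'diagnose sniffer packet' output
for DNS queries that were forwarded to, and answered by, the configured servers."""
import re
from collections import namedtuple

Packet = namedtuple("Packet", "ts iface direction src sport dst dport proto length")

# Matches lines such as:
# 2024-05-03 16:14:20.840759 port1 out 10.9.10.28.1954 -> 96.45.45.45.53: udp 41
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) (?P<iface>\S+) (?P<direction>in|out) "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) -> (?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): "
    r"(?P<proto>udp|tcp) (?P<length>\d+)$"
)

FORTIGUARD_DNS = ("96.45.45.45", "96.45.46.46")  # servers from the article

# First two packet lines are from the article; the rest is constructed.
SAMPLE = """\
Using Original Sniffing Mode
interfaces=[any]
filters=[port 53]
2024-05-03 16:14:20.840759 port1 out 10.9.10.28.1954 -> 96.45.45.45.53: udp 41
2024-05-03 16:14:20.846728 port1 in 96.45.45.45.53 -> 10.9.10.28.1954: udp 121
2024-05-03 16:14:25.100000 port1 out 10.9.10.28.2011 -> 96.45.46.46.53: udp 41
2024-05-03 16:14:31.500000 port1 out 10.9.10.28.2048 -> 192.0.2.53.53: udp 41
"""


def parse_sniffer(text: str):
    """Return Packet tuples for the packet lines; header and filter lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            packets.append(Packet(d["ts"], d["iface"], d["direction"], d["src"], int(d["sport"]),
                                  d["dst"], int(d["dport"]), d["proto"], int(d["length"])))
    return packets


def check_forwarding(text: str, servers):
    """Pair outbound queries (to port 53) with inbound replies by FortiGate source port.
    Returns counts plus the destinations of any queries sent to non-configured servers."""
    servers = set(servers)
    pending = {}      # (fortigate_ip, fortigate_port, server) -> query packet
    answered = 0
    unexpected = []
    for p in parse_sniffer(text):
        if p.direction == "out" and p.dport == 53:
            if p.dst in servers:
                pending[(p.src, p.sport, p.dst)] = p
            else:
                unexpected.append(p.dst)
        elif p.direction == "in" and p.sport == 53 and p.src in servers:
            if pending.pop((p.dst, p.dport, p.src), None) is not None:
                answered += 1
    return {"answered": answered, "unanswered": len(pending), "unexpected": unexpected}


if __name__ == "__main__":
    print(check_forwarding(SAMPLE, FORTIGUARD_DNS))
```

Note that the article's filter of 'host 96.45.45.45 or host 96.45.46.46' only captures traffic to those two servers; to catch queries that leave for a server you did not configure, capture with a filter of just 'port 53' and feed the output to the check.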

 

Related article:

Technical Tip: Different options of configuring DNS server on FortiGate.
