FortiGate
snadgir (Staff)
Article Id 367591
Description

 

This article describes how to create a DNS database for a website that is hosted in the local network.

 

Scope

 

FortiGate.

 

Solution

 

Local DNS servers can be created for a network. Depending on the specific requirements, entries can either be manually managed (via a primary DNS server) or configured to reference an external source (as a secondary DNS server).

 

A local primary DNS server requires the manual addition of all URL and IP address combinations. 

 

Configuration steps from the GUI:

 

  1. Go to System -> Feature Visibility and enable DNS Database under Additional Features.


image (27).png

 

  2. Navigate to Network -> DNS Servers and create a New DNS Database.

 

image (29).png

 

When configuring the DNS view, set it to 'Shadow' to ensure access is limited to internal users. Select the appropriate DNS zone and specify its domain name, along with the DNS server hostname and the administrator’s contact email address. Be sure to disable the Authoritative option, as IP addresses may change frequently and maintaining them manually can be time-consuming. Choosing the 'Shadow' type instead of 'Public' is essential for FortiGate to successfully perform nslookup on the internal database.

 

  3. Add DNS entries:

 

image (30).png

 

In the screenshot above, the FQDN is formed from the hostname entered for the entry together with the zone's domain name.

 

The DNS Entry also helps the FortiGate locally resolve FQDN (mywebsite3.com) to an IP address (192.168.100.10).

Verify the FQDN resolution by initiating pings on FortiGate.

 

exe ping mywebsite3.com
PING mywebsite3.com (192.168.100.10): 56 data bytes
64 bytes from 192.168.100.10: icmp_seq=0 ttl=64 time=0.6 ms
64 bytes from 192.168.100.10: icmp_seq=1 ttl=64 time=0.5 ms
64 bytes from 192.168.100.10: icmp_seq=2 ttl=64 time=0.5 ms
64 bytes from 192.168.100.10: icmp_seq=3 ttl=64 time=0.4 ms
64 bytes from 192.168.100.10: icmp_seq=4 ttl=64 time=0.4 ms

--- mywebsite3.com ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.4/0.4/0.6 ms

 

  4. Create a DNS Service on the interface:

image (31).png

 

In the above image, port1 is selected as the interface behind which the hosts whose IP addresses need to be resolved are located.

image (33).png

 

  5. Point the DNS server setting at the firewall interface that acts as the default gateway. In the above scenario, it is set to 172.16.32.1 (the IP address of port1):

image (32).png

 

Once the DNS server has been set, test by performing an nslookup of the FQDN; it should resolve to the internal IP address of the host on the LAN.

 

image (34).png
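The same configuration expressed in the FortiOS CLI, added here as an illustration and not taken from the article. The zone name, the 192.168.100.10 address and port1 are the article's values; the www hostname, the primary-name value and the contact address are assumptions.

```fortios
# Enable the DNS Database feature (CLI equivalent of System -> Feature Visibility)
config system settings
    set gui-dns-database enable
end

# Primary zone, maintained manually; 'shadow' keeps it answerable for internal
# clients only, which is also what lets the FortiGate itself resolve it
config system dns-database
    edit "mywebsite3.com"
        set status enable
        set domain "mywebsite3.com"
        set type primary
        set view shadow
        set authoritative disable
        # assumed DNS server hostname and contact address for the SOA record
        set primary-name "dns"
        set contact "hostmaster@mywebsite3.com"
        config dns-entry
            edit 1
                set status enable
                set type A
                # assumed host label; with the zone above the FQDN is www.mywebsite3.com
                set hostname "www"
                set ip 192.168.100.10
            next
        end
    next
end

# Serve DNS on port1 (172.16.32.1), the interface LAN clients use as their gateway
config system dns-server
    edit "port1"
        set mode recursive
    next
end

# Verify from the FortiGate itself before testing from a client
execute ping www.mywebsite3.com
```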

 

Related articles:

Technical Tip: DNS Database view type Shadow and Public for explicit proxy 

Troubleshooting Tip: Internal DNS queries are not resolved when FortiGate is used as a DNS server