FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 272158

This article describes how to setup custom DNS hosted zone on AWS and use AWS DNS on FGT to resolve hostnames.

Scope vvikash_0-1693942949847.png


  • FortiGate:

Port1: External (Public) interface that is connected to Internet.

Port2: Internal Interface that is connected to the Private network.

Two subnets are needed for the Lab (AZ can be random).


  • Window server

Window servers are placed in private subnets respectively.

Two route tables are needed for the Lab. (One for public as well as one for private).


Reference to create VPC, Subnets (Subnet Association), Route Table, and Internet Gateway has already been configured and attached to the corresponding Entities:

Creating a VPC and subnets

Attaching the new VPC Internet gateway

Creating routing tables and associate subnets

  • If users possess multiple instances in AWS and wish to resolve all instance DNS on their FortiGate (FGT), it is possible to achieve this by creating A records within a privately hosted zone on AWS.
  1. Create two subnets: one designated as the public subnet with a public routing table, which provides access to the internet, and the other as a private subnet.
  2. Create a FortiGate instance and a Windows Server, and ensure that the Windows Server is placed within the private subnet: Deploying FortiGate-VM from AWS marketplace
  3. Add an additional network interface to the private subnet and associate it with the FortiGate instance.
  4. Now, the FortiGate will have two network interfaces, one in the public subnet and the other in the private subnet. (port1 and port2 respectively)


  • Creating a hosted zone on AWS

To create a hosted zone for '' on Amazon Route 53:  follow the  below link:

Creating a public hosted zone








Select the region as well as the VPC.


  • Check the Windows Server's private IP, copy it, and then create an A-type record in this hosted zone for the Windows Server as shown below:
  • In this case, the Windows Server IP is
  • Once that is done, AWS should resolve to


  • DHCP option for VPC:


In Amazon Web Services (AWS), it is possible to configure DHCP option sets for a Virtual Private Cloud (VPC) to provide network configuration settings to instances when they start. These DHCP option sets can include settings such as DNS servers, NTP (Network Time Protocol) servers, domain names, and domain name servers.

Go to VPC -> DHCP option, create a new DHCP option and associate with VPC.


Make sure to use AmazonProvidedDNS as the name server to do not have its own DNS server:

DHCP option sets in Amazon VPC


  • On FortiGate instance:




Once the FortiGate instance is running, uncheck 'Override System DNS' for Port1 and change the DNS servers of FortiGate to FortiGuard servers:

  • The above picture shows settings on port1 (The public port of FortiGate).
  • Use the FortiGuard server for all DNS queries.
  • Try to ping
  • FortiGate is not able to resolve this name however; public DNS is resolving all other queries. (All DNS queries will be forwarded to public DNS)




  • Add a private network interface with the FortiGate instance and keep overriding internal DNS enable.
  • So port 2 settings can be seen in the picture below ( Private subnet).
  • If the ping test is processed again, FortiGate is resolved for
  • Performing a packet capture at this moment will reveal that all DNS queries are being sent to the AWS DNS server, resolving a private domain hosted on AWS.
  • Use hybrid DNS resolution to use on-premises DNS for AWS. Route53 Resolver can serve this purpose.


Enabling the 'Override Internal DNS' option on any interface in this network will route all DNS requests to AWS DNS servers.