FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
princes
Article Id 378027
Description: This article describes how to create a local DNS database and make FortiGate respond to local DNS queries.
Scope: FortiGate.
Solution

In some use cases, FortiGate needs to respond to local DNS queries: when the listening interface receives a DNS query, FortiGate should answer it with the A records from the local DNS database.

The following steps are required to achieve this:

  1. Enable the DNS Database option under System -> Feature Visibility:

[Screenshot DNS_Database.png: the DNS Database toggle under Feature Visibility]

 

From the CLI:

config system settings
    set gui-dns-database enable
end

  2. Create a DNS server and the local database records. The DNS Servers section defines the interface on which the DNS queries are received:

[Screenshot DNS_listening_interface.png: the DNS Servers section with the listening interface]

 

Make sure to add the correct interface so that FortiGate can respond to the users' DNS queries.

Under the DNS Database section, the locally hosted DNS entries can be defined:

  • Select the method Recursive (each option is explained below in this article).
  • Enter the domain name (zone).

 

After the zone is specified, the server FQDN can be specified as shown below:

[Screenshot 2025-02-21 130931.png: the DNS entry for the server FQDN inside the zone]

 

A user trying to access the FQDN prince.hosted_server will receive a response with the DNS A record 10.20.30.40.

The test can be done from the FortiGate CLI with a ping to the FQDN.

 

Mode options for the local DNS server on FortiGate:

  1. Recursive: In this mode the firewall first checks for the entry in the local database; if it is not found, the query is still forwarded to the system DNS.
  2. Non-Recursive: If no entry is found in the local database, the resolution fails and the query is not forwarded anywhere.
  3. Forward to System DNS: The query is forwarded to the system DNS.
  4. Resolver: A recursive query can be sent to a different DNS server.
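The same configuration expressed in the FortiOS CLI, covering both the DNS server and DNS database steps above and the mode keywords behind the four options just listed. This is an added example and is not part of the original article. It assumes the listening interface is named port2 and reuses the zone and record shown above (zone hosted_server, host prince, 10.20.30.40); the keyword `set type primary` is the FortiOS 7.0+ name (earlier releases use `master`), and the `resolver` mode keyword is likewise assumed to be available only on releases that offer the Resolver option in the GUI. Lines beginning with `#` are explanatory only and are not accepted by the FortiOS CLI, so omit them when pasting.

```text
# Added example (not from the article): FortiOS CLI equivalent of the GUI steps.
# Lines starting with '#' are explanatory only; omit them when pasting.

# Step 1: make the DNS Database section visible in the GUI.
config system settings
    set gui-dns-database enable
end

# Step 2a: receive DNS queries on the internal interface (assumed name: port2).
# The mode keywords map to the GUI options:
#   recursive | non-recursive | forward-only | resolver
# Use an internal interface here; a WAN-facing listener would act as an open resolver.
config system dns-server
    edit "port2"
        set mode recursive
    next
end

# Step 2b: the local zone and its A record (zone name, host and IP taken from the article).
# 'type primary' is the FortiOS 7.0+ keyword ('master' on older releases).
# 'view shadow' answers internal queries only and does not publish the zone authoritatively.
config system dns-database
    edit "hosted_server"
        set domain "hosted_server"
        set type primary
        set view shadow
        set ttl 86400
        set authoritative enable
        config dns-entry
            edit 1
                set type A
                set hostname "prince"
                set ip 10.20.30.40
            next
        end
    next
end

# Verify from the FortiGate CLI: the FQDN must resolve to 10.20.30.40 from the local database.
execute ping prince.hosted_server
```

With `recursive` mode, a name that is not in the hosted_server zone is still forwarded to the system DNS, so clients keep normal Internet resolution; switch to `non-recursive` only when the listener should answer exclusively from the local database.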

 

Related articles:

Technical Tip: DNS database with FortiGate as a slave to a Windows AD DNS master

Technical Tip: DNS conditional forwarding