psunith76
New Contributor

Fortigate 101F DNS Setting

Fortigate 101F
v7.2.4 Build 1396 (Feature)

I am trying to wrap my head around the DNS settings on the firewall.

1. Currently the appliance is configured to use the DNS of FortiGuard servers. Is it best we change it to internal DNS servers? The support team advises to keep the FortiGuard servers' DNS. However, we understand it is best to keep the internal DNS servers & add the local domain name.

2. DDNS - only if we use the FortiGuard DNS can we use the FortiGuard DDNS. If we specify our internal DNS servers, we need to configure a 3rd-party DDNS like NOIP etc.

3. MTU value is set to 1500. Is it best to change it as per what our ISP supports, which is 1462? If so, how?

Appreciate advice on what is best practice. If you notice on the screenshot, there is 110ms & 120ms latency, which goes to 230ms & 290ms.

Screenshot_70.png

1 REPLY
nilmoe
New Contributor II

Hi psunith76,

I tried with a little answer.

1. DNS - For this topic it depends on what you want to achieve and whether you want to implement the FortiGate DNS security tools like DNS filters.

My "best practice" is to point the FortiGate's DNS servers to external servers like 1.1.1.1 or 9.9.9.9. FortiGuard servers work as well, but they come with malware and reputation filters, which you maybe want, maybe not. :)

I also add the internal DNS zones into the DNS Database ("Network > DNS Servers"; the feature may be hidden, enable it in Feature Visibility). These internal zones then get configured with my internal DNS servers as the zones' forwarders. Like this, the FortiGate is able to resolve FQDNs which are located in your internal zones, and they can be used for FQDN address objects etc.

If you want, you can configure dns-service on interfaces of the FortiGate as well and attach a DNS filter right there. That way you know what your clients are trying to resolve and can attach category-based filters, which I highly recommend.

2. DDNS is only necessary if the IP from your ISP is "dynamic", which means it changes regularly, and for this you want a DNS record pointing to that IP address, e.g. for VPN.

-> If this is the case, you can certainly use FortiDDNS; other services like NOIP work fine as well. No real best practice there. NOIP needs manual verification every 30 days afaik.

3. MTU size can be configured on the desired interface directly.

e.g.

config system interface
    edit wan1
        set mtu-override enable
        set mtu 1462
    next
end

Hope this helps.

Best Regards

Nils
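The CLI equivalent of the DNS setup nilmoe describes in point 1 (public resolvers for the box itself, an internal zone in the DNS database forwarding to the internal servers, and dns-service with a DNS filter on the LAN interface), as an added worked example rather than the poster's own configuration. The public resolvers are the ones the reply names; the domain, zone name, internal server addresses and interface name are assumed placeholders for a 7.2 build, and the exact keyword set can differ between releases.

```fortios
# System resolver for the FortiGate itself: public resolvers as suggested in the reply.
# The local domain name is an assumed placeholder.
config system dns
    set primary 1.1.1.1
    set secondary 9.9.9.9
    set domain "corp.example.com"
end

# DNS database zone for the internal domain (GUI: Network > DNS Servers).
# The zone's forwarders are the internal DNS servers (assumed addresses), so
# lookups for *.corp.example.com are sent there instead of to the public resolvers.
config system dns-database
    edit "corp-internal"
        set domain "corp.example.com"
        set forwarder 10.0.0.10 10.0.0.11
    next
end

# Serve DNS to clients on the LAN interface (assumed name "port1").
# "recursive" consults the DNS database zones first and forwards everything else;
# the attached DNS filter profile gives visibility of client lookups and category blocking.
config system dns-server
    edit "port1"
        set mode recursive
        set dnsfilter-profile "default"
    next
end
```

Point client DHCP scopes at the FortiGate interface address once this is in place, otherwise client lookups never reach the DNS filter.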
