Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
csjjpm
New Contributor II

Created on ‎10-28-2021 02:34 AM

Static DNS entries for internal servers

Hi,

  I have configured the additional DNS Database feature and created a DNS Service on my softwareswitch following these instructions: https://kb.fortinet.com/kb/documentLink.do?externalID=FD49991

 

Would someone be able to clarify something for me?  2 questions:

1.) I guess for each interface (VLAN) I have to change this to 'Specify' and put in my FG ip address as the DNS server.  However, does this replace the DNS settings I've configured in the FG or is it applied in addition?

2.) how is it applied to the VPN subnet?

 

thanks

Paul

Firewall newbie
Firewall newbie
3730
0 Kudos
1 REPLY 1
msander
Staff
Staff

Created on ‎11-18-2021 02:53 AM

Hello Paul,

 

Many thanks for your message.

 

The DNS database will not override the actual system DNS. You can actually see that as a recursive DNS database. As soon as you configure the FGT as DNS Server you can specify that all requests will be forwarded to the configured system DNS or you can specify a recursive lookup. In case of a recursive lookup all request will be sent to the system DNS apart of the configured DNS suffixes in the database. Means all request for internal domain "something.local" will be handled by FGT, while all other request will be forwarded to the System DNS.

 

[Client]----[FGT]----[DNS Server]

                       |

[Configured DNS Database for something.local]

 

Based on that information you would need to specify the FGT as DNS server for each VLAN, where you need recursive lookup. 

 

For the question on VPN:

 

For IPSEC and SSLVPN the Fortigate cannot act as DNS Server on these virtual-interfaces directly.

 

Instead you would need to create a loopback interface, where the DNS service is listening on. In order to reach the loopback interface, you would need to create a route for the client and a firewall policy. Instead of a loopback interface, you could also do the same with the internal IP of a VLAN interface. 

 

I hope this will help you for your design.

 

Best regards,

 

Mathias

There's no place like ::1/128
3503
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.