Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.

What is the "set authoritative disable" used for Fortigate DNS Proxy feature?

Dear all,


I wonder what the use of the "authoritative" setting is for the FortiGate DNS Proxy?


Is that feature just stopping users from having the IP changed for the same domain name?






"set authoritative enable" basically means "I am the only source of information for this DNS zone, nobody else knows". If an entry does not exist in a zone set to authoritative=enable, the FortiGate will assume that the entry does not exist at all.


The difference can be primarily felt in situations where the FortiGate, or the endpoint clients, use both the DNS zones configured on the FortiGate and also forward queries for other requests.


Here's a sample scenario you can try:

config system dns-database
    edit ""
        set domain ""
        # set authoritative enable # not visible because it is the default setting
        config dns-entry
            edit 1
                set hostname "xxx"
                set ip
            next
        end
    next
end


Now try to ping these FQDNs from the FortiGate CLI:
exe ping => resolved to

exe ping  => host not found (!)


Now edit the DNS zone and set authoritative to "disable". After that, re-run the ping tests:

exe ping => resolved to

exe ping  => resolved to


As you can see, an authoritative zone prevents the FortiGate from checking for DNS records further upstream, because the setting tells it that it is the only source of DNS records for that zone.

[ corrections always welcome ]
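To make the lookup behaviour described above concrete, here is a small Python model of the decision a DNS proxy makes for a name inside a locally configured zone. This is an added illustration, not FortiOS code or anything the poster wrote; the zone name, hostnames, IP addresses and the upstream table are constructed sample data.

```python
"""Model of how a locally hosted DNS zone answers queries depending on
whether the zone is marked authoritative. Added illustration only; all
names and addresses below are constructed sample data."""
from typing import Dict, Optional

# Constructed sample data: the zone held on the proxy and what the
# upstream (forwarded-to) resolver knows.
LOCAL_ZONE = "example.lab"
LOCAL_RECORDS: Dict[str, str] = {"xxx.example.lab": "10.0.0.10"}
UPSTREAM: Dict[str, str] = {
    "yyy.example.lab": "203.0.113.5",   # known only upstream
    "www.example.net": "203.0.113.80",  # outside the local zone
}


def in_zone(name: str, zone: str) -> bool:
    """True if name equals the zone apex or is a subdomain of it."""
    n, z = name.lower().rstrip("."), zone.lower().rstrip(".")
    return n == z or n.endswith("." + z)


def resolve(name: str, authoritative: bool,
            local_zone: str = LOCAL_ZONE,
            local_records: Dict[str, str] = LOCAL_RECORDS,
            upstream: Dict[str, str] = UPSTREAM) -> Optional[str]:
    """Return the resolved IP, or None for 'host not found'."""
    key = name.lower().rstrip(".")
    if in_zone(key, local_zone):
        if key in local_records:
            return local_records[key]
        if authoritative:
            # Authoritative zone: a missing entry means the name does not
            # exist, so the query is answered negatively and never forwarded.
            return None
    # Name is outside the local zone, or the zone is non-authoritative and
    # had no matching entry: forward the query upstream.
    return upstream.get(key)


if __name__ == "__main__":
    for auth in (True, False):
        for host in ("xxx.example.lab", "yyy.example.lab"):
            print(f"authoritative={auth} {host} -> "
                  f"{resolve(host, auth) or 'host not found'}")
```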
