Support Forum
Potato168
New Contributor

What is "set authoritative disable" used for in the FortiGate DNS proxy feature?

Dear all,

I wonder what the "authoritative" setting is used for in the FortiGate DNS proxy?

Is that feature just stopping users from changing the IP of the same domain name?

Thanks!

pminarik
Staff

"set authoritative enable" basically means "I am the only source of information for this DNS zone, nobody else knows". If an entry does not exist in a zone set to authoritative=enable, the FortiGate will assume that the entry does not exist at all.

The difference can be primarily felt in situations where the FortiGate, or the endpoint clients, use both the DNS zones configured on the FortiGate and also forward queries for other requests.

Here's a sample scenario you can try:

config system dns-database
    edit "example.com"
        set domain "example.com"
        # set authoritative enable # not visible because it is the default setting
        config dns-entry
            edit 1
                set hostname "xxx"
                set ip 127.0.0.13
            next
        end
    next
end

Now try to ping these FQDNs from the FortiGate CLI:

exe ping xxx.example.com => resolved to 127.0.0.13
exe ping www.example.com  => host not found (!)

Now edit the DNS zone and set authoritative to "disable". After that, re-run the ping tests:

exe ping xxx.example.com => resolved to 127.0.0.13
exe ping www.example.com  => resolved to 93.184.216.34

As you can see, an authoritative zone prevents the FortiGate from checking for DNS records further upstream, because the setting tells it that it is the only source of DNS records for that zone.

[ corrections always welcome ]
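As an added example (not FortiOS code and not part of the reply above), here is a small model of the lookup decision the reply describes: a local zone carrying the authoritative flag, a stubbed upstream forwarder, and the two ping queries from the scenario. The names Zone, resolve, scenario and the UPSTREAM table are hypothetical and constructed for this model; the 93.184.216.34 answer is the one quoted in the reply.

```python
"""Model of the FortiGate dns-database lookup decision discussed above.
Constructed example, not FortiOS code; the upstream resolver is a dict
so the script runs offline."""
from __future__ import annotations
from dataclasses import dataclass, field

NXDOMAIN = "NXDOMAIN"  # what the CLI shows as "host not found"

@dataclass
class Zone:
    domain: str
    authoritative: bool = True              # FortiOS default: set authoritative enable
    entries: dict[str, str] = field(default_factory=dict)  # hostname -> ip

# Constructed stand-in for the forwarder configured under "config system dns".
UPSTREAM = {"www.example.com": "93.184.216.34", "www.example.org": "203.0.113.10"}

def upstream_resolve(fqdn: str) -> str:
    return UPSTREAM.get(fqdn, NXDOMAIN)

def find_zone(fqdn: str, zones: list[Zone]) -> Zone | None:
    """Longest-suffix match: a.b.example.com belongs to the example.com zone."""
    best = None
    for z in zones:
        if fqdn == z.domain or fqdn.endswith("." + z.domain):
            if best is None or len(z.domain) > len(best.domain):
                best = z
    return best

def resolve(fqdn: str, zones: list[Zone]) -> tuple[str, str]:
    """Return (answer, source); source is 'local', 'local-nx' or 'upstream'."""
    fqdn = fqdn.lower().rstrip(".")
    zone = find_zone(fqdn, zones)
    if zone is None:
        return upstream_resolve(fqdn), "upstream"   # no local zone: forward
    host = fqdn[: -len(zone.domain)].rstrip(".")    # "xxx" for xxx.example.com
    if host in zone.entries:
        return zone.entries[host], "local"
    if zone.authoritative:
        # The zone claims to be the only source: a missing entry means "does not exist".
        return NXDOMAIN, "local-nx"
    return upstream_resolve(fqdn), "upstream"       # non-authoritative: fall through

def scenario(authoritative: bool) -> dict[str, tuple[str, str]]:
    """The zone from the reply, queried for both FQDNs used in the ping tests."""
    zones = [Zone("example.com", authoritative, {"xxx": "127.0.0.13"})]
    return {q: resolve(q, zones) for q in ("xxx.example.com", "www.example.com")}

if __name__ == "__main__":
    for flag in (True, False):
        print(f"authoritative={'enable' if flag else 'disable'}")
        for q, (ans, src) in scenario(flag).items():
            print(f"  {q:18s} -> {ans:15s} ({src})")
```

The defender-relevant difference is the "local-nx" path: with authoritative enabled a missing record fails closed inside the FortiGate, while with it disabled the same query is handed to the upstream resolver.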