Dear all,
I wonder what is the use of the "authoritative" for Fortigate DNS Proxy?
Is that feature just stopping users from IP changed with the same Domain name?
Thanks!
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
"set authoritative enable" basically means "I am the only source of information for this DNS zone, nobody else knows". If an entry does not exist in a zone set to authoritative=enable, the FortiGate will assume that the entry does not exist at all.
The difference can be primarily felt in situations where the FortiGate, or the endpoint clients, use both the DNS zones configured on the FortiGate and also forward queries for other requests.
Here's a sample scenario you can try:
config system dns-database
edit "example.com"
set domain "example.com"
# set authoritative enable # not visible because it is the default setting
config dns-entry
edit 1
set hostname "xxx"
set ip 127.0.0.13
next
end
next
end
Now try to ping these FQDNs from the FortiGate CLI:
exe ping xxx.example.com => resolved to 127.0.0.13
exe ping www.example.com => host not found (!)
Now edit the DNS zone and set authoritative to "disable". After that, re-run the ping tests:
exe ping xxx.example.com => resolved to 127.0.0.13
exe ping www.example.com => resolved to 93.184.216.34
As you can see, an authoritative zone prevents the FortiGate from checking for DNS records futher upstream, because the setting tells it that it is the only source of DNS records for that zone.
But what if I set the forwarder at the same time? What does the "authoritative" work like?
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1662 | |
1077 | |
752 | |
446 | |
220 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.