FortiWAN Configurations

Wildcard Support

A wildcard character is supported in Multihoming's A records and AAAA records for resolving domain names. However, the wildcard character * can only be used on its own: a mixture of a wildcard character and other ASCII characters, such as “*abc”, “abc*”, “a*bc” and “*.abc”, is not accepted by Multihoming. A wildcard record matches DNS queries for any hostname that is not stated in an NS record, the primary name server, an external subdomain record or another A/AAAA record of the domain, and such queries are answered according to the policy specified for the wildcard A/AAAA record.

For example, suppose we have a domain example.com with the following resource records:

Primary name server=ns1, IPv4 Address=10.10.10.1

NS Record: Name Server=ns2, IPv4 Address=10.10.10.2

A Record: Host Name=www, To Policy=policy_www

A Record: Host Name=ftp, To Policy=policy_ftp

A Record: Host Name=*, To Policy=policy_wildcard

External Subdomain Record: Subdomain Name=subdomain1

NS Record of the subdomain: Name Server=ns3, IPv4 Address=20.20.20.1

Any DNS query for a hostname or subdomain other than “www”, “ftp”, “ns1”, “ns2”, “subdomain1” and “ns3.subdomain1” will match the wildcard A record and be answered according to the wildcard policy policy_wildcard.

  • Request for example.com will be answered with 10.10.10.1.
  • Request for ns2.example.com will be answered with 10.10.10.2.
  • Request for subdomain1.example.com will be answered with 20.20.20.1.
  • Request for ftp.example.com will be answered by policy_ftp.
  • Request for www.example.com will be answered by policy_www.
  • Requests for FQDNs such as example.com, abc.d.example.com and abc.d.e.example will be answered by policy_wildcard.

Note that the wildcard character is not accepted in record types other than A/AAAA (NS, MX, TXT, etc.).
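The matching order described above (name servers and delegated subdomains first, then explicit A records, then the wildcard) is easy to get wrong when reading a zone by hand. The following Python is an added example, not FortiWAN or Multihoming code: it models that order and loads it with the example.com records listed above. The class and function names are my own, and the rule that a query for the bare domain returns the primary name server's address is taken from the first bullet above rather than from any documented algorithm.

```python
# Added example (not FortiWAN/Multihoming code): a model of the wildcard
# matching rule described above, loaded with the page's example.com records.
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Domain:
    name: str
    primary_ns: tuple[str, str]                                 # (prefix, IPv4)
    ns_records: dict[str, str] = field(default_factory=dict)    # prefix -> IPv4
    a_records: dict[str, str] = field(default_factory=dict)     # prefix -> policy
    subdomains: dict[str, dict[str, str]] = field(default_factory=dict)  # prefix -> {ns prefix: IPv4}


def validate_hostname(hostname: str) -> str:
    """Only a bare '*' is accepted as a wildcard; '*abc', 'abc*', 'a*bc'
    and '*.abc' are rejected, as the text states."""
    if "*" in hostname and hostname != "*":
        raise ValueError(f"wildcard must stand alone, got {hostname!r}")
    return hostname.lower()


def build_example() -> Domain:
    """The records listed above for example.com (constructed from the page)."""
    return Domain(
        name="example.com",
        primary_ns=("ns1", "10.10.10.1"),
        ns_records={"ns2": "10.10.10.2"},
        a_records={validate_hostname(h): p for h, p in
                   [("www", "policy_www"), ("ftp", "policy_ftp"), ("*", "policy_wildcard")]},
        subdomains={"subdomain1": {"ns3": "20.20.20.1"}},
    )


def resolve(domain: Domain, qname: str) -> str:
    """Answer for an A query: an address for name-server and delegation names,
    otherwise the name of the A-record policy that will choose the address."""
    qname = qname.rstrip(".").lower()
    base = domain.name.lower()
    if qname == base:
        return domain.primary_ns[1]  # assumption from the first bullet: bare domain -> primary NS address
    suffix = "." + base
    if not qname.endswith(suffix):
        raise LookupError(f"{qname} is not under {base}")
    rel = qname[: -len(suffix)]       # "www", "abc.d", "ns3.subdomain1", ...
    if rel == domain.primary_ns[0]:
        return domain.primary_ns[1]
    if rel in domain.ns_records:
        return domain.ns_records[rel]
    for sub, sub_ns in domain.subdomains.items():
        # anything at or below a delegated subdomain is answered with its name servers' addresses
        if rel == sub or rel.endswith("." + sub):
            return ", ".join(sub_ns.values())
    if rel in domain.a_records:
        return domain.a_records[rel]
    if "*" in domain.a_records:
        return domain.a_records["*"]  # everything else falls to the wildcard policy
    raise LookupError(f"no record matches {qname}")


if __name__ == "__main__":
    d = build_example()
    for q in ["example.com", "ns2.example.com", "ns3.subdomain1.example.com",
              "ftp.example.com", "abc.d.example.com"]:
        print(q, "->", resolve(d, q))
```

The order of the checks is the point: a name that is delegated or belongs to a name server never reaches the wildcard, which is why the text lists those names as the exceptions.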

CName Record

CName (Canonical Name) records are used to alias one hostname to another, so that a host can be known by more than one hostname. The hostname of a host that is stated in an A/AAAA record is called the canonical name of the host. An A/AAAA record for the host is always required first; a CName record then points an alias to that canonical name. A host can have multiple alias names, but an alias can only be assigned to one host.

Alias Alias name for a host. This field can be configured in two formats: a hostname (prefix) or a FQDN.

Hostname (prefix)

A text string specified here (dot characters within are acceptable) that does not end with a dot character is regarded as a prefix of the alias name, and the base domain specified previously is appended to this prefix automatically by the Multihoming backend. For example, enter “www” or “www.abc” here if you want to alias the target host1.example.com to www.example.com or www.abc.example.com.

FQDN

Conversely, a text string specified here (dot characters within are acceptable) that ends with a dot character is regarded as the FQDN of the alias name, and the base domain specified previously is not appended to it by the backend. For example, enter “www.example.com.” or “www.abc.example.com.” here if you want to alias the target host1.example.com to www.example.com or www.abc.example.com.

Target Canonical name (the real name) of the host that you want to alias. This field can be configured in two formats: a hostname (prefix) or a FQDN.

Hostname (prefix)

A text string specified here that does not contain a dot character is regarded as a hostname (prefix) of the target, and the base domain specified previously is appended to this hostname automatically by the Multihoming backend. For example, enter “host1” here if you want to alias host1.example.com to www.example.com. In this case, this name must already be stated in an A/AAAA record.

FQDN

A text string specified here that contains dot characters is regarded as the FQDN of the target (a text string that ends with a dot character is not accepted), and the base domain specified previously is not appended to it by the backend. For example, enter “host1.example.com” here if you want to alias host1.example.com to www.example.com, or enter “host.otherdomain.com” here if you want to alias an external target host.otherdomain.com to www.example.com. This can be used to configure a CName record for DKIM signing.

TTL Set the TTL (Time to Live) for the CName record.

A CName record is a better way to manage aliases for a real host than creating multiple A/AAAA records for it. Note, however, that all name resolution via CName records is redirected to the single A/AAAA record of the canonical name, so the policy of that one A/AAAA record applies to every alias. If a host is instead aliased through multiple A/AAAA records, a different policy can be applied to each of them.

DName Record

DName (Delegation Name) records are used to alias an entire subtree of a domain to another. A domain can have multiple aliases, but an alias can only be assigned to one domain.

Alias Alias name for a domain. Note that the name of the domain you are configuring will be appended to the value you specify here to form the final alias name. For example, specifying “another” in the Alias field for base domain example.com aliases the domain given in the Target field to another.example.com.
Target Target domain that you want to alias.

For in-zone redirection, enter “example.com” as the target if you are setting the DName record in the base domain example.com. For example, queries for www.another.example.com will be redirected to www.example.com.

For out-of-zone redirection, you can enter another domain name here, such as “another.com”. Queries for www.another.example.com will then be redirected to www.another.com. Of course, the domain another.com must be delegated first.

TTL Set the TTL (Time to Live) for the DName record.
SRV Record
Service Specify the symbolic name prepended with an underscore, for example, _http, _ftp or _imap.
Protocol Specify the protocol name prepended with an underscore, for example, _tcp or _udp.
Priority Specify the relative priority of this service (0 – 65535). The lowest value is the highest priority.
Weight Specify the weight of this service. Weight is used when more than one record has the same priority; the highest weight is delivered most frequently. Leave it blank or zero if no weight should be applied.
Port Specify the port number of the service.
Target The hostname of the machine providing this service.
TTL Set the TTL (Time to Live) for the SRV record.
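How a client actually uses the Priority and Weight fields is not spelled out in the table above, and it matters when you are deciding what values to enter. The following Python is an added example, not FortiWAN code: it implements the standard client selection rule (lowest priority value first, then a weighted random choice among records of equal priority, as RFC 2782 describes) over a constructed set of _imap._tcp records. The record values and the function names are mine.

```python
# Added example (not FortiWAN/Multihoming code): client-side selection among SRV
# records by Priority and Weight, as described in the field table above.
from __future__ import annotations
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SRV:
    priority: int   # lowest value is tried first
    weight: int     # share of traffic among records with the same priority
    port: int
    target: str


def select_srv(records: list[SRV], rng: random.Random | None = None) -> SRV:
    """Pick one record: the lowest priority value wins; among records sharing that
    priority, each is chosen with probability proportional to its weight. If every
    weight is zero (the 'no weight' case above) the choice is uniform."""
    if not records:
        raise ValueError("no SRV records")
    rng = rng or random.Random()
    best = min(r.priority for r in records)
    candidates = [r for r in records if r.priority == best]
    total = sum(r.weight for r in candidates)
    if total == 0:
        return rng.choice(candidates)
    pick = rng.randint(1, total)
    running = 0
    for r in candidates:
        running += r.weight
        if pick <= running:
            return r
    return candidates[-1]   # not reached: pick <= total by construction


def distribution(records: list[SRV], trials: int = 10000, seed: int = 1) -> dict[str, float]:
    """Fraction of selections each target receives over repeated picks."""
    rng = random.Random(seed)
    counts: dict[str, int] = {}
    for _ in range(trials):
        t = select_srv(records, rng).target
        counts[t] = counts.get(t, 0) + 1
    return {t: n / trials for t, n in counts.items()}


# Constructed records for _imap._tcp.example.com: two active servers sharing
# priority 10 with a 3:1 weight split, and a backup at priority 20.
IMAP_RECORDS = [
    SRV(priority=10, weight=60, port=993, target="imap1.example.com"),
    SRV(priority=10, weight=20, port=993, target="imap2.example.com"),
    SRV(priority=20, weight=0, port=993, target="imap-backup.example.com"),
]

if __name__ == "__main__":
    print(distribution(IMAP_RECORDS))
```

With these records the backup host is never selected while a priority-10 host is listed; it is only used when a client has exhausted the lower-priority entries. That is the behaviour to keep in mind before giving a standby server the same priority as the primaries.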
MX Record

An MX (Mail Exchanger) record specifies a mail server responsible for accepting email messages addressed to recipients in your domain.

TTL Set the TTL (Time to Live) for the MX record.
Host Name The domain name that the mail servers are responsible for. This field can be configured in two formats: a hostname (prefix) or a FQDN.

Hostname (prefix)

A text string specified here (dot characters within are acceptable) that does not end with a dot character is regarded as a prefix of the domain, and the base domain specified previously is appended to this prefix automatically by the Multihoming backend. For example, if a mail server is responsible for recipient emails such as user@mail.example.com, enter “mail” here. If the mail server is responsible for recipient emails such as user@example.com, leave this field blank.

FQDN

A text string specified here (dot characters within are acceptable) that ends with a dot character is regarded as the FQDN of the domain, and the base domain specified previously is not appended to it by the backend. For example, if a mail server is responsible for recipient emails such as user@mail.example.com, enter “mail.example.com.” here. If the mail server is responsible for recipient emails such as user@example.com, enter “example.com.” here.

Priority The priority of the mail server. This value is used to prioritize mail delivery if multiple mail servers for a domain are available (note that each mail server requires its own MX record). The lower the number, the higher the priority.
Mail Server The host name of the mail server responsible for the domain specified in the Host Name field. The host must be predefined in an A/AAAA record or a CName record. This field can be configured in two formats: a hostname (prefix) or a FQDN.

Hostname (prefix)

A text string specified here that does not contain a dot character is regarded as a hostname (prefix) of the mail server, and the base domain specified previously is appended to this hostname automatically by the Multihoming backend. For example, enter “ms1” here if ms1.example.com is the mail server responsible for the domain mail.example.com or example.com. In this case, this name must already be stated in an A/AAAA record.

FQDN

A text string specified here that contains dot characters is regarded as the FQDN of the mail server (a text string that ends with a dot character is not accepted), and the base domain specified previously is not appended to it by the backend. For example, enter “ms1.example.com” here if ms1.example.com is the mail server responsible for the domain mail.example.com or example.com, or enter the external mail server “ms.otherdomain.com” here if it is responsible for the domain mail.example.com or example.com.

For example, to route emails for the recipient user@mail.example.com to the mail server mail1.example.com, the following A/AAAA record and MX record are required:

  • A/AAAA record: Host Name=mail1, When=All-Time, Source IP=Any Address, To Policy=Policy_A
  • MX record: Host Name=mail, Priority=10, Mail Server=mail1

If you want to route emails for the recipient user@example.com to the mail servers mail1.example.com and mail2.example.com, the following A/AAAA records and MX records are required:

  • A/AAAA record: Host Name=mail1, When=All-Time, Source IP=Any Address, To Policy=Policy_A
  • A/AAAA record: Host Name=mail2, When=All-Time, Source IP=Any Address, To Policy=Policy_B
  • MX record: Host Name=[blank], Priority=10, Mail Server=mail1
  • MX record: Host Name=[blank], Priority=20, Mail Server=mail2

Mail server mail1.example.com has the higher priority and is preferred for emails to user@example.com.
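The CName section and the MX section above both use the same two input conventions: for the Alias and Host Name fields a trailing dot marks a FQDN and anything else is a prefix, while for the Target and Mail Server fields the presence of any dot marks a FQDN and a trailing dot is rejected. The following Python is an added example, not FortiWAN code: it expands values entered in those formats into the full names the backend would use, enforces the two constraints the CName text states (the target must already have an A/AAAA record, and an alias maps to one host only), and expands the MX rows listed above into an ordered delivery plan. The function names and the `PAGE_MX` row format are mine.

```python
# Added example (not FortiWAN/Multihoming code): the prefix-versus-FQDN rules for the
# CName Alias/Target fields and the MX Host Name/Mail Server fields, applied to the
# MX configuration listed above.
from __future__ import annotations

BASE = "example.com"


def expand_alias_style(value: str, base: str = BASE) -> str:
    """CName Alias and MX Host Name: a value ending in a dot is a FQDN and is kept as
    written; anything else (dots allowed inside) is a prefix that gets the base domain
    appended. A blank value stands for the base domain itself."""
    value = value.strip().lower()
    if value.endswith("."):
        return value[:-1]
    return base if not value else f"{value}.{base}"


def expand_target_style(value: str, base: str = BASE) -> str:
    """CName Target and MX Mail Server: a value with no dot is a prefix of the base
    domain; a value containing dots is a FQDN; a trailing dot is not accepted."""
    value = value.strip().lower()
    if not value:
        raise ValueError("target must not be blank")
    if value.endswith("."):
        raise ValueError(f"trailing dot is not accepted here: {value!r}")
    return value if "." in value else f"{value}.{base}"


def add_cname(alias: str, target: str, a_records: set[str],
              cnames: dict[str, str], base: str = BASE) -> tuple[str, str]:
    """Register one alias, enforcing the text's two rules: a target inside the base
    domain must already exist as an A/AAAA record, and an alias maps to one host only.
    External targets (e.g. a DKIM provider's host) are accepted without an A record."""
    a, t = expand_alias_style(alias, base), expand_target_style(target, base)
    if (t == base or t.endswith("." + base)) and t not in a_records:
        raise ValueError(f"{t} needs an A/AAAA record before it can be aliased")
    if a in cnames:
        raise ValueError(f"alias {a} already points to {cnames[a]}")
    cnames[a] = t
    return a, t


def mx_plan(records: list[tuple[str, int, str]], base: str = BASE) -> list[tuple[str, int, str]]:
    """Expand (Host Name, Priority, Mail Server) rows into full names, ordered per
    domain by priority, lowest number (most preferred) first."""
    rows = [(expand_alias_style(h, base), p, expand_target_style(m, base)) for h, p, m in records]
    return sorted(rows, key=lambda r: (r[0], r[1]))


# Constructed from the two MX examples above: mail.example.com -> mail1, and
# example.com -> mail1 (priority 10) then mail2 (priority 20).
PAGE_MX = [("mail", 10, "mail1"), ("", 10, "mail1"), ("", 20, "mail2")]

if __name__ == "__main__":
    for row in mx_plan(PAGE_MX):
        print(row)
```

Running the two expansion functions over a planned change before entering it in the GUI is a cheap way to catch the classic mistake of a trailing dot in a Target field, or a missing one in an Alias field that silently turns a FQDN into a prefix of the base domain.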

TXT Record (multiple TXT records on one hostname are allowed)

A TXT (Text) record provides text information about a host. The text can be used for a variety of purposes depending on what you are using the TXT record for; for example, Sender Policy Framework (SPF) is one of the most common uses of TXT records. TXT records can also carry human-readable information describing a server, network, data center or other accounting information.

TTL Set the TTL (Time to Live) for the TXT record.
Host Name The prefix of the domain name that the TXT record is used for. This field can be configured in two formats: a hostname (prefix) or a FQDN.

Hostname (prefix)

A text string specified here that does not contain a dot character is regarded as a hostname (prefix) of the domain, and the base domain is appended to this hostname automatically by the Multihoming backend. For example, if this TXT record is used for the domain mail.example.com, enter “mail” here. If the TXT record is used for the base domain example.com, leave this field blank.

FQDN

A text string specified here that contains dot characters is regarded as the FQDN of the domain, and the base domain is not appended to it by the backend. For example, if this TXT record is used for the domain mail.example.com, enter “mail.example.com” here. If the TXT record is used for the base domain example.com, enter “example.com” here.

TXT Free-form text data of any type, or information in the format <attribute name>=<attribute value> for specific purposes. For example, when using a TXT record for SPF to fight spam, you could specify “v=spf1 a:mail ip4:10.16.130.2/24 ~all” here, which authorizes mail sent from the host named mail (the a:mail mechanism) and from the 10.16.130.2/24 network, while mail sent from any other IP fails the check (~all, soft fail) and is likely to be treated as spam.
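To see what the SPF record above actually authorizes, it helps to evaluate it against candidate sender addresses. The following Python is an added example, not FortiWAN code: it evaluates the page's record against a sender IP using an embedded, constructed stand-in for the DNS lookups (`A_RECORDS`), and reports which networks the `ip4` mechanism covers. Two things it makes visible: `ip4:10.16.130.2/24` authorizes the whole 10.16.130.0/24 network, not one host, and `~all` yields a soft fail rather than a hard rejection. The example treats the bare label in `a:mail` as a prefix of the base domain to match the page's record; a strict RFC 7208 evaluator would look up the name exactly as written, so a real record should normally spell out `a:mail.example.com`. The function names and sample addresses are mine.

```python
# Added example (not FortiWAN/Multihoming code): evaluating the SPF TXT record
# quoted above against a sender IP, with an offline stand-in for DNS.
from __future__ import annotations
import ipaddress

PAGE_RECORD = "v=spf1 a:mail ip4:10.16.130.2/24 ~all"   # the record from the text
BASE = "example.com"

# Constructed stand-in for the zone: the A record that "a:mail" would look up.
A_RECORDS = {"mail.example.com": "10.16.130.2"}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _lookup_a(name: str) -> list[str]:
    """Offline replacement for a DNS A lookup."""
    return [A_RECORDS[name]] if name in A_RECORDS else []


def ip4_networks(record: str) -> list[str]:
    """The networks each ip4 mechanism really covers (host bits are masked off)."""
    nets = []
    for term in record.split():
        term = term.lstrip("+-~?")
        if term.lower().startswith("ip4:"):
            nets.append(str(ipaddress.ip_network(term.split(":", 1)[1], strict=False)))
    return nets


def check_spf(record: str, sender_ip: str, base: str = BASE) -> str:
    """Return pass / fail / softfail / neutral / none for sender_ip under record.
    Supports the mechanisms used in the page's record: a, ip4, ip6 and all."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                       # not an SPF record at all
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        result = "pass"                     # an unqualified mechanism means '+'
        if term[0] in QUALIFIERS:
            result, term = QUALIFIERS[term[0]], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return result                   # 'all' always matches; it ends evaluation
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return result
        elif mech == "a":
            host = arg or base
            if "." not in host:             # assumption: bare label = prefix of base domain
                host = f"{host}.{base}"
            if any(ip == ipaddress.ip_address(addr) for addr in _lookup_a(host)):
                return result
        else:
            raise ValueError(f"mechanism {mech!r} not supported by this example")
    return "neutral"                        # no mechanism matched and no 'all' present


if __name__ == "__main__":
    print(ip4_networks(PAGE_RECORD))
    for ip in ["10.16.130.2", "10.16.130.77", "10.16.131.1", "2001:db8::1"]:
        print(ip, check_spf(PAGE_RECORD, ip))
```

A receiving server applies its own policy to a soft fail, so a record ending in `~all` is a hint rather than a block; switching to `-all` is only safe once every legitimate sending host (including any third-party service sending on the domain's behalf) is listed in the record.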
External Subdomain Record (available only in non-relay mode)

External subdomain records are used to delegate responsibility for subdomains to other name servers, which means that responsibility for administering a subdomain (such as child) of the base domain (such as example.com) is delegated to another management group (child.example.com). Multihoming (the name server of the base domain example.com) is then responsible for redirecting all queries ending with child.example.com to the subdomain's name servers.

Subdomain Name The prefix of the delegated subdomain. For example, if the delegated subdomain is child.example.com, enter child here. Note that this name cannot duplicate a name specified in an A/AAAA, NS, CName, DName or MX record of the base domain.
NS Record Specify the external name servers that the subdomain is delegated to. The NS records here point the subdomain to the responsible name servers. Note that, for any query within the subdomain, Multihoming answers only with the IP addresses of the external name servers authoritative for the subdomain, so have those external name servers (other machines) configured and online first. If the name servers authoritative for the subdomain are not FortiWAN units running Multihoming, inbound load balancing is not available for the subdomain.
Name Server Hostname (prefix) or FQDN of the external name server authoritative for the subdomain. For example, enter “ns1” or “ns1.child.example.com.” if the name server's FQDN is ns1.child.example.com. See the NS Record section above for details.
IPv4 Address IPv4 address of the name server.
IPv6 Address IPv6 address of the name server.


This entry was posted in Administration Guides, FortiWAN.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
