Set DNS server to FortiWAN

Leave a reply

Set DNS server to FortiWAN

As an edge router, FortiWAN connects the external and internal networks to provide necessary valuable functions for incoming and outgoing service accesses. Among the functions, domain name resolution plays an important role for service accesses. The following is an overview about the DNS deployment on FortiWAN, according to source of the DNS query.

Set DNS server to FortiWAN

For external users who want to access your domain

If you provide network services (such as HTTP, FTP or SMTP) to Internet, no matter how you deploy the servers (deploy them in DMZ or LAN) you will need also provide the resolution of your domain name to users who want to access your services from Internet. You may manage your domain simply by a DNS hosting or FortiWAN’s Multihoming (See “Multihoming”). Multihoming is basically a DNS server providing standard name resolution to Internet users, moreover it provides load balancing and fail over to inbound traffic.

For internal users who want to access internal or external servers

It requires a DNS server for any user to resolve a external domain he want to access through Internet. Usually, this DNS server could be a ISP’s DNS server or any registered public DNS server. An user can configure the setting of DNS server on its own computer manually or automatically be allocated by DHCP. This DNS server is also necessary to FortiWAN itself for some operations. Several FortiWAN’s functions, such as sending logs and

notifications, ping and traceroute commands, require DNS resolution if the target is a FQDN (fully qualified domain name). Through Web UI System > Network Setting > DNS Server, you can manually set the DNS server to FortiWAN. FortiWAN’s DHCP (also SLAAC and DHCPv6, see “Automatic addressing within a basic subnet”) allocate the DNS servers set here to users in LAN or DMZ subnet if the users’ computers are set to automatically get DNS by DHCP.

On the other hand, if you want to maintain an internal DNS server in your site, FortiWAN provides Internal DNS

(see “Internal DNS”) for managing your domain to internal users (the users in LAN or DMZ subnet). An user in

LAN or DMZ subnet need to manually configure the DNS server on his computer for using the FortiWAN’s Internal

DNS (set DNS server as IP address of the gateway he connects to). It is unable to automatically allocate FortiWAN’s internal DNS to users by FortiWAN’s DHCP. The Internal DNS is recursive, which allows users to resolve other people’s domains (external domains). The DNS servers set here (System > Network Setting > DNS Server) will be asked by Internal DNS while it recursively resolve an unknown domain. Of cause that you can also set up a standalone internal DNS server to manage your domain for internal users, but this is the category of FortiWAN.

The last feature about DNS that FortiWAN provides is DNS Proxy, which is a mechanism to redirect outgoing DNS queries to other DNS servers according to WAN links loading. This is not the well-known DNS proxy, but is a solution for ISP peering issue (See “DNS Proxy” and “Optimum Route Detect”).

Back to System > Network Setting > DNS Server, it enables administrators to define the host name the FortiWAN in the network, the IPv4/IPv6 address of domain name servers used by FortiWAN, and the suffix of the domain name. The following is the list of FortiWAN’s functions that might require the DNS servers set here.

System > Diagnostic Tools Ping and Trace (See “Diagnostic Tools”)
System > Date/Time Synchronize system time through NTP server (See “Setting the system time & date”)
Service > Internal DNS Recursively resolve an unknown domain (see “Internal DNS”)
Log > Control SMTP and FTP Server Settings (See “Log Control”)
Log > Notification SMTP Server Settings (See “Log Notification”)
CLI Ping and Traceroute Commands (See “Console Mode Commands”)
FQDN Maintain the FQDN mapping in system for supporting FQDN in management policies (See “Basic concept to configure via Web UI” in “Using the Web UI”).

Configure the setting

Hostname Name for this FortiWAN appliance.
IPv4 Domain Name Server IPv4 DNS servers for this FortiWAN itself to resolve unknown domains. The maximum of three IPv4 addresses is allowed. The DNS servers set here will be used in a top-down order, if the DNS request timed out.
IPv6 Domain Name Server IPv6 DNS servers for this FortiWAN itself to resolve unknown domains. The maximum of three IPv6 addresses is allowed. The DNS servers set here will be used in a top-down order, if the DNS request timed out.
Domain Name Suffix Primary domain suffix of this FortiWAN appliance.

Note: Incomplete DNS server configurations will not influence the performance of the functions listed above. Only IP address is necessary instead of the FQDN.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

This entry was posted in Administration Guides, FortiWAN and tagged on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.