fortidns version 1.1 setup and administration...

FortiDNS Version 1.1

Setup and Administration Guide

FortiDNS Version 1.1 Setup and Administration Guide

August 3, 2012

4th Edition

Copyright© 2012 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, and FortiGuard®, are

registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be trademarks

of Fortinet. All other product or company names may be trademarks of their respective owners.

Performance metrics contained herein were attained in internal lab tests under ideal conditions,

and performance may vary. Network variables, different network environments and other

conditions may affect performance results. Nothing herein represents any binding commitment

by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the

extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a

purchaser that expressly warrants that the identified product will perform according to the

performance metrics herein. For absolute clarity, any such warranty will be limited to

performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in

full any guarantees. Fortinet reserves the right to change, modify, transfer, or otherwise revise

this publication without notice, and the most current version of the publication shall be

applicable.

Technical Documentation docs.fortinet.com

Knowledge Base kb.fortinet.com

Customer Service & Support support.fortinet.com

Training Services training.fortinet.com

FortiGuard fortiguard.com

Document Feedback [email protected]

http://docs.fortinet.com

http://kb.fortinet.com

https://support.fortinet.com

http://training.fortinet.com

http://www.fortiguard.com/

mailto:[email protected]?Subject=Technical%20Documentation%20Feedback

Contents

F

4

h

Contents

Introduction 5

Scope. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Registering your Fortinet product . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Setting up FortiDNS 8

Installing FortiDNS hardware platforms . . . . . . . . . . . . . . . . . . . . . . . . . 8

Installing FortiDNS-VM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

System requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

FortiDNS-VM image installation and initial setup . . . . . . . . . . . . . . . . . . 8

Administrative access - VM and hardware . . . . . . . . . . . . . . . . . . . . . . . . 9

Web-based manager access. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Telnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Managing system administrators. . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

One-factor or two-factor authentication . . . . . . . . . . . . . . . . . . . . . . 10

Setting the system time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

Configuring network settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

System maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

Upgrading the firmware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

Backing up and restoring configuration . . . . . . . . . . . . . . . . . . . . . . 12

Installing a license . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

CLI commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

Adding FortiToken devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

FortiDNS and FortiTokens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

Monitoring FortiToken devices . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

FortiToken device maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . 14

Configuring SNMP settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

Configuring an SNMP threshold . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Configuring an SNMP v1 and v2c community. . . . . . . . . . . . . . . . . 15

Configuring an SNMP v3 user . . . . . . . . . . . . . . . . . . . . . . . . . 16

Monitoring FortiDNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

System Information widget. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

System Resources widget . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

Top Clients widget . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

DNS Request Summary widget . . . . . . . . . . . . . . . . . . . . . . . . . . 17

Top Domains widget . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

DHCP server configuration 18

DNS service 20

Configuring outbound queries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

ortiDNS Version 1.1 Setup and Administration Guide

th Edition 3ttp://docs.fortinet.com/ • Document feedback

mailto:[email protected]?subject=Feedback&body=How can we improve this document?

Contents

F

4

h

Configuring access control rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

Blacklisting IP addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

Configuring DNS forwarding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

Configuring conditional forwarding . . . . . . . . . . . . . . . . . . . . . . . . 22

Creating stub zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

Configuring UDP packet size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Entering trust anchor keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

Disabling DNSSEC for a domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

Logging 25

Search button . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

Log entry order . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

Exporting the log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

Index 26




Introduction

F

4

h

IntroductionWelcome and thank you for selecting Fortinet products for your network protection.

Domain Name System (DNS), the method of translating names to device IP addresses, is

the lifeblood of the internet. Without it, e-mail cannot be sent, web sites cannot be found

and access to the internet in general grinds to a halt. If compromised, DNS can open an

organization up to attack and subversion via the redirection of users to malicious content.

It is one of the most critical but often overlooked components of business continuity.

The problem with DNS is that it is complicated, prone to misconfiguration, and requires

interaction at the command line. FortiDNS has been designed as a highly secure caching

DNS system to replace existing legacy solutions and is 100% GUI based to reduce the

risk of configuration error.

FortiDNS is built with security in mind. In keeping with other Fortinet solutions, security is

the key requirement of the FortiDNS solution, and to achieve this, Fortinet have partnered

with Nominum, one of the leading DNS solutions providers to power the core of the

solution. Developed by Fortinet and powered by Nominum, FortiDNS introduces

significant security benefits including:

• Hardened appliance format with GUI driven configuration significantly reduces the

complexity of deployment and reduces operational overheads.

• “Powered by Nominum” delivers market leading carrier class DNS to the enterprise

• High performance DNS caching speeds up name resolution and ultimately network

performance

• Strengthens enterprise security with a highly secure implementation supporting

methods including:

• Transaction ID Randomization

• UDP Source Port Randomization

• Case (query name) Randomization

• IPv6 and DNSSEC support enables deployment with confidence that future

requirements will be covered.

• Integrates with FortiToken two-factor authentication to enable secure remote

management

Figure 1 shows the workflow of the FortiDNS.




Introduction Scope

F

4

h

Figure 1: FortiDNS workflow

This section includes:

• Scope

• Registering your Fortinet product

Scope

This document describes how to use the FortiDNS web-based manager. It assumes you

have already successfully installed the FortiDNS by following the instructions in the

QuickStart Guide and “Installing FortiDNS hardware platforms” on page 8 and “Installing

FortiDNS-VM” on page 8.

At this stage:

• You have administrative access to the web-based manager and/or CLI.

• The FortiDNS is integrated into your network.

• Firmware update has been completed.

Once that basic installation is complete, you can use this document. This guide explains

how to use the web-based manager to:

• maintain the FortiDNS, including backups

• configure basic items such as system time, DNS settings, administrator password,

and network interfaces

• configure advanced features, such as DNS service and logging

Step 1: What is the IP of www.example.com?

FortiDNS

Root Server

Step 2: Where to find the IP of www.example.com?

Step 3: Go and check the .com namespace.

.com Namespace

Step 5: Go and check the example.com nameserver.

Step 4: What is the IP of www.example.com?

example.comPrimary Server Step 6: What is the IP of

www.example.com?

Step 7: The IP of www.example.comis 100.10.1.2.

Step 8: The IP of www.example.comis 100.10.1.2.




Introduction Registering your Fortinet product

F

4

h

Registering your Fortinet product

Before you begin configuring and customizing features, take a moment to register your

Fortinet product at the Fortinet Technical Support web site, https://support.fortinet.com.

Many Fortinet customer services, such as firmware updates, technical support, and

FortiGuard Antivirus and other FortiGuard services, require product registration.





Setting up FortiDNS Installing FortiDNS hardware platforms

F

4

h

Setting up FortiDNSThe following section provides information about setting up the VMware (VM) version of

the product (FortiDNS-VM).


• Installing FortiDNS hardware platforms

• Installing FortiDNS-VM

• Administrative access - VM and hardware

• Managing system administrators

• Setting the system time

• Configuring network settings

• System maintenance

• Adding FortiToken devices

• Configuring SNMP settings

• Monitoring FortiDNS

Installing FortiDNS hardware platforms

For information about installing the FortiDNS hardware platforms, see the QuickStart

Guides provided with your unit.

Installing FortiDNS-VM

Before using FortiDNS-VM, you need to install the VMware application to host the

FortiDNS-VM device. The installation instructions for FortiDNS-VM assume you are

familiar with VMware products and terminology.


• System requirements

• FortiDNS-VM image installation and initial setup

System requirements

The minimum system requirements for a computer running the FortiDNS VM image

include:

• Installed latest version of VMware Player, Fusion, Workstation, or Server.

• 512 MB of RAM minimum

• one virtual NIC minimum, to a maximum of four virtual NICs

• minimum of 3 GB free space

FortiDNS-VM image installation and initial setup

The following procedure describes setup on VMware Fusion.

To set up the FortiDNS-VM image

1 Download the VM image ZIP file to the local computer where VMware is installed.

2 Expand the ZIP file into a folder.




Setting up FortiDNS Administrative access - VM and hardware

F

4

h

3 In VMware Fusion, go to File > Open.

4 Navigate to the expanded VM image folder, select the FortiDNS-VM.vmx file and

select Open.

VMware will install and start FortiDNS-VM. This can take a minute.

5 At the FortiDNS login prompt, enter admin and press Enter. At the password prompt,

press Enter. By default, there is no password.

6 At the CLI prompt enter the following commands:

set port1-ip 192.168.1.99/24set default-gw 192.168.1.1

Substitute your own desired FortiDNS IP address and default gateway.

You can now connect to the web-based manager at the address you set for port1-ip.

Administrative access - VM and hardware

Administrative access is enabled by default on port 1.


• Web-based manager access

• Telnet

• SSH

Web-based manager access

To use the web-based manager, point your browser to the Port1 IP address (default

address is 192.168.1.99). For example,

http://192.168.1.99Enter admin as the User Name and leave the Password field blank.

For secure access, you can enter https instead of http in the URL.

Telnet

CLI access is available using telnet to the Port1 interface IP address, default

192.168.1.99. Use the telnet -K option (for Linux/Unix) so that telnet does not attempt to

log on using your user ID. For example:

$ telnet -K 192.168.1.99At the FortiDNS login prompt, enter admin. When prompted for password, just press

Enter. By default there is no password. When you are finished, use the exit command to

end the telnet session.

SSH

SSH provides secure access to the CLI. Connect to the Port1 interface IP address,

default 192.168.1.99. Specify the user name admin or SSH will attempt to log on with

your user name. For example:

$ ssh [email protected] the password prompt, just press Enter. By default there is no password. When you are

finished, use the exit command to end the session.




Setting up FortiDNS Managing system administrators

F

4

h

Managing system administrators

Before you start to use FortiDNS, it is recommended you change the default admin’s

password or add a new administrator. By default, the default admin user does not have a

password.


• One-factor or two-factor authentication

To change the administrator’s password

1 Log on to the web-based manager.

2 Go to System > Admin > Administrators.

3 Select the administrator of which you want to change the password.

4 Click Change Password.

5 Enter a new password and confirm it.

6 Click OK.

To add a new administrator


2 Go to System > Admin > Administrators and click Create New.

3 Enter the user name, password, and confirm the password.

4 Click OK.

5 Select Two-factor authentication and a security token.

For more information, see “One-factor or two-factor authentication” on page 10.

6 Collapse User Information and enter the information required.

7 Collapse Password Recovery Options.

8 Select Email to send the recovered password to the email address entered in User

Information or to other email addresses entered by clicking Manage alternative emails.

9 Select Security Question and click Edit to enter a security question answer, and click

OK.

10 Click OK.

One-factor or two-factor authentication

The standard logon requires the user to know the password. This is one-factor

authentication. Two-factor authentication adds the requirement for another piece of

information for logon. Generally the two factors are something you know (password) and

something you have (certificate, token). This increases the difficulty for an unauthorized

person to impersonate a legitimate user.

The FortiDNS unit supports FortiToken devices for the second factor in two-factor

authentication. For information about how to add a FortiToken device, see “Adding

FortiToken devices” on page 13.

Setting the system time

To use many of the FortiDNS feature, such as logging and FortiToken authentication, it is

critical to set the system time accurately.




Setting up FortiDNS Configuring network settings

F

4

h

To set the system time


2 Go to System > Dashboard > Status.

3 In System Information, select Change in the System Time field.

4 Select your time zone from the list.

5 Either enable NTP or set the date/time manually.

Enter a new time and date by either typing it manually, selecting Today or Now, or

select the calendar or clock icons for a more visual method of setting the date and

time.

6 Click OK.

Configuring network settings

For the client users to access FortiDNS, you must configure FortiDNS IP address and

gateway IP, and allow user access on the interfaces.

To initially setup FortiDNS on your network


2 Go to System > Network > Interfaces to set the IP address, subnet mask, and access

rights for each interface.

3 Click OK.

4 Go to System > Network > Default Gateway to set the gateway for each interface as

required.

5 Click OK.

System maintenance

System maintenance tasks are limited to changing the firmware, and backing up or

restoring the configuration file.


• Upgrading the firmware

• Backing up and restoring configuration

• Installing a license

• CLI commands

Upgrading the firmware

Firmware upgrades fix known issues, ensure features work as expected, and generally

improve your FortiDNS experience.

To upgrade the firmware, you must first register your FortiDNS with Fortinet. See

“Registering your Fortinet product” on page 7.

To upgrade FortiDNS firmware

1 Download the latest firmware to your local computer from the Fortinet Technical

Support web site, https://support.fortinet.com.

2 On FortiDNS, go to System > Maintenance > Firmware, or System > Dashboard >

Status and click Upgrade for Firmware Version.





Setting up FortiDNS System maintenance

F

4

h

3 Select Browse, and locate the new firmware image on your local computer.

4 Select OK.

When you select OK, the new firmware image will upload from your local computer to the

FortiDNS, which will then reboot. You will experience a short period of time during this

reboot when the FortiDNS is offline.

Backing up and restoring configuration

You can back up the configuration of the FortiDNS to your local computer. This

configuration file backup includes both the CLI and web-based manager configuration of

the FortiDNS.

To restore the configuration of your FortiDNS, go to System > Maintenance > Config, or

System > Dashboard > Status and click Backup/Restore for System Configuration.

Browse to the location of the backup file on your local computer, and select Restore. You

will be prompted to confirm the restore action, and approve the reboot. Upon

confirmation a message will be displayed stating that the system is starting the restore

process. When the restore and system reboot is completed, you must login.

Installing a license

To be able to use FortiDNS, you must have a valid license. To obtain a license, contact

your FortiDNS reseller or Fortinet Technical Support.

To install a license

1 Go to System > Maintenance > License.

2 Click Browse to locate the license file on your local PC.

3 Click OK.

CLI commands

The FortiDNS has CLI commands that are accessed using a console, Telnet, or SSH

session port. Their purpose is to initially configure the unit, perform a factory reset, or

reset the values using a telnet session if the web-based manager is unaccessible for

some reason.

When you restore the backup file, it will overwrite existing information and require a

FortiDNS reboot. Any information changed since the backup will be lost. Any active

sessions will be ended and must be restarted. You will have to log back in when the

system reboots.

help Display list of valid CLI commands. You can also

enter ? for help.

set port1-ip <addr_ipv4mask>

Enter the IPv4 address and netmask for the port1

interface. Netmask is expected in the /xx format,

for example 192.168.0.1/24.

Once this port is configured, you can use the

web-based manager to configure the remaining

ports.

set default-gw <addr_ipv4> Enter the IPv4 address of the default gateway for

this interface. This is the default route for this

interface.




Setting up FortiDNS Adding FortiToken devices

F

4

h

Adding FortiToken devices

A FortiToken device is a disconnected one-time password (OTP) generator. It is a small

physical device with a button that when pressed displays a six digit authentication code.

This code is entered with a user’s username and password as two-factor authentication.

The code displayed changes every 60 seconds. When not in use the LCD screen is

blanked to extend the battery life.

The device has a small hole in one end. This is intended for a lanyard to be inserted so

the device can be worn around the neck, or easily stored with other electronic devices.

Do not put the FortiToken on a key ring as the metal ring and other metal objects can

damage it. The FortiToken is an electronic device like a cell phone and should be treated

with similar care.


• FortiDNS and FortiTokens

• Monitoring FortiToken devices

• FortiToken device maintenance

set date <YYYY-MM-DD> Enter the current date. Valid format is four digit

year, 2 digit month, and 2 digit day. For example

set date 2011-08-12 sets the date to August 12th,

2011.

set time <HH:MM:SS> Enter the current time. Valid format is two digits

each for hours, minutes, and seconds. 24-hour

clock is used. For example 15:10:00 is 3:10pm.

set tz <timezone_index> Enter the current time zone using the time zone

index. To see a list of index numbers and their

corresponding time zones, enter set tz ? .

unset <setting> Restore default value. For each set command

listed above, there is an unset command, for

example unset port1-ip.

show Display current settings of port1 IP, netmask,

default gateway, and time zone.

exit Terminate the CLI session.

reboot Perform a hard restart the FortiDNS unit. All

sessions will be terminated. The unit will go offline

and there will be a delay while it restarts.

factory-reset Enter this command to reset the FortiDNS

settings to factory default settings. This includes

clearing the user database.

This procedure deletes all changes that you have

made to the FortiDNS configuration and reverts

the system to its original configuration, including

resetting interface addresses.

shutdown Turn off the FortiDNS.

status Display basic system status information including

firmware version, build number, serial number of

the unit, and system time.




Setting up FortiDNS Configuring SNMP settings

F

4

h

FortiDNS and FortiTokens

If you enable two-factor authentication when adding an administrator (see “Managing

system administrators” on page 10), you must enter the FortiToken serial number to the

FortiDNS unit, which then contacts Fortinet FortiGuard servers to verify the information

before activating the FortiToken device.

To add FortiToken devices

1 Go to System > Admin > FortiTokens.

2 Select Create New and enter the FortiToken device serial number. If there are multiple

numbers to enter, select the + icon to switch to a resizable multiple-line entry box.

3 Select OK.

Monitoring FortiToken devices

To monitor the total number of FortiToken devices registered on the FortiDNS unit, as well

as the number of disabled FortiTokens, go to System > Admin > FortiTokens.

You can also view the list of FortiTokens, their status, if their clocks are drifting, and which

user they are assigned to.

FortiToken device maintenance

Go to System > Admin > FortiTokens and select Edit for the device. Do any of the

following:

• Disable a device when it is reported lost or stolen.

• Re-enable a device when it is recovered.

• Synchronize the FortiDNS and the FortiToken device when the device clock has

drifted. Synchronizing ensures that the device provides the token code that the

FortiDNS unit expects, as the codes are time-based. Fortinet recommends

synchronizing all new FortiTokens.

Configuring SNMP settings

Go to System > Admin > SNMP to configure SNMP to monitor FortiDNS system events

and thresholds.

To monitor FortiDNS system information and receive FortiDNS traps, you must compile

Fortinet proprietary MIBs as well as Fortinet-supported standard MIBs into your SNMP

manager. RFC support includes support for most of RFC 2665 (Ethernet-like MIB) and

most of RFC 1213 (MIB II).

The FortiDNS SNMP implementation is read-only. SNMP v1, v2c, and v3 compliant

SNMP managers have read-only access to FortiDNS system information and can receive

FortiDNS traps.

The FortiDNS SNMP v3 implementation includes support for queries, traps,

authentication, and privacy. Before you can use its SNMP queries, you must enable

SNMP access on the network interfaces that SNMP managers will use to access the

FortiDNS. For more information, see “Configuring network settings” on page 11.


To register FortiToken devices, you must have a valid FortiGuard connection. Otherwise

any FortiToken devices you enter will remain at Inactive status.




http://tools.ietf.org/html/rfc2665

http://tools.ietf.org/html/rfc1213

Setting up FortiDNS Configuring SNMP settings

F

4

h

• Configuring an SNMP threshold

Configuring an SNMP threshold

Configure under what circumstances an event is triggered.

To set SNMP thresholds

1 Go to System > Admin > SNMP.

2 Configure the following:

3 Click Apply if you set any threshold levels.

Configuring an SNMP v1 and v2c community

An SNMP community is a grouping of equipment for SNMP-based network

administration purposes. You can add up to three SNMP communities so that SNMP

managers can connect to the FortiDNS to view system information and receive SNMP

traps. You can configure each community differently for SNMP traps and to monitor

different events. You can add the IP addresses of up to eight SNMP managers to each

community.

To configure an SNMP community


2 Under SNMP v1/v2c, click Create New to add a community or select a community

and click Edit.

The SNMP Community page appears.


GUI item Description

Description Enter a descriptive name for the FortiDNS.

Location Enter the location of the FortiDNS.

Contact Enter administrator contact information.

CPU utilization

trap threshold

Enter the percentage a trigger value is reached before triggering a CPU utilization trap. The default value is 90.

Memory

utilization trap

threshold

Enter the percentage a trigger value is reached before triggering a memory utilization trap. The default value is 90.

DNS client trap

threshold

Enter the number of DNS clients to be reached before triggering a DNS client trap. The default value is 0.

DNS request rate

trap threshold

Enter the number of DNS queries per second to be reached before triggering a DNS request rate trap. The default value is 0.


Community

name

Enter a name to identify the SNMP community. If you are editing an existing community, you cannot change the name.

Event Enable each SNMP event for which the FortiDNS should send traps to the SNMP managers in this community.

SNMP Hosts Lists SNMP managers that can use the settings in this SNMP community to monitor the FortiDNS. Click Add another SNMP host to create a new entry.

IP/Netma

sk

Enter the IP address of an SNMP manager. By default, the IP address is 0.0.0.0, so that any SNMP manager can use this SNMP community.




Setting up FortiDNS Monitoring FortiDNS

F

4

h

4 Click OK.

Configuring an SNMP v3 user

SNMP v3 adds more security by using authentication and privacy encryption. You can

specify an SNMP v3 notification host to which the FortiDNS sends traps.

To configure an SNMP v3 user


2 Under SNMPv3, click Create New to add a user or select a user and click Edit.

The SNMPv3 User page appears.


4 Click OK.

Monitoring FortiDNS

Go to System > Dashboard > Status to display the following FortiDNS system

information. You can add a widget by clicking the Add Widget button or close a widget by

clicking the Close icon (X mark) on the widget.


• System Information widget

• System Resources widget

• Top Clients widget

• DNS Request Summary widget

• Top Domains widget

System Information widget

The System Information widget displays the serial number and basic system statuses

such as the host name, serial number, firmware version, system time, and up time.

In addition to displaying basic system information, you can also configure the system

time, firmware version, system configuration, and shutting down or rebooting the

FortiDNS.

Queries Mark the check box to activate queries for each SNMP version.

Traps Select the check box to enable traps for each SNMP version that the SNMP managers use.

Delete

(X icon)

Click to remove this SNMP manager.



SNMP

Notification

Hosts

Lists the SNMP managers that FortiDNS sends traps to. Click Add Another SNMP notification host to create a new entry.

IP

Address

Enter the IP address of an SNMP manager. By default, the IP address is 0.0.0.0, so that any SNMP manager can use this SNMP user.

Delete

(X icon)

Click to remove this SNMP manager.




Setting up FortiDNS Monitoring FortiDNS

F

4

h

System Resources widget

The System Resources widget displays the CPU and memory usage levels over time.

Top Clients widget

The Top Clients widget displays the IP addresses that requested the most DNS service

over time. You can blacklist any top DNS client from this widget.

DNS Request Summary widget

The DNS Request Summary widget displays the number of DNS service requests over

time.

Top Domains widget

The Top Domains widget displays the most-visited domains over time.

Table 1: System Information widget


Host Name The host name of the FortiDNS

Serial Number The serial number of the FortiDNS. The serial number is specific to the FortiDNS hardware and does not change with firmware upgrades. Use this number when registering the hardware with Fortinet Technical Support.

System Time The current date and time according to the FortiDNS’s internal clock.

Click Change to change the time or configure the FortiDNS to get the time from an NTP server. See “Setting the system time” on page 10.

Firmware Version The version of the firmware currently installed on the FortiDNS.

Click Upgrade to install firmware. See “Upgrading the firmware” on page 11.

System

Configuration

The time when the system configuration settings were backed up.

Click Backup/Restore to backup or restore the configuration. See “Backing up and restoring configuration” on page 12.

Current

Administrator

The FortiDNS administrator currently logged on to the system. To configure the administrators, see “Managing system administrators” on page 10.

Uptime The time in days, hours, and minutes since the FortiDNS was started.

Shutdown/Reboot Click to close or restart the FortiDNS operating system.

Vantio License The validity of the Vantio NXR Service Delivery Module license.




https://support.fortinet.com/

DHCP server configuration

F

4

h

DHCP server configurationA DHCP server provides an address to a client on the network, when requested, from a

defined address range.

You can configure one or more DHCP servers on FortiDNS. A DHCP server dynamically

assigns IP addresses to hosts on the network connected to FortiDNS. The host

computers must be configured to obtain their IP addresses using DHCP.

FortiDNS DHCP server supports IPV4 and IPv6.

To configure a DHCP server

1 Go to DHCP > DHCP > Config.

2 Click Create New.



General

Enable Select to activate this DHCP server.

Name Enter a name for this DHCP server.

Lease time Set the length of time an IP address remains assigned to a client. Once the lease expires, the address is released for allocation to the next client request for an IP address.

Lease format Select a format for lease time.

Network Enter the DHCP subnet.

Netmask Enter the netmask of the addresses that the DHCP server assigns.

Search domain Enter the domain that the DHCP server assigns to clients.

Default Gateway Enter the IP address of the default gateway that the DHCP server assigns to DHCP clients.

DNS #1 Add the IP address of the first DNS server that the DHCP server assigns to DHCP clients.

DNS #2 Add the IP address of the second DNS server that the DHCP server assigns to DHCP clients.

DNS #3 Add the IP address of the third DNS server that the DHCP server assigns to DHCP clients.

DHCP Ranges

Add Another

DHCP Range

Click the plus (+) sign to add a DHCP range.

Configuration

Type

If you select IP Range, enter the start and end for the range of IP addresses that this DHCP server assigns to DHCP clients.

If you select Network, enter the subnet of this DHCP server.

DHCP Reservations

Add Another

DHCP

Reservation

Click the plus (+) sign to add a DHCP reservation.

Name Enter the name for the DHCP reservation.




DHCP server configuration

F

4

h

4 Click OK.

IP Address Enter the IP address from the DHCP server to match a specific client or device using its MAC address.

In a typical situation, an IP address is assigned ad hoc to a client, and that assignment times out after a specific time of inactivity from the client, known as the lease time. To ensure a client or device always has the same IP address, that is, there is no lease time, use IP reservation.

MAC/Device ID Enter the MAC address of the client to which you want to match the IP address from the DHCP server.

Description Optionally, add a note about this DHCP reservation.





DNS service Configuring outbound queries

F

4

h

DNS serviceDNS is designed to be open and distributed and uses the User Datagram Protocol (UDP).

Therefore it is vulnerable to various forms of attack. FortiDNS provides a set of protective

measures.

This section contains the following topics:

• Configuring outbound queries

• Configuring access control rules

• Blacklisting IP addresses

• Configuring DNS forwarding

• Configuring UDP packet size

• Entering trust anchor keys

• Disabling DNSSEC for a domain

Configuring outbound queries

You can configure the Internet protocols the FortiDNS uses when sending queries to the

name servers. You can also enable query case randomization to protect against cache

poisoning attacks.

Because of the important role of DNS for Internet navigation, attackers use a variety of

tricks to compromise it, such as cache poisoning attacks. Such attacks attempt to

replace legitimate DNS data with fake DNS data to control users’ Internet navigation. For

example, if an attacker can insert a fake record for a bank’s website, they could secretly

intercept the bank’s traffic.

To configure outbound queries

1 Go to DNS > DNS > General.

2 Select Use query case randomization if required.

Query case randomization is a technique used to make DNS queries more resistant to

poisoning attacks by mixing the upper and lower case spelling of the domain name in

the query, such as converting www.example.com into wWw.eXaMpLe.CoM. Since

most name servers preserve the mixed case-encoding in the answer that they send,

attackers trying to poison a DNS cache must therefore guess the mixed-case

encoding of the query, on top of all other fields required in a DNS poisoning attack.

This increases the difficulty of the attack.

3 In the Outbound queries field, choose an Internet protocol for sending queries to the

name servers.

4 Click OK.

Configuring access control rules

Use the access control list (ACL) to allow or block client access to the FortiDNS

interfaces.

To create an access control rule

1 Go to DNS > DNS > ACL.




DNS service Blacklisting IP addresses

F

4

h

2 Click Create New.

3 For Title, enter a rule title.

4 Optionally enter a description.

5 For Access, select Allow or Block.

6 Enter the source IP to allow or block. Use the netmask, the portion after the slash (/) to

specify the matching subnet. For example, enter 10.10.10.10/24 to match a 24-bit

subnet, or all addresses starting with 10.10.10. This will appear as 10.10.10.0/24 in

the access control rule table, with the 0 indicating that any value is matched in that

position of the address.

Similarly, 10.10.10.10/32 will appear as 10.10.10.10/32 and match only the

10.10.10.10 address.

To match any address, enter 0.0.0.0/0.

7 Select the interface to apply the rule.

8 Click OK.

Blacklisting IP addresses

You can blacklist IP addresses and do not allow them to access FortiDNS.

To create a black list

1 Go to DNS > DNS > Blacklist.

2 Click Create New.

3 For Title, enter a rule title.

4 Enter the source IP to block. Use the netmask, the portion after the slash (/) to specify

the matching subnet. For example, enter 10.10.10.10/24 to match a 24-bit subnet, or

all addresses starting with 10.10.10. This will appear as 10.10.10.0/24 in the access

control rule table, with the 0 indicating that any value is matched in that position of the

address.

Similarly, 10.10.10.10/32 will appear as 10.10.10.10/32 and match only the

10.10.10.10 address.

5 Click OK.

Configuring DNS forwarding

You can configure the FortiDNS to forward the queries they cannot resolve locally to

another DNS server - the forwarder. By using a forwarder, you can manage name

resolution for names outside of your network, such as names on the Internet, and

improve the efficiency of name resolution for the hosts in your network. DNS forwarding

also adds extra privacy to your network because all requests come from one point and

exposed details about the network internals are reduced.

You can configure conditional forwarding (forwarding rules) or create stub zones for DNS

forwarding:

• Conditional forwarding can be applied to resolve Internet names or when your

organization has a DNS server responsible for your entire namespace.

• Stub zones are used if you want a DNS server hosting a parent zone to keep a current

list of the authoritative DNS servers for the child zones. As authoritative DNS servers

are added and removed, the list is automatically updated.




DNS service Configuring DNS forwarding

F

4

h


• Configuring conditional forwarding

• Creating stub zones

Configuring conditional forwarding

Configure a conditional forwarder to handle name resolution only for a specific domain.

Typically, a conditional forwarder is used if your network has a dedicated forwarder DNS

server that handles all DNS requests that need to be resolved on the public Internet. You

can configure the FortiDNS forwarding rule to point to such a forwarder.

FortiDNS has a default forwarder with the domain name Root which applies to all

domains contained in the queries. This option helps alleviate the workload on the DNS

forwarder because FortiDNS caches some answers. FortiDNS only sends the queries to

the forwarder when it cannot find the answers from its cache.

In addition to the default forwarder, you can configure other specific forwarders to deal

with name resolutions for some specific domains that you feel necessary. For example,

you can configure the FortiDNS to forward any requests in the domain “example.com”

directly to a specific name server that is authoritative for that domain. Such a

configuration can speed up the name resolution process by eliminating the need to use

the default forwarder in the first place.

To configure a conditional forwarder

1 Go to DNS > DNS > Forwarding.

2 Under DNS Forwarding Rules, click Create New.

3 For Domain, enter the domain name for which FortiDNS will forward queries.

4 Select a forwarding method:

• Forwarding only: FortiDNS will only forward the queries to the forwarder.

• Forwarding and/or default resolution: FortiDNS will use the default forwarder first

and forward the queries to the forwarder if it cannot find the answers from the

cache of the default forwarder.

• Disabled: FortiDNS will not use the default forwarder or forward any queries.

5 Under Name Servers, click Add another name server.

6 Enter the IP address of the forwarder for the domain name specified. Repeat if you

have more forwarders for this domain to add.

7 Click OK.

Creating stub zones

Compared with conditional forwarding, a stub zone’s advantage is that its information is

dynamic. In the case of conditional forwarding, whenever the authoritative DNS servers

for the child zone changes, the conditional forwarder setting on the DNS server hosting

the parent zone will need to be manually configured with the IP address for each new

authoritative DNS server for the child zone.

You cannot remove a default forwarder, although you can modify its forwarding method

and forwarder address.




DNS service Configuring UDP packet size

F

4

h

If you have multiple levels of domain hierarchy, you can use stub zones to simplify name

resolution instead of DNS servers querying the root server. For example, you have the

following domain hierarchy:

• forest - example.com

• tree - tm.example.com with ti.tm.example.com as sub domain

• tree - st.example.com with gl.sa.example.com as sub domains.

In this scenario, if a client in “ti.tm.example.com” tries to access resources in

“gl.sa.example.com” without configuring stub zones, multiple DNS servers will have to

be contacted in the following order:

ti.tm.example.com > tm.example.com > example.com > st.example.com >

gl.sa.example.com.

However, if you create a stub zone in “ti.tm.example.com”, the stub zone will contain the

list of authoritative DNS servers for the zone and queries from “ti.tm.example.com” can

be directly sent to “gl.sa.example.com”.

To create a stub zone

1 Go to DNS > DNS > Forwarding.

2 Under DNS Stub Zones, click Create New.

3 For Domain, enter the target domain name for which you want to create a stub zone.

Stub domain names must contain valid reverse lookup addresses such as

5.2.1.192.in-addr.arpa or 100.10.1.1ip6.arpa.

4 Under Name Servers, click Add another name server.

5 Enter the IP address of one of the name servers on the target domain’s network.

Repeat if you have more name servers for this domain to add.

6 Click OK.

Configuring UDP packet size

DNS Security Extensions (DNSSEC) is a standard security protocol designed to ensure

the integrity of the domain name space. it is the only method to detect if your domain

name is hijacked.

When sending queries using Extension Mechanisms for DNS (EDNS) such as DNSSEC,

FortiDNS can reassemble packets of up to a specified length. This option is useful if a

firewall or other network device is causing IP fragments to be dropped, which would

result in timeouts and/or failures of resolutions involving large packets.

The default packet length is 4000 bytes. The maximum is also 4000 bytes, and the

minimum is 512 bytes.

To configure UDP packet size

1 Go to DNS > DNSSEC > General.

2 Select Use DNSSEC if you want to send queries using DNSSEC.

3 Enter the maximum UDP packet size in byte.

4 Click OK.




DNS service Entering trust anchor keys

F

4

h

Entering trust anchor keys

DNSSEC validation requires that a caching server, such as FortiDNS, know trust anchor

key for the root DNS domain in order to validate already signed responses. Theoretically,

trust anchor keys do not change often, but they do change occasionally, and may

change unexpectedly in the event the keys are compromised.

For information about how to securely obtain the root zone keys, see the ICANN

publication DNSSEC Trust Anchor Publication for the Root Zone available at

http://data.iana.org/root-anchors/draft-icann-dnssec-trust-anchor.txt in either text or

HTML format. The directory http://data.iana.org/root-anchors/ also contains the other

data you will need to obtain the root key securely.

To enter a trust anchor key on FortiDNS

1 Go to DNS > DNSSEC > Trust Anchor Keys.

2 Click Create New.

3 For Domain, enter the root DNS domain name of which that you want FortiDNS to

validate the already signed responses.

An authenticated root DNS domain allows authentication of all domains (zones) below

it in the domain name hierarchy. For example, the trusted key for example.com also

authenticates the zone sub.example.com.

4 In the Key field, paste the trust anchor key string of the root DNS domain to be used

by FortiDNS to validate the already signed responses.

5 Click OK.

Disabling DNSSEC for a domain

You can disable the DNSSEC validation for a domain, even if the domain supports it.

To disable DNSSEC for a domain

1 Go to DNS > DNSSEC > Negative Trust Anchors.

2 Click Create New.

3 Enter the domain of which you want to disable DNSSEC.

4 Click OK.




http://data.iana.org/root-anchors/draft-icann-dnssec-trust-anchor.txt

http://data.iana.org/root-anchors/

Logging Search button

FortiDNS Version 1.1 Setup and Administration Guide

4th Edition 25http://docs.fortinet.com/ • Document feedback

LoggingLogging provides a record of the events that have taken place on the FortiDNS.

To access logs, go to Logging > Log Access > Logs. The Logs page has controls to help

you search your logs for the information you need.


• Search button

• Log entry order

• Log type reference

• Exporting the log

Search button

You can enter a string to search for in the log entries. The string must appear in the

Message portion of the log entry to result in a match for the search. To prevent each term

in a phrase from being matched separately, multiple keywords must be in quotes and be

an exact match.

After the search is complete next to the Search button the number of positive matches

will be displayed, with the total number of log entries in brackets following. Select the

total number of log entries to return to the full list. Subsequent searches will search all log

entries and not just the previous search’s matches.

Log entry order

You can change the order used to display the log entries. To sort the log entries by a

particular column, such as Timestamp, select the title for that column. The log entries will

now be displayed based on data in that column in ascending order. Ascending or

descending is displayed with an arrow next to the column title — up arrow for ascending,

and down arrow for descending.

Log type reference

There are Admin Configuration, Authentication, System, and User Portal events. Each of

these have multiple log message types for each major event. To see the various types of

log messages, go to Logging > Log Access > Logs and select Log Type Reference.

On this page, you can search for the exact text of a specific log message. The search will

return any matches in any columns.

Exporting the log

You can select Download Raw Log to export the FortiDNS log as a text file named

fns.log.


Index

FortiDNS Version 1.1 Setup and Administration Guide4th Edition 26http://docs.fortinet.com/ • Document feedback

Index

Ccache poisoning attack, 20clock, 17CPU usage, 17

Ddefault

password, 6DNS request summary, widget, 17

Ffirmware

version, 17firmware updates, 7FortiGuard, 14FortiGuard Antivirus, 7FortiToken, 13

clock drift, 14monitoring, 14registering, 14synchronization, 14

Iinstallation, 6

Mmemory usage, 17

Oone-time password (OTP), 13outbound queries

configuring, 20

Ppassword

administrator, 6

product registration, 7

Qquery

SNMP, 16

RRFC

1213, 142665, 14

Sserial number, 17SNMP

community, 15event, 15manager, 15, 16query, 16

system information, widget, 16system resources, widget, 17

Ttechnical support, 7top clients, widget, 17top domains, widget, 17troubleshooting, 17two-factor authentication

FortiToken, 13

Wwidget

DNS request summary, 17system information, 16system resources, 17top clients, 17top domains, 17

http://docs.fortinet.com/


fortidns version 1.1 setup and administration...

Documents