Configure DNS Settings

FortiGate uses DNS for: looking up FortiGuard signatures, resolving FQDN-based firewall objects, providing DNS to clients when acting as DHCP server, and other internal lookups. Configure your preferred resolvers and the FortiGate itself doesn't depend on FortiGuard's DNS (faster, more reliable).

Before You Start

• Two reliable DNS resolvers (e.g. 1.1.1.1 + 8.8.8.8).
• Whether you want the FortiGate to be a DNS server for your LAN (lets it intercept and filter DNS).

Steps

System DNS resolvers (for the FortiGate itself)

1. Network → DNS.
2. DNS Settings:
   • Primary DNS Server — 1.1.1.1
   • Secondary DNS Server — 8.8.8.8
   • Local Domain Name — optional, e.g. office.local.
3. DNS Protocol:
   • UDP is standard.
   • DoH (DNS over HTTPS) and DoT (DNS over TLS) are supported for encrypted lookups — useful if your upstream supports them.
4. Click Apply.

FortiGate as a DNS Server for LAN clients

1. Network → DNS → toggle DNS Service on Interface on.
2. Pick the interface(s) (e.g. internal).
3. Mode:
   • Recursive — FortiGate resolves recursively itself.
   • Forward to System DNS — FortiGate forwards client queries to the upstream resolvers configured above.
   • Non-Recursive — only answer for configured DNS database entries.
4. Apply.

Then update your DHCP scope to hand out the FortiGate's interface IP as the DNS server (see Set Up a DHCP Server).

DNS Database (local DNS records)

For internal hostnames you want resolvable on your network:

1. Network → DNS → DNS Database.
2. + Create New zone:
   • Name — e.g. office.local.
   • Type — Master.
   • View — Shadow (LAN-only) or Public.
3. Add A records for each internal host (NAS, printer, internal app).
4. Apply.

CLI Equivalent

config system dns
    set primary 1.1.1.1
    set secondary 8.8.8.8
    set domain "office.local"
end

config system dns-server
edit "internal"
    set mode forward-only
next
end

Verify

# From the FortiGate:
execute ping google.com
execute nslookup google.com

# Show resolver config:
get system dns

From a client (with the FortiGate as its DNS):

nslookup google.com <fortigate-ip>

Should return Google's IPs.

Common Issues

• Resolution fails on FortiGate. Upstream DNS unreachable, or DNS protocol blocked. Test: execute ping 1.1.1.1 (should succeed if WAN is up). If reach works but resolution fails, try DoH or change resolver.
• Clients get FortiGate as DNS but resolution is slow. FortiGate forwarding to upstream — latency adds up. Use FortiGate's recursive mode, or point clients at upstream directly.
• DNS Database zone not authoritative for external queries. Expected — Shadow view is internal-only. Don't put real public records in a Shadow zone.
• Wildcard / unusual records. FortiOS DNS Database supports A, AAAA, NS, MX, CNAME, PTR, SRV, TXT — see GUI dropdown for the current set.

Related Pages

• Configure a Network Interface
• Set Up a DHCP Server
• Configure DNS Filtering