FortiDNS Version 1.1 Setup and Administration Guide
August 3, 2012
4th Edition
Copyright© 2012 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, and FortiGuard®, are
registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be trademarks
of Fortinet. All other product or company names may be trademarks of their respective owners.
Performance metrics contained herein were attained in internal lab tests under ideal conditions,
and performance may vary. Network variables, different network environments and other
conditions may affect performance results. Nothing herein represents any binding commitment
by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the
extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a
purchaser that expressly warrants that the identified product will perform according to the
performance metrics herein. For absolute clarity, any such warranty will be limited to
performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in
full any guarantees. Fortinet reserves the right to change, modify, transfer, or otherwise revise
this publication without notice, and the most current version of the publication shall be
applicable.
Technical Documentation docs.fortinet.com
Knowledge Base kb.fortinet.com
Customer Service & Support support.fortinet.com
Training Services training.fortinet.com
FortiGuard fortiguard.com
Document Feedback [email protected]
Contents
Introduction 5
  Scope 6
  Registering your Fortinet product 7
Setting up FortiDNS 8
  Installing FortiDNS hardware platforms 8
  Installing FortiDNS-VM 8
    System requirements 8
    FortiDNS-VM image installation and initial setup 8
  Administrative access - VM and hardware 9
    Web-based manager access 9
    Telnet 9
    SSH 9
  Managing system administrators 10
    One-factor or two-factor authentication 10
  Setting the system time 10
  Configuring network settings 11
  System maintenance 11
    Upgrading the firmware 11
    Backing up and restoring configuration 12
    Installing a license 12
    CLI commands 12
  Adding FortiToken devices 13
    FortiDNS and FortiTokens 14
    Monitoring FortiToken devices 14
    FortiToken device maintenance 14
  Configuring SNMP settings 14
    Configuring an SNMP threshold 15
    Configuring an SNMP v1 and v2c community 15
    Configuring an SNMP v3 user 16
  Monitoring FortiDNS 16
    System Information widget 16
    System Resources widget 17
    Top Clients widget 17
    DNS Request Summary widget 17
    Top Domains widget 17
DHCP server configuration 18
DNS service 20
  Configuring outbound queries 20
  Configuring access control rules 20
  Blacklisting IP addresses 21
  Configuring DNS forwarding 21
    Configuring conditional forwarding 22
    Creating stub zones 22
  Configuring UDP packet size 23
  Entering trust anchor keys 24
  Disabling DNSSEC for a domain 24
Logging 25
  Search button 25
  Log entry order 25
  Exporting the log 25
Index 26
Introduction
Welcome and thank you for selecting Fortinet products for your network protection.
Domain Name System (DNS), the method of translating names to device IP addresses, is
the lifeblood of the internet. Without it, e-mail cannot be sent, web sites cannot be found
and access to the internet in general grinds to a halt. If compromised, DNS can open an
organization up to attack and subversion via the redirection of users to malicious content.
It is one of the most critical but often overlooked components of business continuity.
The problem with DNS is that it is complicated, prone to misconfiguration, and requires
interaction at the command line. FortiDNS has been designed as a highly secure caching
DNS system to replace existing legacy solutions and is 100% GUI based to reduce the
risk of configuration error.
FortiDNS is built with security in mind. In keeping with other Fortinet solutions, security is
the key requirement of the FortiDNS solution, and to achieve this, Fortinet has partnered
with Nominum, one of the leading DNS solution providers, to power the core of the
solution. Developed by Fortinet and powered by Nominum, FortiDNS introduces
significant security benefits including:
• Hardened appliance format with GUI driven configuration significantly reduces the
complexity of deployment and reduces operational overheads.
• “Powered by Nominum” delivers market leading carrier class DNS to the enterprise
• High performance DNS caching speeds up name resolution and ultimately network
performance
• Strengthens enterprise security with a highly secure implementation supporting
methods including:
• Transaction ID Randomization
• UDP Source Port Randomization
• Case (query name) Randomization
• IPv6 and DNSSEC support enables deployment with confidence that future
requirements will be covered.
• Integrates with FortiToken two-factor authentication to enable secure remote
management
Figure 1 shows the workflow of the FortiDNS.
Figure 1: FortiDNS workflow
The figure shows the client, the FortiDNS, the Root Server, the .com Namespace, and the example.com Primary Server, with these steps:
Step 1: What is the IP of www.example.com? (client to FortiDNS)
Step 2: Where to find the IP of www.example.com? (FortiDNS to Root Server)
Step 3: Go and check the .com namespace. (Root Server to FortiDNS)
Step 4: What is the IP of www.example.com? (FortiDNS to .com Namespace)
Step 5: Go and check the example.com nameserver. (.com Namespace to FortiDNS)
Step 6: What is the IP of www.example.com? (FortiDNS to example.com Primary Server)
Step 7: The IP of www.example.com is 100.10.1.2. (example.com Primary Server to FortiDNS)
Step 8: The IP of www.example.com is 100.10.1.2. (FortiDNS to client)
This section includes:
• Scope
• Registering your Fortinet product
Scope
This document describes how to use the FortiDNS web-based manager. It assumes you
have already successfully installed the FortiDNS by following the instructions in the
QuickStart Guide and “Installing FortiDNS hardware platforms” on page 8 and “Installing
FortiDNS-VM” on page 8.
At this stage:
• You have administrative access to the web-based manager and/or CLI.
• The FortiDNS is integrated into your network.
• Firmware update has been completed.
Once that basic installation is complete, you can use this document. This guide explains
how to use the web-based manager to:
• maintain the FortiDNS, including backups
• configure basic items such as system time, DNS settings, administrator password,
and network interfaces
• configure advanced features, such as DNS service and logging
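The resolution walk of Figure 1, as an added example that is not part of the original guide: a small Python model of a caching recursive resolver following root, .com and example.com referrals for www.example.com. The zone data, the TTL and the cache behaviour are constructed for illustration and are assumptions, not FortiDNS internals.

```python
import time

# Constructed zone data mirroring Figure 1 (not a real DNS deployment):
# each authoritative server either answers with an A record or refers the
# resolver to the servers for a more specific zone.
ROOT_SERVER = {"NS": {"com.": "com-ns"}}
COM_NAMESPACE = {"NS": {"example.com.": "example-ns"}}
EXAMPLE_PRIMARY = {"A": {"www.example.com.": "100.10.1.2"}}

SERVERS = {
    "root": ("Root Server", ROOT_SERVER),
    "com-ns": (".com Namespace", COM_NAMESPACE),
    "example-ns": ("example.com Primary Server", EXAMPLE_PRIMARY),
}


def ask(server_id, qname):
    """One round trip to an authoritative server.

    Returns ("answer", ip) when the server holds the record for qname,
    ("referral", next_server_id) when it only knows a closer zone, or
    ("nxdomain", None) when it knows nothing about the name.
    """
    _, zone = SERVERS[server_id]
    if qname in zone.get("A", {}):
        return "answer", zone["A"][qname]
    # Walk from the full name towards the root and take the longest
    # delegation this server holds: "www.example.com." -> "example.com." -> "com."
    labels = qname.rstrip(".").split(".")
    for i in range(len(labels)):
        zone_name = ".".join(labels[i:]) + "."
        if zone_name in zone.get("NS", {}):
            return "referral", zone["NS"][zone_name]
    return "nxdomain", None


class CachingResolver:
    """Minimal caching resolver: walks the delegation chain once and serves
    later queries for the same name from its cache until the TTL expires."""

    def __init__(self, ttl_seconds=300):
        self.ttl = ttl_seconds
        self.cache = {}   # qname -> (ip, expiry timestamp)

    def resolve(self, qname, now=None):
        """Return (ip, trace); trace lists each step as (sender, receiver, message)."""
        now = time.time() if now is None else now
        trace = [("Client", "FortiDNS", f"What is the IP of {qname}?")]
        cached = self.cache.get(qname)
        if cached and cached[1] > now:
            trace.append(("FortiDNS", "Client", f"The IP of {qname} is {cached[0]} (cached)"))
            return cached[0], trace
        server = "root"
        for _ in range(10):   # bound the chain; a loop here would be a broken delegation
            name = SERVERS[server][0]
            trace.append(("FortiDNS", name, f"What is the IP of {qname}?"))
            kind, value = ask(server, qname)
            if kind == "answer":
                self.cache[qname] = (value, now + self.ttl)
                trace.append((name, "FortiDNS", f"The IP of {qname} is {value}"))
                trace.append(("FortiDNS", "Client", f"The IP of {qname} is {value}"))
                return value, trace
            if kind == "referral":
                trace.append((name, "FortiDNS", f"Go and check {SERVERS[value][0]}"))
                server = value
                continue
            trace.append((name, "FortiDNS", f"{qname} does not exist"))
            return None, trace
        return None, trace
```

An uncached lookup produces exactly the eight messages of the figure; a repeat query inside the TTL is answered from the cache in two.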
Registering your Fortinet product
Before you begin configuring and customizing features, take a moment to register your
Fortinet product at the Fortinet Technical Support web site, https://support.fortinet.com.
Many Fortinet customer services, such as firmware updates, technical support, and
FortiGuard Antivirus and other FortiGuard services, require product registration.
Setting up FortiDNS
The following section provides information about setting up the VMware (VM) version of
the product (FortiDNS-VM).
This section includes:
• Installing FortiDNS hardware platforms
• Installing FortiDNS-VM
• Administrative access - VM and hardware
• Managing system administrators
• Setting the system time
• Configuring network settings
• System maintenance
• Adding FortiToken devices
• Configuring SNMP settings
• Monitoring FortiDNS
Installing FortiDNS hardware platforms
For information about installing the FortiDNS hardware platforms, see the QuickStart
Guides provided with your unit.
Installing FortiDNS-VM
Before using FortiDNS-VM, you need to install the VMware application to host the
FortiDNS-VM device. The installation instructions for FortiDNS-VM assume you are
familiar with VMware products and terminology.
This section includes:
• System requirements
• FortiDNS-VM image installation and initial setup
System requirements
The minimum system requirements for a computer running the FortiDNS VM image
include:
• Installed latest version of VMware Player, Fusion, Workstation, or Server.
• 512 MB of RAM minimum
• one virtual NIC minimum, to a maximum of four virtual NICs
• minimum of 3 GB free space
FortiDNS-VM image installation and initial setup
The following procedure describes setup on VMware Fusion.
To set up the FortiDNS-VM image
1 Download the VM image ZIP file to the local computer where VMware is installed.
2 Expand the ZIP file into a folder.
3 In VMware Fusion, go to File > Open.
4 Navigate to the expanded VM image folder, select the FortiDNS-VM.vmx file and
select Open.
VMware will install and start FortiDNS-VM. This can take a minute.
5 At the FortiDNS login prompt, enter admin and press Enter. At the password prompt,
press Enter. By default, there is no password.
6 At the CLI prompt enter the following commands:
set port1-ip 192.168.1.99/24
set default-gw 192.168.1.1
Substitute your own desired FortiDNS IP address and default gateway.
You can now connect to the web-based manager at the address you set for port1-ip.
Administrative access - VM and hardware
Administrative access is enabled by default on port 1.
This section includes:
• Web-based manager access
• Telnet
• SSH
Web-based manager access
To use the web-based manager, point your browser to the Port1 IP address (default
address is 192.168.1.99). For example:
http://192.168.1.99
Enter admin as the User Name and leave the Password field blank.
For secure access, you can enter https instead of http in the URL.
Telnet
CLI access is available using telnet to the Port1 interface IP address, default
192.168.1.99. Use the telnet -K option (for Linux/Unix) so that telnet does not attempt to
log on using your user ID. For example:
$ telnet -K 192.168.1.99
At the FortiDNS login prompt, enter admin. When prompted for the password, just press
Enter. By default there is no password. When you are finished, use the exit command to
end the telnet session.
SSH
SSH provides secure access to the CLI. Connect to the Port1 interface IP address,
default 192.168.1.99. Specify the user name admin or SSH will attempt to log on with
your user name. For example:
$ ssh admin@192.168.1.99
At the password prompt, just press Enter. By default there is no password. When you are
finished, use the exit command to end the session.
Managing system administrators
Before you start to use FortiDNS, it is recommended you change the default admin’s
password or add a new administrator. By default, the default admin user does not have a
password.
This section includes:
• One-factor or two-factor authentication
To change the administrator’s password
1 Log on to the web-based manager.
2 Go to System > Admin > Administrators.
3 Select the administrator whose password you want to change.
4 Click Change Password.
5 Enter a new password and confirm it.
6 Click OK.
To add a new administrator
1 Log on to the web-based manager.
2 Go to System > Admin > Administrators and click Create New.
3 Enter the user name, password, and confirm the password.
4 Click OK.
5 Select Two-factor authentication and a security token.
For more information, see “One-factor or two-factor authentication” on page 10.
6 Collapse User Information and enter the information required.
7 Collapse Password Recovery Options.
8 Select Email to send the recovered password to the email address entered in User
Information or to other email addresses entered by clicking Manage alternative emails.
9 Select Security Question and click Edit to enter a security question answer, and click
OK.
10 Click OK.
One-factor or two-factor authentication
The standard logon requires the user to know the password. This is one-factor
authentication. Two-factor authentication adds the requirement for another piece of
information for logon. Generally the two factors are something you know (password) and
something you have (certificate, token). This increases the difficulty for an unauthorized
person to impersonate a legitimate user.
The FortiDNS unit supports FortiToken devices for the second factor in two-factor
authentication. For information about how to add a FortiToken device, see “Adding
FortiToken devices” on page 13.
Setting the system time
To use many of the FortiDNS features, such as logging and FortiToken authentication, it is
critical to set the system time accurately.
To set the system time
1 Log on to the web-based manager.
2 Go to System > Dashboard > Status.
3 In System Information, select Change in the System Time field.
4 Select your time zone from the list.
5 Either enable NTP or set the date/time manually.
Enter a new time and date by either typing it manually, selecting Today or Now, or
select the calendar or clock icons for a more visual method of setting the date and
time.
6 Click OK.
Configuring network settings
For the client users to access FortiDNS, you must configure the FortiDNS IP address and
gateway IP, and allow user access on the interfaces.
To initially set up FortiDNS on your network
1 Log on to the web-based manager.
2 Go to System > Network > Interfaces to set the IP address, subnet mask, and access
rights for each interface.
3 Click OK.
4 Go to System > Network > Default Gateway to set the gateway for each interface as
required.
5 Click OK.
System maintenance
System maintenance tasks are limited to changing the firmware, and backing up or
restoring the configuration file.
This section includes:
• Upgrading the firmware
• Backing up and restoring configuration
• Installing a license
• CLI commands
Upgrading the firmware
Firmware upgrades fix known issues, ensure features work as expected, and generally
improve your FortiDNS experience.
To upgrade the firmware, you must first register your FortiDNS with Fortinet. See
“Registering your Fortinet product” on page 7.
To upgrade FortiDNS firmware
1 Download the latest firmware to your local computer from the Fortinet Technical
Support web site, https://support.fortinet.com.
2 On FortiDNS, go to System > Maintenance > Firmware, or System > Dashboard >
Status and click Upgrade for Firmware Version.
3 Select Browse, and locate the new firmware image on your local computer.
4 Select OK.
When you select OK, the new firmware image will upload from your local computer to the
FortiDNS, which will then reboot. You will experience a short period of time during this
reboot when the FortiDNS is offline.
Backing up and restoring configuration
You can back up the configuration of the FortiDNS to your local computer. This
configuration file backup includes both the CLI and web-based manager configuration of
the FortiDNS.
To restore the configuration of your FortiDNS, go to System > Maintenance > Config, or
System > Dashboard > Status and click Backup/Restore for System Configuration.
Browse to the location of the backup file on your local computer, and select Restore. You
will be prompted to confirm the restore action, and approve the reboot. Upon
confirmation a message will be displayed stating that the system is starting the restore
process. When the restore and system reboot are completed, you must log in again.
When you restore the backup file, it will overwrite existing information and require a
FortiDNS reboot. Any information changed since the backup will be lost. Any active
sessions will be ended and must be restarted. You will have to log back in when the
system reboots.
Installing a license
To be able to use FortiDNS, you must have a valid license. To obtain a license, contact
your FortiDNS reseller or Fortinet Technical Support.
To install a license
1 Go to System > Maintenance > License.
2 Click Browse to locate the license file on your local PC.
3 Click OK.
CLI commands
The FortiDNS has CLI commands that are accessed using a console, Telnet, or SSH
session. Their purpose is to initially configure the unit, perform a factory reset, or
reset the values using a telnet session if the web-based manager is inaccessible for
some reason.
Command Description
help Display the list of valid CLI commands. You can also enter ? for help.
set port1-ip <addr_ipv4mask> Enter the IPv4 address and netmask for the port1 interface. The netmask is expected in the /xx format, for example 192.168.0.1/24. Once this port is configured, you can use the web-based manager to configure the remaining ports.
set default-gw <addr_ipv4> Enter the IPv4 address of the default gateway for this interface. This is the default route for this interface.
CLI commands (continued)
Command Description
set date <YYYY-MM-DD> Enter the current date. The valid format is four-digit year, two-digit month, and two-digit day. For example, set date 2011-08-12 sets the date to August 12th, 2011.
set time <HH:MM:SS> Enter the current time. The valid format is two digits each for hours, minutes, and seconds. A 24-hour clock is used. For example, 15:10:00 is 3:10pm.
set tz <timezone_index> Enter the current time zone using the time zone index. To see a list of index numbers and their corresponding time zones, enter set tz ?.
unset <setting> Restore the default value. For each set command listed above, there is an unset command, for example unset port1-ip.
show Display the current settings of port1 IP, netmask, default gateway, and time zone.
exit Terminate the CLI session.
reboot Perform a hard restart of the FortiDNS unit. All sessions will be terminated. The unit will go offline and there will be a delay while it restarts.
factory-reset Reset the FortiDNS settings to factory default settings. This includes clearing the user database. This procedure deletes all changes that you have made to the FortiDNS configuration and reverts the system to its original configuration, including resetting interface addresses.
shutdown Turn off the FortiDNS.
status Display basic system status information including firmware version, build number, serial number of the unit, and system time.
Adding FortiToken devices
A FortiToken device is a disconnected one-time password (OTP) generator. It is a small
physical device with a button that, when pressed, displays a six-digit authentication code.
This code is entered with a user’s username and password as two-factor authentication.
The code displayed changes every 60 seconds. When not in use the LCD screen is
blanked to extend the battery life.
The device has a small hole in one end. This is intended for a lanyard to be inserted so
the device can be worn around the neck, or easily stored with other electronic devices.
Do not put the FortiToken on a key ring as the metal ring and other metal objects can
damage it. The FortiToken is an electronic device like a cell phone and should be treated
with similar care.
This section includes:
• FortiDNS and FortiTokens
• Monitoring FortiToken devices
• FortiToken device maintenance
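The time-based code behaviour described for the FortiToken (six digits, a new code every 60 seconds, codes that stop matching when the device clock drifts until it is synchronized), as an added example that is neither Fortinet's nor FortiToken's own code: a generic RFC 6238 TOTP generator and a server-side verifier in Python. The demo secret, the one-step tolerance window, the replay check and the two-code resync routine are assumptions for illustration; the guide does not describe FortiToken's internal algorithm.

```python
import hashlib
import hmac
import struct

# Constructed demo secret; a real token's seed is provisioned by the vendor
# and is never visible to the administrator.
DEMO_SECRET = b"constructed-demo-seed-not-a-real-token-key"
STEP_SECONDS = 60     # the guide states the displayed code changes every 60 seconds
DIGITS = 6            # six-digit authentication code


def hotp(secret, counter, digits=DIGITS):
    """HMAC-based one-time password (RFC 4226) with dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp(secret, unix_time, step=STEP_SECONDS):
    """Time-based OTP (RFC 6238): the counter is the number of elapsed time steps."""
    return hotp(secret, int(unix_time) // step)


class TokenVerifier:
    """Server-side check that tolerates a bounded clock offset per token, refuses
    replayed codes, and can re-learn the offset the way a 'Synchronize' action does."""

    def __init__(self, secret, window=1, step=STEP_SECONDS):
        self.secret = secret
        self.window = window       # accept codes from +/- this many steps
        self.step = step
        self.drift_steps = 0       # learned offset between token clock and server clock
        self.last_step = None      # highest step already accepted (replay protection)

    def verify(self, code, server_time):
        """True if code matches a step inside the window around the server's view
        of the token clock; on success the learned drift follows the token."""
        base = int(server_time) // self.step + self.drift_steps
        for delta in range(-self.window, self.window + 1):
            step = base + delta
            if self.last_step is not None and step <= self.last_step:
                continue   # a code already accepted (or older) must not be replayed
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.drift_steps += delta
                self.last_step = step
                return True
        return False

    def synchronize(self, code1, code2, server_time, search_steps=60):
        """Resync a badly drifted token from two consecutive codes (assumed
        procedure): find the step where code1 is immediately followed by code2."""
        base = int(server_time) // self.step
        for delta in range(-search_steps, search_steps + 1):
            if (hotp(self.secret, base + delta) == code1
                    and hotp(self.secret, base + delta + 1) == code2):
                self.drift_steps = delta + 1   # token is now at the step of code2
                return True
        return False
```

A token running five minutes fast falls outside the one-step window and is rejected until it is resynchronized, which is the situation the maintenance section below addresses.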
FortiDNS and FortiTokens
If you enable two-factor authentication when adding an administrator (see “Managing
system administrators” on page 10), you must enter the FortiToken serial number into the
FortiDNS unit, which then contacts Fortinet FortiGuard servers to verify the information
before activating the FortiToken device.
To register FortiToken devices, you must have a valid FortiGuard connection. Otherwise
any FortiToken devices you enter will remain at Inactive status.
To add FortiToken devices
1 Go to System > Admin > FortiTokens.
2 Select Create New and enter the FortiToken device serial number. If there are multiple
numbers to enter, select the + icon to switch to a resizable multiple-line entry box.
3 Select OK.
Monitoring FortiToken devices
To monitor the total number of FortiToken devices registered on the FortiDNS unit, as well
as the number of disabled FortiTokens, go to System > Admin > FortiTokens.
You can also view the list of FortiTokens, their status, whether their clocks are drifting, and
which user they are assigned to.
FortiToken device maintenance
Go to System > Admin > FortiTokens and select Edit for the device. Do any of the
following:
• Disable a device when it is reported lost or stolen.
• Re-enable a device when it is recovered.
• Synchronize the FortiDNS and the FortiToken device when the device clock has
drifted. Synchronizing ensures that the device provides the token code that the
FortiDNS unit expects, as the codes are time-based. Fortinet recommends
synchronizing all new FortiTokens.
Configuring SNMP settings
Go to System > Admin > SNMP to configure SNMP to monitor FortiDNS system events
and thresholds.
To monitor FortiDNS system information and receive FortiDNS traps, you must compile
Fortinet proprietary MIBs as well as Fortinet-supported standard MIBs into your SNMP
manager. RFC support includes support for most of RFC 2665 (Ethernet-like MIB) and
most of RFC 1213 (MIB II).
The FortiDNS SNMP implementation is read-only. SNMP v1, v2c, and v3 compliant
SNMP managers have read-only access to FortiDNS system information and can receive
FortiDNS traps.
The FortiDNS SNMP v3 implementation includes support for queries, traps,
authentication, and privacy. Before you can use its SNMP queries, you must enable
SNMP access on the network interfaces that SNMP managers will use to access the
FortiDNS. For more information, see “Configuring network settings” on page 11.
This section includes:
• Configuring an SNMP threshold
• Configuring an SNMP v1 and v2c community
• Configuring an SNMP v3 user
Configuring an SNMP threshold
Configure under what circumstances an event is triggered.
To set SNMP thresholds
1 Go to System > Admin > SNMP.
2 Configure the following:
GUI item Description
Description Enter a descriptive name for the FortiDNS.
Location Enter the location of the FortiDNS.
Contact Enter administrator contact information.
CPU utilization trap threshold Enter the CPU utilization percentage that must be reached before a CPU utilization trap is triggered. The default value is 90.
Memory utilization trap threshold Enter the memory utilization percentage that must be reached before a memory utilization trap is triggered. The default value is 90.
DNS client trap threshold Enter the number of DNS clients that must be reached before a DNS client trap is triggered. The default value is 0.
DNS request rate trap threshold Enter the number of DNS queries per second that must be reached before a DNS request rate trap is triggered. The default value is 0.
3 Click Apply if you set any threshold levels.
Configuring an SNMP v1 and v2c community
An SNMP community is a grouping of equipment for SNMP-based network
administration purposes. You can add up to three SNMP communities so that SNMP
managers can connect to the FortiDNS to view system information and receive SNMP
traps. You can configure each community differently for SNMP traps and to monitor
different events. You can add the IP addresses of up to eight SNMP managers to each
community.
To configure an SNMP community
1 Go to System > Admin > SNMP.
2 Under SNMP v1/v2c, click Create New to add a community or select a community
and click Edit.
The SNMP Community page appears.
3 Configure the following:
GUI item Description
Community name Enter a name to identify the SNMP community. If you are editing an existing community, you cannot change the name.
Event Enable each SNMP event for which the FortiDNS should send traps to the SNMP managers in this community.
SNMP Hosts Lists the SNMP managers that can use the settings in this SNMP community to monitor the FortiDNS. Click Add another SNMP host to create a new entry.
IP/Netmask Enter the IP address of an SNMP manager. By default, the IP address is 0.0.0.0, so that any SNMP manager can use this SNMP community.
Queries Mark the check box to activate queries for each SNMP version.
Traps Select the check box to enable traps for each SNMP version that the SNMP managers use.
Delete (X icon) Click to remove this SNMP manager.
4 Click OK.
Configuring an SNMP v3 user
SNMP v3 adds more security by using authentication and privacy encryption. You can
specify an SNMP v3 notification host to which the FortiDNS sends traps.
To configure an SNMP v3 user
1 Go to System > Admin > SNMP.
2 Under SNMPv3, click Create New to add a user or select a user and click Edit.
The SNMPv3 User page appears.
3 Configure the following:
GUI item Description
SNMP Notification Hosts Lists the SNMP managers that the FortiDNS sends traps to. Click Add Another SNMP notification host to create a new entry.
IP Address Enter the IP address of an SNMP manager. By default, the IP address is 0.0.0.0, so that any SNMP manager can use this SNMP user.
Delete (X icon) Click to remove this SNMP manager.
4 Click OK.
Monitoring FortiDNS
Go to System > Dashboard > Status to display the following FortiDNS system
information. You can add a widget by clicking the Add Widget button or close a widget by
clicking the Close icon (X mark) on the widget.
This section includes:
• System Information widget
• System Resources widget
• Top Clients widget
• DNS Request Summary widget
• Top Domains widget
System Information widget
The System Information widget displays the serial number and basic system statuses
such as the host name, serial number, firmware version, system time, and up time.
In addition to displaying basic system information, you can also configure the system
time, firmware version, and system configuration, and shut down or reboot the
FortiDNS.
Table 1: System Information widget
GUI item Description
Host Name The host name of the FortiDNS.
Serial Number The serial number of the FortiDNS. The serial number is specific to the FortiDNS hardware and does not change with firmware upgrades. Use this number when registering the hardware with Fortinet Technical Support.
System Time The current date and time according to the FortiDNS’s internal clock. Click Change to change the time or configure the FortiDNS to get the time from an NTP server. See “Setting the system time” on page 10.
Firmware Version The version of the firmware currently installed on the FortiDNS. Click Upgrade to install firmware. See “Upgrading the firmware” on page 11.
System Configuration The time when the system configuration settings were backed up. Click Backup/Restore to back up or restore the configuration. See “Backing up and restoring configuration” on page 12.
Current Administrator The FortiDNS administrator currently logged on to the system. To configure the administrators, see “Managing system administrators” on page 10.
Uptime The time in days, hours, and minutes since the FortiDNS was started.
Shutdown/Reboot Click to close or restart the FortiDNS operating system.
Vantio License The validity of the Vantio NXR Service Delivery Module license.
System Resources widget
The System Resources widget displays the CPU and memory usage levels over time.
Top Clients widget
The Top Clients widget displays the IP addresses that requested the most DNS service
over time. You can blacklist any top DNS client from this widget.
DNS Request Summary widget
The DNS Request Summary widget displays the number of DNS service requests over
time.
Top Domains widget
The Top Domains widget displays the most-visited domains over time.
DHCP server configuration
A DHCP server provides an address to a client on the network, when requested, from a
defined address range.
You can configure one or more DHCP servers on FortiDNS. A DHCP server dynamically
assigns IP addresses to hosts on the network connected to FortiDNS. The host
computers must be configured to obtain their IP addresses using DHCP.
The FortiDNS DHCP server supports IPv4 and IPv6.
To configure a DHCP server
1 Go to DHCP > DHCP > Config.
2 Click Create New.
3 Configure the following:
GUI item: Description
General
  Enable: Select to activate this DHCP server.
  Name: Enter a name for this DHCP server.
  Lease time: Set the length of time an IP address remains assigned to a client. Once the lease expires, the address is released for allocation to the next client request for an IP address.
  Lease format: Select a format for the lease time.
  Network: Enter the DHCP subnet.
  Netmask: Enter the netmask of the addresses that the DHCP server assigns.
  Search domain: Enter the domain that the DHCP server assigns to clients.
  Default Gateway: Enter the IP address of the default gateway that the DHCP server assigns to DHCP clients.
  DNS #1: Add the IP address of the first DNS server that the DHCP server assigns to DHCP clients.
  DNS #2: Add the IP address of the second DNS server that the DHCP server assigns to DHCP clients.
  DNS #3: Add the IP address of the third DNS server that the DHCP server assigns to DHCP clients.
DHCP Ranges
  Add Another DHCP Range: Click the plus (+) sign to add a DHCP range.
  Configuration Type: If you select IP Range, enter the start and end for the range of IP addresses that this DHCP server assigns to DHCP clients. If you select Network, enter the subnet of this DHCP server.
DHCP Reservations
  Add Another DHCP Reservation: Click the plus (+) sign to add a DHCP reservation.
  Name: Enter the name for the DHCP reservation.
  IP Address: Enter the IP address that the DHCP server assigns to a specific client or device, matched by its MAC address. In a typical situation, an IP address is assigned ad hoc to a client, and that assignment times out after a specific time of inactivity from the client, known as the lease time. To ensure a client or device always has the same IP address, that is, there is no lease time, use an IP reservation.
  MAC/Device ID: Enter the MAC address of the client to which you want to match the IP address from the DHCP server.
  Description: Optionally, add a note about this DHCP reservation.
4 Click OK.
DNS service
DNS is designed to be open and distributed and uses the User Datagram Protocol (UDP).
Therefore it is vulnerable to various forms of attack. FortiDNS provides a set of protective
measures.
This section contains the following topics:
• Configuring outbound queries
• Configuring access control rules
• Blacklisting IP addresses
• Configuring DNS forwarding
• Configuring UDP packet size
• Entering trust anchor keys
• Disabling DNSSEC for a domain
Configuring outbound queries
You can configure the Internet protocols the FortiDNS uses when sending queries to the
name servers. You can also enable query case randomization to protect against cache
poisoning attacks.
Because of the important role of DNS for Internet navigation, attackers use a variety of
tricks to compromise it, such as cache poisoning attacks. Such attacks attempt to
replace legitimate DNS data with fake DNS data to control users’ Internet navigation. For
example, if an attacker can insert a fake record for a bank’s website, they could secretly
intercept the bank’s traffic.
To configure outbound queries
1 Go to DNS > DNS > General.
2 Select Use query case randomization if required.
Query case randomization is a technique used to make DNS queries more resistant to
poisoning attacks by mixing the upper and lower case spelling of the domain name in
the query, such as converting www.example.com into wWw.eXaMpLe.CoM. Since
most name servers preserve the mixed case-encoding in the answer that they send,
attackers trying to poison a DNS cache must therefore guess the mixed-case
encoding of the query, on top of all other fields required in a DNS poisoning attack.
This increases the difficulty of the attack.
3 In the Outbound queries field, choose an Internet protocol for sending queries to the
name servers.
4 Click OK.
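The following added example (not FortiDNS code, and not a description of how the appliance implements the feature) shows what query case randomization does to a name and why it raises the bar for an off-path forger: every ASCII letter is an extra bit the attacker has to guess, on top of the other fields a poisoning attempt must already match (modeled here, as an assumption, as the 16-bit transaction ID and the 16-bit source port). The response is only accepted if the question name comes back with exactly the case pattern that was sent.

```python
import secrets

# Added example: 0x20-style query case randomization as described in the guide.
# This is illustrative code, not the FortiDNS implementation.


def randomize_case(qname: str) -> str:
    """Randomly upper- or lower-case every ASCII letter in a query name.

    Only letters carry case; digits, hyphens and label separators are left
    untouched, so the name still refers to the same records. A CSPRNG is
    used so an off-path attacker cannot predict the pattern.
    """
    out = []
    for ch in qname:
        if ch.isascii() and ch.isalpha():
            out.append(ch.upper() if secrets.randbits(1) else ch.lower())
        else:
            out.append(ch)
    return "".join(out)


def case_bits(qname: str) -> int:
    """Number of ASCII letters in the name: each is one extra bit to guess."""
    return sum(1 for ch in qname if ch.isascii() and ch.isalpha())


def possible_encodings(qname: str) -> int:
    """How many distinct case patterns the same name can take."""
    return 2 ** case_bits(qname)


def response_acceptable(sent_qname: str, answered_qname: str) -> bool:
    """Accept a response only if the question name echoes the exact case sent.

    Most authoritative servers copy the question name byte-for-byte into the
    answer, so a mismatch means the response was not built from our query.
    """
    return sent_qname == answered_qname


def forgery_guess_space_bits(qname: str) -> int:
    """Bits an off-path forger must guess in total.

    Assumption for illustration: a 16-bit transaction ID and a 16-bit
    randomized source port, plus the case bits added by 0x20 encoding.
    """
    return 16 + 16 + case_bits(qname)


if __name__ == "__main__":
    sent = randomize_case("www.example.com")
    forged = "www.example.com"  # constructed: an attacker's all-lowercase guess
    print("sent:", sent)
    print("genuine echo accepted:", response_acceptable(sent, sent))
    print("lowercase forgery accepted:", response_acceptable(sent, forged))
    print("patterns to guess:", possible_encodings("www.example.com"))
```

Names with few letters (reverse-lookup names such as those under in-addr.arpa, or short labels) gain correspondingly little from this technique, which is why it is a complement to, not a replacement for, source-port randomization and DNSSEC validation.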
Configuring access control rules
Use the access control list (ACL) to allow or block client access to the FortiDNS
interfaces.
To create an access control rule
1 Go to DNS > DNS > ACL.
2 Click Create New.
3 For Title, enter a rule title.
4 Optionally enter a description.
5 For Access, select Allow or Block.
6 Enter the source IP to allow or block. Use the netmask, the portion after the slash (/), to
specify the matching subnet. For example, enter 10.10.10.10/24 to match a 24-bit
subnet, that is, all addresses starting with 10.10.10. This will appear as 10.10.10.0/24 in
the access control rule table, with the 0 indicating that any value is matched in that
position of the address.
Similarly, 10.10.10.10/32 will appear as 10.10.10.10/32 and match only the
10.10.10.10 address.
To match any address, enter 0.0.0.0/0.
7 Select the interface to apply the rule.
8 Click OK.
Blacklisting IP addresses
You can blacklist IP addresses so that they are not allowed to access FortiDNS.
To create a black list
1 Go to DNS > DNS > Blacklist.
2 Click Create New.
3 For Title, enter a rule title.
4 Enter the source IP to block. Use the netmask, the portion after the slash (/), to specify
the matching subnet. For example, enter 10.10.10.10/24 to match a 24-bit subnet, that is,
all addresses starting with 10.10.10. This will appear as 10.10.10.0/24 in the blacklist
table, with the 0 indicating that any value is matched in that position of the
address.
Similarly, 10.10.10.10/32 will appear as 10.10.10.10/32 and match only the
10.10.10.10 address.
5 Click OK.
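Both the access control rules and the blacklist above use the same netmask notation, and both rewrite a typed 10.10.10.10/24 to 10.10.10.0/24. The following added example (not FortiDNS code) shows that normalization and a first-match evaluation of the resulting rules with Python's standard ipaddress module. The rule ordering, the interface binding and the behaviour when nothing matches are assumptions made for the illustration, not documented FortiDNS behaviour.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Added example: source-address matching with the netmask notation the guide
# uses for ACL rules and blacklist entries. Illustrative, not FortiDNS code.


@dataclass(frozen=True)
class AccessRule:
    title: str
    access: str            # "Allow" or "Block", as in the GUI
    source: str            # the source exactly as typed, e.g. "10.10.10.10/24"
    interface: str = "any"  # assumption: a rule may be bound to one interface

    def network(self):
        # strict=False clears the host bits, which is the
        # 10.10.10.10/24 -> 10.10.10.0/24 rewrite the guide describes.
        return ipaddress.ip_network(self.source, strict=False)


def displayed_source(typed: str) -> str:
    """Return the source as it would appear in the rule table."""
    return str(ipaddress.ip_network(typed, strict=False))


def evaluate_acl(rules: Iterable[AccessRule], client_ip: str,
                 interface: str = "any",
                 default: str = "Block") -> Tuple[str, Optional[str]]:
    """First matching rule wins (assumption); return (action, rule title).

    A client whose address version differs from the rule (e.g. an IPv6
    client against 0.0.0.0/0) does not match it, so an IPv4-only rule set
    falls through to `default` for IPv6 clients.
    """
    addr = ipaddress.ip_address(client_ip)
    for rule in rules:
        if rule.interface not in ("any", interface):
            continue
        net = rule.network()
        if net.version == addr.version and addr in net:
            return rule.access, rule.title
    return default, None


def is_blacklisted(blacklist: Iterable[str], client_ip: str) -> bool:
    """Blacklist entries use the same notation; any match blocks the client."""
    addr = ipaddress.ip_address(client_ip)
    for entry in blacklist:
        net = ipaddress.ip_network(entry, strict=False)
        if net.version == addr.version and addr in net:
            return True
    return False


# Constructed sample rule set: block one host, allow its /24, block the rest.
SAMPLE_RULES: List[AccessRule] = [
    AccessRule("deny-host", "Block", "10.10.10.10/32"),
    AccessRule("lan-clients", "Allow", "10.10.10.10/24"),
    AccessRule("catch-all", "Block", "0.0.0.0/0"),
]

if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        print(f"{rule.title}: typed {rule.source}, shown as {displayed_source(rule.source)}")
    for ip in ("10.10.10.10", "10.10.10.77", "192.0.2.1", "2001:db8::1"):
        print(ip, "->", evaluate_acl(SAMPLE_RULES, ip))
```

The ordering matters: because the /32 Block precedes the /24 Allow, the single host stays blocked while its neighbours are allowed. If the rule table in the appliance is evaluated differently, the same normalization still applies but the outcome of overlapping rules may differ, so test overlapping rules before relying on them.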
Configuring DNS forwarding
You can configure the FortiDNS to forward the queries it cannot resolve locally to
another DNS server, the forwarder. By using a forwarder, you can manage name
resolution for names outside of your network, such as names on the Internet, and
improve the efficiency of name resolution for the hosts in your network. DNS forwarding
also adds privacy to your network because all requests leave from one point, so fewer
details about the internal network are exposed.
You can configure conditional forwarding (forwarding rules) or create stub zones for DNS
forwarding:
• Conditional forwarding can be applied to resolve Internet names or when your
organization has a DNS server responsible for your entire namespace.
• Stub zones are used if you want a DNS server hosting a parent zone to keep a current
list of the authoritative DNS servers for the child zones. As authoritative DNS servers
are added and removed, the list is automatically updated.
This section includes:
• Configuring conditional forwarding
• Creating stub zones
Configuring conditional forwarding
Configure a conditional forwarder to handle name resolution only for a specific domain.
Typically, a conditional forwarder is used if your network has a dedicated forwarder DNS
server that handles all DNS requests that need to be resolved on the public Internet. You
can configure the FortiDNS forwarding rule to point to such a forwarder.
FortiDNS has a default forwarder with the domain name Root, which applies to all
domains contained in the queries. This option helps alleviate the workload on the DNS
forwarder because FortiDNS caches some answers. FortiDNS only sends a query to
the forwarder when it cannot find the answer in its cache.
In addition to the default forwarder, you can configure other specific forwarders to handle
name resolution for particular domains as needed. For example,
you can configure the FortiDNS to forward any requests in the domain “example.com”
directly to a specific name server that is authoritative for that domain. Such a
configuration can speed up the name resolution process by eliminating the need to use
the default forwarder in the first place.
To configure a conditional forwarder
1 Go to DNS > DNS > Forwarding.
2 Under DNS Forwarding Rules, click Create New.
3 For Domain, enter the domain name for which FortiDNS will forward queries.
4 Select a forwarding method:
• Forwarding only: FortiDNS will only forward the queries to the forwarder.
• Forwarding and/or default resolution: FortiDNS will use the default forwarder first
and forward the queries to the forwarder if it cannot find the answers from the
cache of the default forwarder.
• Disabled: FortiDNS will not use the default forwarder or forward any queries.
5 Under Name Servers, click Add another name server.
6 Enter the IP address of the forwarder for the domain name specified. Repeat if you
have more forwarders for this domain to add.
7 Click OK.
Creating stub zones
Compared with conditional forwarding, a stub zone’s advantage is that its information is
dynamic. In the case of conditional forwarding, whenever the authoritative DNS servers
for the child zone change, the conditional forwarder setting on the DNS server hosting
the parent zone must be manually updated with the IP address of each new
authoritative DNS server for the child zone.
You cannot remove a default forwarder, although you can modify its forwarding method
and forwarder address.
If you have multiple levels of domain hierarchy, you can use stub zones to simplify name
resolution instead of DNS servers querying the root server. For example, you have the
following domain hierarchy:
• forest - example.com
• tree - tm.example.com with ti.tm.example.com as subdomain
• tree - st.example.com with gl.sa.example.com as subdomain.
In this scenario, if a client in “ti.tm.example.com” tries to access resources in
“gl.sa.example.com” without configuring stub zones, multiple DNS servers will have to
be contacted in the following order:
ti.tm.example.com > tm.example.com > example.com > st.example.com >
gl.sa.example.com.
However, if you create a stub zone in “ti.tm.example.com”, the stub zone will contain the
list of authoritative DNS servers for the zone and queries from “ti.tm.example.com” can
be directly sent to “gl.sa.example.com”.
To create a stub zone
1 Go to DNS > DNS > Forwarding.
2 Under DNS Stub Zones, click Create New.
3 For Domain, enter the target domain name for which you want to create a stub zone.
Stub domain names must contain valid reverse lookup addresses such as
5.2.1.192.in-addr.arpa or 100.10.1.1ip6.arpa.
4 Under Name Servers, click Add another name server.
5 Enter the IP address of one of the name servers on the target domain’s network.
Repeat if you have more name servers for this domain to add.
6 Click OK.
Configuring UDP packet size
DNS Security Extensions (DNSSEC) is a standard security protocol designed to ensure
the integrity of the domain name space. It is the only method to detect if your domain
name is hijacked.
When sending queries using Extension Mechanisms for DNS (EDNS) such as DNSSEC,
FortiDNS can reassemble packets of up to a specified length. This option is useful if a
firewall or other network device is causing IP fragments to be dropped, which would
result in timeouts and/or failures of resolutions involving large packets.
The default packet length is 4000 bytes. The maximum is also 4000 bytes, and the
minimum is 512 bytes.
To configure UDP packet size
1 Go to DNS > DNSSEC > General.
2 Select Use DNSSEC if you want to send queries using DNSSEC.
3 Enter the maximum UDP packet size in bytes.
4 Click OK.
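The UDP packet size configured above is what a resolver advertises to the servers it queries in the EDNS0 OPT record: the server may send a UDP response up to that size, and anything larger comes back truncated. The following added example (not FortiDNS code) builds and parses such an OPT record, clamps the size to the 512 to 4000 byte range stated in the guide, and shows the failure mode the text describes: a large advertised size invites IP fragmentation on a typical path, which is the case where dropped fragments turn into timeouts. The 1500-byte path MTU and 28-byte IPv4 and UDP header overhead used in the fragmentation check are assumptions for the illustration.

```python
import struct

# Added example: EDNS0 OPT record handling and UDP size clamping.
# Illustrative code; not the FortiDNS implementation.

MIN_UDP_SIZE = 512    # minimum the guide allows (also the pre-EDNS DNS/UDP limit)
MAX_UDP_SIZE = 4000   # FortiDNS default and maximum per the guide
OPT_TYPE = 41         # RR type of the EDNS0 OPT pseudo-record
DO_FLAG = 0x8000      # DNSSEC OK bit in the low 16 bits of the OPT TTL field


def clamp_udp_size(requested: int) -> int:
    """Force a configured size into the range the guide permits."""
    return max(MIN_UDP_SIZE, min(MAX_UDP_SIZE, requested))


def build_opt_record(udp_size: int, dnssec_ok: bool = True) -> bytes:
    """Serialize an OPT record advertising `udp_size` and, optionally, the DO bit.

    Layout: NAME (root, one zero byte) | TYPE=41 | CLASS=UDP payload size |
    TTL = extended RCODE(8) | EDNS version(8) | flags(16) | RDLENGTH=0.
    """
    ttl = DO_FLAG if dnssec_ok else 0   # extended RCODE 0, version 0
    return b"\x00" + struct.pack("!HHIH", OPT_TYPE, clamp_udp_size(udp_size), ttl, 0)


def parse_opt_record(record: bytes) -> dict:
    """Decode the fields a resolver cares about from a wire-format OPT record."""
    if len(record) < 11 or record[0] != 0:
        raise ValueError("not an OPT record: owner name must be the root")
    rtype, udp_size, ttl, rdlen = struct.unpack("!HHIH", record[1:11])
    if rtype != OPT_TYPE:
        raise ValueError(f"not an OPT record: type {rtype}")
    return {
        "udp_size": udp_size,
        "dnssec_ok": bool(ttl & DO_FLAG),
        "version": (ttl >> 16) & 0xFF,
        "rdlen": rdlen,
    }


def may_fragment(udp_size: int, path_mtu: int = 1500, header_overhead: int = 28) -> bool:
    """True if a full-size response would exceed the path MTU (assumed values).

    A response that large is sent as IP fragments; if a firewall on the path
    drops fragments, the query times out, which is the symptom the guide
    says lowering the size is meant to cure.
    """
    return udp_size + header_overhead > path_mtu


if __name__ == "__main__":
    for configured in (9000, 4000, 1232, 100):
        size = clamp_udp_size(configured)
        opt = build_opt_record(size)
        print(f"configured {configured:>5} -> advertised {parse_opt_record(opt)['udp_size']:>4}, "
              f"may fragment on 1500-byte path: {may_fragment(size)}")
```

Lowering the size does not make large DNSSEC responses disappear; it makes the server set the TC bit instead of fragmenting, and the resolver then retries over TCP. Port 53/TCP therefore has to be open on the path for a smaller UDP size to fix, rather than merely relocate, the timeouts.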
Entering trust anchor keys
DNSSEC validation requires that a caching server, such as FortiDNS, know the trust anchor
key for the root DNS domain in order to validate signed responses. Theoretically,
trust anchor keys do not change often, but they do change occasionally, and may
change unexpectedly in the event the keys are compromised.
For information about how to securely obtain the root zone keys, see the ICANN
publication DNSSEC Trust Anchor Publication for the Root Zone available at
http://data.iana.org/root-anchors/draft-icann-dnssec-trust-anchor.txt in either text or
HTML format. The directory http://data.iana.org/root-anchors/ also contains the other
data you will need to obtain the root key securely.
To enter a trust anchor key on FortiDNS
1 Go to DNS > DNSSEC > Trust Anchor Keys.
2 Click Create New.
3 For Domain, enter the DNS domain name whose signed responses you want FortiDNS to
validate.
An authenticated root DNS domain allows authentication of all domains (zones) below
it in the domain name hierarchy. For example, the trusted key for example.com also
authenticates the zone sub.example.com.
4 In the Key field, paste the trust anchor key string of the root DNS domain to be used
by FortiDNS to validate the already signed responses.
5 Click OK.
Disabling DNSSEC for a domain
You can disable the DNSSEC validation for a domain, even if the domain supports it.
To disable DNSSEC for a domain
1 Go to DNS > DNSSEC > Negative Trust Anchors.
2 Click Create New.
3 Enter the domain for which you want to disable DNSSEC.
4 Click OK.
Logging
Logging provides a record of the events that have taken place on the FortiDNS.
To access logs, go to Logging > Log Access > Logs. The Logs page has controls to help
you search your logs for the information you need.
This section includes:
• Search button
• Log entry order
• Log type reference
• Exporting the log
Search button
You can enter a string to search for in the log entries. The string must appear in the
Message portion of the log entry to result in a match for the search. To prevent each term
in a phrase from being matched separately, multiple keywords must be in quotes and be
an exact match.
After the search completes, the number of matches is displayed next to the Search
button, with the total number of log entries in brackets following it. Select the
total number of log entries to return to the full list. Subsequent searches search all log
entries and not just the previous search’s matches.
Log entry order
You can change the order used to display the log entries. To sort the log entries by a
particular column, such as Timestamp, select the title for that column. The log entries will
now be displayed based on data in that column in ascending order. Ascending or
descending is displayed with an arrow next to the column title — up arrow for ascending,
and down arrow for descending.
Log type reference
There are Admin Configuration, Authentication, System, and User Portal events. Each of
these has multiple log message types for each major event. To see the various types of
log messages, go to Logging > Log Access > Logs and select Log Type Reference.
On this page, you can search for the exact text of a specific log message. The search will
return any matches in any columns.
Exporting the log
You can select Download Raw Log to export the FortiDNS log as a text file named
fns.log.
Index
C
cache poisoning attack, 20
clock, 17
CPU usage, 17
D
default password, 6
DNS request summary, widget, 17
F
firmware version, 17
firmware updates, 7
FortiGuard, 14
FortiGuard Antivirus, 7
FortiToken, 13
  clock drift, 14
  monitoring, 14
  registering, 14
  synchronization, 14
I
installation, 6
M
memory usage, 17
O
one-time password (OTP), 13
outbound queries
  configuring, 20
P
password
  administrator, 6
product registration, 7
Q
query
  SNMP, 16
R
RFC
  1213, 14
  2665, 14
S
serial number, 17
SNMP
  community, 15
  event, 15
  manager, 15, 16
  query, 16
system information, widget, 16
system resources, widget, 17
T
technical support, 7
top clients, widget, 17
top domains, widget, 17
troubleshooting, 17
two-factor authentication
  FortiToken, 13
W
widget
  DNS request summary, 17
  system information, 16
  system resources, 17
  top clients, 17
  top domains, 17