FortiDNS Version 1.1 Setup and Administration Guide


August 3, 2012
4th Edition

Copyright 2012 Fortinet, Inc. All rights reserved. Fortinet, FortiGate, and FortiGuard are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance metrics contained herein were attained in internal lab tests under ideal conditions, and performance may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet's General Counsel, with a purchaser that expressly warrants that the identified product will perform according to the performance metrics herein. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet's internal lab tests. Fortinet disclaims in full any guarantees. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.

Technical Documentation: docs.fortinet.com
Knowledge Base: kb.fortinet.com
Customer Service & Support: support.fortinet.com
Training Services: training.fortinet.com
FortiGuard: fortiguard.com
Document Feedback: techdocs@fortinet.com

Contents

Introduction 5
    Scope 6
    Registering your Fortinet product 7
Setting up FortiDNS 8
    Installing FortiDNS hardware platforms 8
    Installing FortiDNS-VM 8
        System requirements 8
        FortiDNS-VM image installation and initial setup 8
    Administrative access - VM and hardware 9
        Web-based manager access 9
        Telnet 9
        SSH 9
    Managing system administrators 10
        One-factor or two-factor authentication 10
    Setting the system time 10
    Configuring network settings 11
    System maintenance 11
        Upgrading the firmware 11
        Backing up and restoring configuration 12
        Installing a license 12
        CLI commands 12
    Adding FortiToken devices 13
        FortiDNS and FortiTokens 14
        Monitoring FortiToken devices 14
        FortiToken device maintenance 14
    Configuring SNMP settings 14
        Configuring an SNMP threshold 15
        Configuring an SNMP v1 and v2c community 15
        Configuring an SNMP v3 user 16
    Monitoring FortiDNS 16
        System Information widget 16
        System Resources widget 17
        Top Clients widget 17
        DNS Request Summary widget 17
        Top Domains widget 17
DHCP server configuration 18
DNS service 20
    Configuring outbound queries 20

4th Edition 3

    Configuring access control rules 20
    Blacklisting IP addresses 21
    Configuring DNS forwarding 21
        Configuring conditional forwarding 22
        Creating stub zones 22
    Configuring UDP packet size 23
    Entering trust anchor keys 24
    Disabling DNSSEC for a domain 24
Logging 25
    Search button 25
    Log entry order 25
    Exporting the log 25
Index 26

Introduction

Welcome and thank you for selecting Fortinet products for your network protection.

Domain Name System (DNS), the method of translating names to device IP addresses, is the lifeblood of the internet. Without it, e-mail cannot be sent, web sites cannot be found and access to the internet in general grinds to a halt. If compromised, DNS can open an organization up to attack and subversion via the redirection of users to malicious content. It is one of the most critical but often overlooked components of business continuity.

The problem with DNS is that it is complicated, prone to misconfiguration, and requires interaction at the command line. FortiDNS has been designed as a highly secure caching DNS system to replace existing legacy solutions and is 100% GUI based to reduce the risk of configuration error.

FortiDNS is built with security in mind. In keeping with other Fortinet solutions, security is the key requirement of the FortiDNS solution, and to achieve this, Fortinet has partnered with Nominum, one of the leading DNS solutions providers, to power the core of the solution.

Developed by Fortinet and powered by Nominum, FortiDNS introduces significant security benefits including:
- Hardened appliance format with GUI driven configuration significantly reduces the complexity of deployment and reduces operational overheads.
- Powered by Nominum, delivering market leading carrier class DNS to the enterprise.
- High performance DNS caching speeds up name resolution and ultimately network performance.
- Strengthens enterprise security with a highly secure implementation supporting methods including:
    - Transaction ID Randomization
    - UDP Source Port Randomization
    - Case (query name) Randomization
- IPv6 and DNSSEC support enables deployment with confidence that future requirements will be covered.
- Integrates with FortiToken two-factor authentication to enable secure remote management.

Figure 1 shows the workflow of the FortiDNS.

Figure 1: FortiDNS workflow
Step 1 (query to FortiDNS): What is the IP of www.example.com?
Step 2 (FortiDNS to Root Server): Where to find the IP of www.example.com?
Step 3 (Root Server to FortiDNS): Go and check the .com namespace.
Step 4 (FortiDNS to .com Namespace): What is the IP of www.example.com?
Step 5 (.com Namespace to FortiDNS): Go and check the example.com nameserver.
Step 6 (FortiDNS to example.com Primary Server): What is the IP of www.example.com?
Step 7 (example.com Primary Server to FortiDNS): The IP of www.example.com is 100.10.1.2.
Step 8 (FortiDNS answers the original query): The IP of www.example.com is 100.10.1.2.

This section includes:
- Scope
- Registering your Fortinet product

Scope

This document describes how to use the FortiDNS web-based manager. It assumes you have already successfully installed the FortiDNS by following the instructions in the QuickStart Guide and in Installing FortiDNS hardware platforms on page 8 and Installing FortiDNS-VM on page 8. At this stage:
- You have administrative access to the web-based manager and/or CLI.
- The FortiDNS is integrated into your network.
- Firmware update has been completed.

Once that basic installation is complete, you can use this document. This guide explains how to use the web-based manager to:
- maintain the FortiDNS, including backups
- configure basic items such as system time, DNS settings, administrator password, and network interfaces
- configure advanced features, such as DNS service and logging
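The three randomization methods listed in the Introduction, as an added example that is not FortiDNS or Nominum code: a minimal resolver-side query builder that randomizes the transaction ID, the UDP source port and the query-name case, together with the check a caching resolver applies before it accepts an upstream answer. The packet layout follows the DNS wire format; the 1024-65535 source port range, the constructed response packets and the www.example.com / 100.10.1.2 values from Figure 1 are this example's own assumptions.

```python
from __future__ import annotations

import random
import struct


def encode_qname(name: str) -> bytes:
    """Wire-encode a domain name as length-prefixed labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_qname(pkt: bytes, pos: int) -> tuple[str, int]:
    """Read an uncompressed QNAME starting at pos; return (name, next position)."""
    labels = []
    while True:
        length = pkt[pos]
        pos += 1
        if length == 0:
            return ".".join(labels), pos
        labels.append(pkt[pos:pos + length].decode("ascii"))
        pos += length


def randomize_case(name: str, rng: random.Random) -> str:
    """Query-name case randomization: each letter is independently upper or lower case.
    Lookups are case-insensitive, so the answer is unaffected, but an authoritative
    server echoes the question back with exactly the casing it received."""
    return "".join(
        (c.upper() if rng.getrandbits(1) else c.lower()) if c.isalpha() else c
        for c in name
    )


def build_query(name: str, rng: random.Random) -> tuple[int, int, str, bytes]:
    """Build an A/IN query with RD set; return (txid, source_port, cased_qname, packet)."""
    txid = rng.getrandbits(16)                 # transaction ID randomization
    source_port = rng.randrange(1024, 65536)   # UDP source port randomization (assumed ephemeral range)
    qname = randomize_case(name, rng)          # case randomization
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = encode_qname(qname) + struct.pack("!HH", 1, 1)
    return txid, source_port, qname, header + question


def build_response(txid: int, qname: str, ipv4: str) -> bytes:
    """Constructed upstream answer: echoes the question and carries one A record (TTL 300)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA set
    question = encode_qname(qname) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(octet) for octet in ipv4.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata  # name pointer to offset 12
    return header + question + answer


def response_accepted(txid: int, source_port: int, qname: str,
                      pkt: bytes, dst_port: int) -> bool:
    """Resolver-side check: all three randomized values must match before the answer
    is cached. An off-path answer that gets any one of them wrong is dropped."""
    if dst_port != source_port:
        return False                            # not addressed to the port we sent from
    r_txid, flags, _, _, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    if not (flags & 0x8000) or r_txid != txid:
        return False                            # not a response, or wrong transaction ID
    r_qname, _ = decode_qname(pkt, 12)
    return r_qname == qname                     # exact, case-sensitive echo of our QNAME


def spoof_guess_bits(name: str) -> int:
    """Approximate bits an off-path sender must guess to be accepted: 16 (TXID) +
    16 (port, for a ~64k ephemeral range) + one per letter in the query name."""
    return 32 + sum(1 for c in name if c.isalpha())


if __name__ == "__main__":
    rng = random.Random()
    txid, sport, qname, query = build_query("www.example.com", rng)
    genuine = build_response(txid, qname, "100.10.1.2")           # address from Figure 1
    stale = build_response((txid + 1) & 0xFFFF, qname.lower(), "100.10.1.2")
    print(f"sent {qname!r} txid={txid:#06x} from port {sport}")
    print("genuine accepted:", response_accepted(txid, sport, qname, genuine, sport))
    print("mismatch accepted:", response_accepted(txid, sport, qname, stale, sport))
    print("bits to guess:", spoof_guess_bits("www.example.com"))
```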

Registering your Fortinet product

Before you begin configuring and customizing features, take a moment to register your Fortinet product at the Fortinet Technical Support web site, https://support.fortinet.com. Many Fortinet customer services, such as firmware updates, technical support, and FortiGuard Antivirus and other FortiGuard services, require product registration.

Setting up FortiDNS

The following section provides information about setting up the VMware (VM) version of the product (FortiDNS-VM). This section includes:
- Installing FortiDNS hardware platforms
- Installing FortiDNS-VM
- Administrative access - VM and hardware
- Managing system administrators
- Setting the system time
- Configuring network settings
- System maintenance
- Adding FortiToken devices
- Configuring SNMP settings
- Monitoring FortiDNS

Installing FortiDNS hardware platforms

For information about installing the FortiDNS hardware platforms, see the QuickStart Guides provided with your unit.

Installing FortiDNS-VM

Before using FortiDNS-VM, you need to install the VMware application to host the FortiDNS-VM device. The installation instructions for FortiDNS-VM assume you are familiar with VMware products and terminology. This section includes:
- System requirements
- FortiDNS-VM image installation and initial setup

System requirements

The minimum system requirements for a computer running the FortiDNS VM image include:
- Installed latest version of VMware Player, Fusion, Workstation, or Server.
- 512 MB of RAM minimum
- one virtual NIC minimum, to a maximum of four virtual NICs
- minimum of 3 GB free space

FortiDNS-VM image installation and initial setup

The following procedure describes setup on VMware Fusion.

To set up the FortiDNS-VM image
1 Download the VM image ZIP file to the local computer where VMware is installed.
2 Expand the ZIP file into a folder.

3 In VMware Fusion, go to File > Open.
4 Navigate to the expanded VM image folder, select the FortiDNS-VM.vmx file and select Open. VMware will install and start FortiDNS-VM. This can take a minute.
5 At the FortiDNS login prompt, enter admin and press Enter. At the password prompt, press Enter. By default, there is no password.
6 At the CLI prompt enter the following commands:
    set port1-ip 192.168.1.99/24
    set default-gw 192.168.1.1
  Substitute your own desired FortiDNS IP address and default gateway.

You can now connect to the web-based manager at the address you set for port1-ip.

Administrative access - VM and hardware

Administrative access is enabled by default on port 1. This section includes:
- Web-based manager access
- Telnet
- SSH

Web-based manager access

To use the web-based manager, point your browser to the Port1 IP address (default address is 192.168.1.99). For example, http://192.168.1.99. Enter admin as the User Name and leave the Password field blank. For secure access, you can enter https instead of http in the URL.

Telnet

CLI access is available using telnet to the Port1 interface IP address, default 192.168.1.99. Use the telnet -K option (for Linux/Unix) so that telnet does not attempt to log on using your user ID. For example:
    $ telnet -K 192.168.1.99
At the FortiDNS login prompt, enter admin. When prompted for the password, just press Enter. By default there is no password. When you are finished, use the exit command to end the telnet session.

SSH

SSH provides secure access to the CLI. Connect to the Port1 interface IP address, default 192.168.1.99. Specify the user name admin or SSH will attempt to log on with your user name. For example:
    $ ssh admin@192.168.1.99
At the password prompt, just press Enter. By default there is no password. When you are finished, use the exit command to end the session.

Managing system administrators

Before you start to use FortiDNS, it is recommended you change the default admin's password or add a new administrator. By default, the default admin user does not have a password. This section includes:
- One-factor or two-factor authentication

To change the administrator's password
1 Log on to the web-based manager.
2 Go to System > Admin > Administrators.
3 Select the administrator whose password you want to change.
4 Click Change Password.
5 Enter a new password and confirm it.
6 Click OK.

To add a new administrator
1 Log on to the web-based manager.
2 Go to System > Admin > Administrators and click Create New.
3 Enter the user name, password, and confirm the password.
4 Click OK.
5 Select Two-factor authentication and a security token. For more information, see One-factor or two-factor authentication on page 10.
6 Collapse User Information and enter the information required.
7 Collapse Password Recovery Options.
8 Select Email to send the recovered password to the email address entered in User Information or to other email addresses entered by clicking Manage alternative emails.
9 Select Security Question and click Edit to enter a security question and answer, and click OK.
10 Click OK.

One-factor or two-factor authentication

The standard logon requires the user to know the password. This is one-factor authentication. Two-factor authentication adds the requirement for another piece of information for logon. Generally the two factors are something you know (password) and something you have (certificate, token). This increases the difficulty for an unauthorized person to impersonate a legitimate user. The FortiDNS unit supports FortiToken devices for the second factor in two-factor authentication. For information about how to add a FortiToken device, see Adding FortiToken devices on page 13.

Setting the system time

To use many of the FortiDNS features, such as logging and FortiToken authentication, it is critical to set the system time accurately.

To set the system time
1 Log on to the web-based manager.
2 Go to System > Dashboard > Status.
3 In System Information, select Change in the System Time field.
4 Select your time zone from the list.
5 Either enable NTP or set the date/time manually. Enter a new time and date by either typing it manually, selecting Today or Now, or selecting the calendar or clock icons for a more visual method of setting the date and time.
6 Click OK.

Configuring network settings

For the client users to access FortiDNS, you must configure the FortiDNS IP address and gateway IP, and allow user access on the interfaces.

To initially set up FortiDNS on your network
1 Log on to the web-based manager.
2 Go to System > Network > Interfaces to set the IP address, subnet mask, and access rights for each interface.
3 Click OK.
4 Go to System > Network > Default Gateway to set the gateway for each interface as required.
5 Click OK.

System maintenance

System maintenance tasks are limited to changing the firmware, and backing up or restoring the configuration file. This section includes:
- Upgrading the firmware
- Backing up and restoring configuration
- Installing a license
- CLI commands

Upgrading the firmware

Firmware upgrades fix known issues, ensure features work as expected, and generally improve your FortiDNS experience. To upgrade the firmware, you must first register your FortiDNS with Fortinet. See Registering your Fortinet product on page 7.

To upgrade FortiDNS firmware
1 Download the latest firmware to your local computer from the Fortinet Technical Support web site, https://support.fortinet.com.
2 On FortiDNS, go to System > Maintenance > Firmware, or System > Dashboard > Status and click Upgrade for Firmware Version.

3 Select Browse, and locate the new firmware image on your local computer.
4 Select OK.
When you select OK, the new firmware image will upload from your local computer to the FortiDNS, which will then reboot. You will experience a short period of time during this reboot when the FortiDNS is offline.

Backing up and restoring configuration

You can back up the configuration of the FortiDNS to your local computer. This configuration file backup includes both the CLI and web-based manager configuration of the FortiDNS. When you restore the backup file, it will overwrite existing information and require a FortiDNS reboot. Any information changed since the backup will be lost. Any active sessions will be ended and must be restarted. You will have to log back in when the system reboots.

To restore the configuration of your FortiDNS, go to System > Maintenance > Config, or System > Dashboard > Status and click Backup/Restore for System Configuration. Browse to the location of the backup file on your local computer, and select Restore. You will be prompted to confirm the restore action, and approve the reboot. Upon confirmation a message will be displayed stating that the system is starting the restore process. When the restore and system reboot are completed, you must log in.

Installing a license

To be able to use FortiDNS, you must have a valid license. To obtain a license, contact your FortiDNS reseller or Fortinet Technical Support.

To install a license
1 Go to System > Maintenance > License.
2 Click Browse to locate the license file on your local PC.
3 Click OK.

CLI commands

The FortiDNS has CLI commands that are accessed using a console, Telnet, or SSH session. Their purpose is to initially configure the unit, perform a factory reset, or reset the values using a telnet session if the web-based manager is inaccessible for some reason.

help
    Display the list of valid CLI commands. You can also enter ? for help.
set port1-ip <addr_ipv4mask>
    Enter the IPv4 address and netmask for the port1 interface. The netmask is expected in the /xx format, for example 192.168.0.1/24. Once this port is configured, you can use the web-based manager to configure the remaining ports.
set default-gw <addr_ipv4>
    Enter the IPv4 address of the default gateway for this interface. This is the default route for this interface.

set date <YYYY-MM-DD>
    Enter the current date. Valid format is four digit year, 2 digit month, and 2 digit day. For example set date 2011-08-12 sets the date to August 12th, 2011.
set time <HH:MM:SS>
    Enter the current time. Valid format is two digits each for hours, minutes, and seconds. A 24-hour clock is used. For example 15:10:00 is 3:10pm.
set tz <timezone_index>
    Enter the current time zone using the time zone index. To see a list of index numbers and their corresponding time zones, enter set tz ?.
unset <setting>
    Restore the default value. For each set command listed above, there is an unset command, for example unset port1-ip.
show
    Display current settings of port1 IP, netmask, default gateway, and time zone.
exit
    Terminate the CLI session.
reboot
    Perform a hard restart of the FortiDNS unit. All sessions will be terminated. The unit will go offline and there will be a delay while it restarts.
factory-reset
    Reset the FortiDNS settings to factory default settings. This includes clearing the user database. This procedure deletes all changes that you have made to the FortiDNS configuration and reverts the system to its original configuration, including resetting interface addresses.
shutdown
    Turn off the FortiDNS.
status
    Display basic system status information including firmware version, build number, serial number of the unit, and system time.

Adding FortiToken devices

A FortiToken device is a disconnected one-time password (OTP) generator. It is a small physical device with a button that when pressed displays a six digit authentication code. This code is entered with a user's username and password as two-factor authentication. The code displayed changes every 60 seconds. When not in use the LCD screen is blanked to extend the battery life.

The device has a small hole in one end. This is intended for a lanyard to be inserted so the device can be worn around the neck, or easily stored with other electronic devices. Do not put the FortiToken on a key ring as the metal ring and other metal objects can damage it. The FortiToken is an electronic device like a cell phone and should be treated with similar care.

This section includes:
- FortiDNS and FortiTokens
- Monitoring FortiToken devices
- FortiToken device maintenance

FortiDNS and FortiTokens

If you enable two-factor authentication when adding an administrator (see Managing system administrators on page 10), you must enter the FortiToken serial number into the FortiDNS unit, which then contacts Fortinet FortiGuard servers to verify the information before activating the FortiToken device.

To add FortiToken devices
1 Go to System > Admin > FortiTokens.
2 Select Create New and enter the FortiToken device serial number. If there are multiple numbers to enter, select the + icon to switch to a resizable multiple-line entry box.
3 Select OK.
To register FortiToken devices, you must have a valid FortiGuard connection. Otherwise any FortiToken devices you enter will remain at Inactive status.

Monitoring FortiToken devices

To monitor the total number of FortiToken devices registered on the FortiDNS unit, as well as the number of disabled FortiTokens, go to System > Admin > FortiTokens. You can also view the list of FortiTokens, their status, whether their clocks are drifting, and which user they are assigned to.

FortiToken device maintenance

Go to System > Admin > FortiTokens and select Edit for the device. Do any of the following:
- Disable a device when it is reported lost or stolen.
- Re-enable a device when it is recovered.
- Synchronize the FortiDNS and the FortiToken device when the device clock has drifted. Synchronizing ensures that the device provides the token code that the FortiDNS unit expects, as the codes are time-based. Fortinet recommends synchronizing all new FortiTokens.

Configuring SNMP settings

Go to System > Admin > SNMP to configure SNMP to monitor FortiDNS system events and thresholds. To monitor FortiDNS system information and receive FortiDNS traps, you must compile Fortinet proprietary MIBs as well as Fortinet-supported standard MIBs into your SNMP manager. RFC support includes support for most of RFC 2665 (Ethernet-like MIB) and most of RFC 1213 (MIB II).

The FortiDNS SNMP implementation is read-only. SNMP v1, v2c, and v3 compliant SNMP managers have read-only access to FortiDNS system information and can receive FortiDNS traps. The FortiDNS SNMP v3 implementation includes support for queries, traps, authentication, and privacy. Before you can use its SNMP queries, you must enable SNMP access on the network interfaces that SNMP managers will use to access the FortiDNS. For more information, see Configuring network settings on page 11.

This section includes:
- Configuring an SNMP threshold
- Configuring an SNMP v1 and v2c community
- Configuring an SNMP v3 user

Configuring an SNMP threshold

Configure under what circumstances an event is triggered.

To set SNMP thresholds
1 Go to System > Admin > SNMP.
2 Configure the following:
Description
    Enter a descriptive name for the FortiDNS.
Location
    Enter the location of the FortiDNS.
Contact
    Enter administrator contact information.
CPU utilization trap threshold
    Enter the percentage of CPU utilization that must be reached before a CPU utilization trap is triggered. The default value is 90.
Memory utilization trap threshold
    Enter the percentage of memory utilization that must be reached before a memory utilization trap is triggered. The default value is 90.
DNS client trap threshold
    Enter the number of DNS clients that must be reached before a DNS client trap is triggered. The default value is 0.
DNS request rate trap threshold
    Enter the number of DNS queries per second that must be reached before a DNS request rate trap is triggered. The default value is 0.
3 Click Apply if you set any threshold levels.

Configuring an SNMP v1 and v2c community

An SNMP community is a grouping of equipment for SNMP-based network administration purposes. You can add up to three SNMP communities so that SNMP managers can connect to the FortiDNS to view system information and receive SNMP traps. You can configure each community differently for SNMP traps and to monitor different events. You can add the IP addresses of up to eight SNMP managers to each community.

To configure an SNMP community
1 Go to System > Admin > SNMP.
2 Under SNMP v1/v2c, click Create New to add a community or select a community and click Edit. The SNMP Community page appears.
3 Configure the following:
Community name
    Enter a name to identify the SNMP community. If you are editing an existing community, you cannot change the name.
Event
    Enable each SNMP event for which the FortiDNS should send traps to the SNMP managers in this community.
SNMP Hosts
    Lists SNMP managers that can use the settings in this SNMP community to monitor the FortiDNS. Click Add another SNMP host to create a new entry.
    IP/Netmask
        Enter the IP address of an SNMP manager. By default, the IP address is 0.0.0.0, so that any SNMP manager can use this SNMP community.

    Queries
        Mark the check box to activate queries for each SNMP version.
    Traps
        Select the check box to enable traps for each SNMP version that the SNMP managers use.
    Delete (X icon)
        Click to remove this SNMP manager.
4 Click OK.

Configuring an SNMP v3 user

SNMP v3 adds more security by using authentication and privacy encryption. You can specify an SNMP v3 notification host to which the FortiDNS sends traps.

To configure an SNMP v3 user
1 Go to System > Admin > SNMP.
2 Under SNMPv3, click Create New to add a user or select a user and click Edit. The SNMPv3 User page appears.
3 Configure the following:
SNMP Notification Hosts
    Lists the SNMP managers that FortiDNS sends traps to. Click Add Another SNMP notification host to create a new entry.
    IP Address
        Enter the IP address of an SNMP manager. By default, the IP address is 0.0.0.0, so that any SNMP manager can use this SNMP user.
    Delete (X icon)
        Click to remove this SNMP manager.
4 Click OK.

Monitoring FortiDNS

Go to System > Dashboard > Status to display the following FortiDNS system information. You can add a widget by clicking the Add Widget button or close a widget by clicking the Close icon (X mark) on the widget. This section includes:
- System Information widget
- System Resources widget
- Top Clients widget
- DNS Request Summary widget
- Top Domains widget

System Information widget

The System Information widget displays basic system statuses such as the host name, serial number, firmware version, system time, and up time (see Table 1). In addition to displaying basic system information, you can also use it to configure the system time, firmware version, and system configuration, and to shut down or reboot the FortiDNS.

Table 1: System Information widget
Host Name: The host name of the FortiDNS.
Serial Number: The serial number of the FortiDNS. The serial number is specific to the FortiDNS hardware and does not change with firmware upgrades. Use this number when registering the hardware with Fortinet Technical Support.
System Time: The current date and time according to the FortiDNS's internal clock. Click Change to change the time or to configure the FortiDNS to get the time from an NTP server. See Setting the system time on page 10.
Firmware Version: The version of the firmware currently installed on the FortiDNS. Click Upgrade to install firmware. See Upgrading the firmware on page 11.
System Configuration: The time when the system configuration settings were backed up. Click Backup/Restore to back up or restore the configuration. See Backing up and restoring configuration on page 12.
Current Administrator: The FortiDNS administrator currently logged on to the system. To configure the administrators, see Managing system administrators on page 10.
Uptime: The time in days, hours, and minutes since the FortiDNS was started.
Shutdown/Reboot: Click to shut down or restart the FortiDNS operating system.
Vantio License: The validity of the Vantio NXR Service Delivery Module license.

System Resources widget

The System Resources widget displays the CPU and memory usage levels over time.

Top Clients widget

The Top Clients widget displays the IP addresses that requested the most DNS service over time. You can blacklist any top DNS client from this widget.

DNS Request Summary widget

The DNS Request Summary widget displays the number of DNS service requests over time.

Top Domains widget

The Top Domains widget displays the most-visited domains over time.

DHCP server configuration

A DHCP server provides an address to a client on the network, when requested, from a defined address range. You can configure one or more DHCP servers on FortiDNS. A DHCP server dynamically assigns IP addresses to hosts on the network connected to FortiDNS. The host computers must be configured to obtain their IP addresses using DHCP. The FortiDNS DHCP server supports IPv4 and IPv6.

To configure a DHCP server
1 Go to DHCP > DHCP > Config.
2 Click Create New.
3 Configure the following:
General
Enable: Select to activate this DHCP server.
Name: Enter a name for this DHCP server.
Lease time: Set the length of time an IP address remains assigned to a client. Once the lease expires, the address is released for allocation to the next client request for an IP address.
Lease format: Select a format for the lease time.
Network: Enter the DHCP subnet.
Netmask: Enter the netmask of the addresses that the DHCP server assigns.
Search domain: Enter the domain that the DHCP server assigns to clients.
Default Gateway: Enter the IP address of the default gateway that the DHCP server assigns to DHCP clients.
DNS #1: Add the IP address of the first DNS server that the DHCP server assigns to DHCP clients.
DNS #2: Add the IP address of the second DNS server that the DHCP server assigns to DHCP clients.
DNS #3: Add the IP address of the third DNS server that the DHCP server assigns to DHCP clients.
DHCP Ranges
Add Another: Click the plus (+) sign to add a DHCP range.
DHCP Range Configuration
Type: If you select IP Range, enter the start and end of the range of IP addresses that this DHCP server assigns to DHCP clients. If you select Network, enter the subnet of this DHCP server.
DHCP Reservations
Add Another: Click the plus (+) sign to add a DHCP reservation.
DHCP Reservation
Name: Enter the name for the DHCP reservation.

IP Address: Enter the IP address from the DHCP server to match a specific client or device using its MAC address. In a typical situation, an IP address is assigned ad hoc to a client, and that assignment times out after a specific time of inactivity from the client, known as the lease time. To ensure a client or device always has the same IP address, that is, there is no lease time, use IP reservation.
MAC/Device ID: Enter the MAC address of the client to which you want to match the IP address from the DHCP server.
Description: Optionally, add a note about this DHCP reservation.
4 Click OK.

DNS service

DNS is designed to be open and distributed and uses the User Datagram Protocol (UDP). Therefore it is vulnerable to various forms of attack. FortiDNS provides a set of protective measures.

This section contains the following topics:
Configuring outbound queries
Configuring access control rules
Blacklisting IP addresses
Configuring DNS forwarding
Configuring UDP packet size
Entering trust anchor keys
Disabling DNSSEC for a domain

Configuring outbound queries

You can configure the Internet protocols the FortiDNS uses when sending queries to the name servers. You can also enable query case randomization to protect against cache poisoning attacks.

Because of the important role of DNS in Internet navigation, attackers use a variety of tricks to compromise it, such as cache poisoning attacks. Such attacks attempt to replace legitimate DNS data with fake DNS data to control users' Internet navigation. For example, if an attacker can insert a fake record for a bank's website, they could secretly intercept the bank's traffic.

To configure outbound queries
1 Go to DNS > DNS > General.
2 Select Use query case randomization if required. Query case randomization is a technique used to make DNS queries more resistant to poisoning attacks by mixing the upper and lower case spelling of the domain name in the query, such as converting www.example.com into a mixed-case form like wWw.eXaMpLe.CoM. Since most name servers preserve the mixed-case encoding in the answer that they send, attackers trying to poison a DNS cache must therefore guess the mixed-case encoding of the query, on top of all other fields required in a DNS poisoning attack. This increases the difficulty of the attack.
3 In the Outbound queries field, choose an Internet protocol for sending queries to the name servers.
4 Click OK.

Configuring access control rules

Use the access control list (ACL) to allow or block client access to the FortiDNS interfaces.
To create an access control rule
1 Go to DNS > DNS > ACL.

2 Click Create New.
3 For Title, enter a rule title.
4 Optionally, enter a description.
5 For Access, select Allow or Block.
6 Enter the source IP to allow or block. Use the netmask, the portion after the slash (/), to specify the matching subnet. For example, enter 10.10.10.10/24 to match a 24-bit subnet, or all addresses starting with 10.10.10. This will appear as 10.10.10.0/24 in the access control rule table, with the 0 indicating that any value is matched in that position of the address. Similarly, 10.10.10.10/32 will appear as 10.10.10.10/32 and match only the 10.10.10.10 address. To match any address, enter 0.0.0.0/0.
7 Select the interface to apply the rule to.
8 Click OK.

Blacklisting IP addresses

You can blacklist IP addresses so that they are not allowed to access FortiDNS.

To create a blacklist
1 Go to DNS > DNS > Blacklist.
2 Click Create New.
3 For Title, enter a rule title.
4 Enter the source IP to block. Use the netmask, the portion after the slash (/), to specify the matching subnet. For example, enter 10.10.10.10/24 to match a 24-bit subnet, or all addresses starting with 10.10.10. This will appear as 10.10.10.0/24 in the access control rule table, with the 0 indicating that any value is matched in that position of the address. Similarly, 10.10.10.10/32 will appear as 10.10.10.10/32 and match only the 10.10.10.10 address.
5 Click OK.

Configuring DNS forwarding

You can configure the FortiDNS to forward the queries it cannot resolve locally to another DNS server, the forwarder. By using a forwarder, you can manage name resolution for names outside of your network, such as names on the Internet, and improve the efficiency of name resolution for the hosts in your network. DNS forwarding also adds extra privacy to your network because all requests come from one point and fewer details about the network internals are exposed.
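The subnet notation that the ACL and blacklist steps above describe, worked through in code. This is an added example, not FortiDNS code: the rule ordering (blacklist checked first, then the first matching ACL rule in configured order) and the "any" interface value are this example's assumptions, and the rule names and addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    title: str
    access: str             # "Allow" or "Block", as chosen on the ACL page
    source: str             # source entry as typed, e.g. "10.10.10.10/24"
    interface: str = "any"  # "any" is this example's convention for a rule applied to every interface


def normalize_source(entry: str) -> str:
    """Return the entry as the rule table shows it, with host bits cleared.

    '10.10.10.10/24' -> '10.10.10.0/24', '10.10.10.10/32' -> '10.10.10.10/32',
    '0.0.0.0/0' -> '0.0.0.0/0'; an entry without a slash is treated as a single host.
    """
    if "/" not in entry:
        entry = f"{entry}/{ipaddress.ip_address(entry).max_prefixlen}"
    return str(ipaddress.ip_network(entry, strict=False))


def source_matches(entry: str, client_ip: str) -> bool:
    """True when client_ip lies inside the entry's subnet; IPv4 entries never match IPv6 clients."""
    net = ipaddress.ip_network(normalize_source(entry))
    addr = ipaddress.ip_address(client_ip)
    return addr.version == net.version and addr in net


def decide(client_ip: str, interface: str, blacklist: list, rules: list):
    """Model of the access decision (assumptions: the blacklist is checked first and always blocks;
    ACL rules are evaluated in configured order and the first match decides).
    Returns "Allow", "Block", or None when no rule matches (the page states no default action)."""
    if any(source_matches(entry, client_ip) for entry in blacklist):
        return "Block"
    for rule in rules:
        if rule.interface in ("any", interface) and source_matches(rule.source, client_ip):
            return rule.access
    return None
```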
You can configure conditional forwarding (forwarding rules) or create stub zones for DNS forwarding:
Conditional forwarding can be applied to resolve Internet names or when your organization has a DNS server responsible for your entire namespace.
Stub zones are used if you want a DNS server hosting a parent zone to keep a current list of the authoritative DNS servers for the child zones. As authoritative DNS servers are added and removed, the list is automatically updated.

This section includes:
Configuring conditional forwarding
Creating stub zones

Configuring conditional forwarding

Configure a conditional forwarder to handle name resolution only for a specific domain. Typically, a conditional forwarder is used if your network has a dedicated forwarder DNS server that handles all DNS requests that need to be resolved on the public Internet. You can configure the FortiDNS forwarding rule to point to such a forwarder.

FortiDNS has a default forwarder with the domain name Root, which applies to all domains contained in the queries. This option helps alleviate the workload on the DNS forwarder because FortiDNS caches some answers. FortiDNS only sends queries to the forwarder when it cannot find the answers in its cache. You cannot remove the default forwarder, although you can modify its forwarding method and forwarder address.

In addition to the default forwarder, you can configure other specific forwarders to handle name resolution for any specific domains you choose. For example, you can configure the FortiDNS to forward any requests in the domain example.com directly to a specific name server that is authoritative for that domain. Such a configuration can speed up the name resolution process by eliminating the need to use the default forwarder in the first place.

To configure a conditional forwarder
1 Go to DNS > DNS > Forwarding.
2 Under DNS Forwarding Rules, click Create New.
3 For Domain, enter the domain name for which FortiDNS will forward queries.
4 Select a forwarding method:
Forwarding only: FortiDNS will only forward the queries to the forwarder.
Forwarding and/or default resolution: FortiDNS will use the default forwarder first and forward the queries to the forwarder if it cannot find the answers in the cache of the default forwarder.
Disabled: FortiDNS will not use the default forwarder or forward any queries.
5 Under Name Servers, click Add another name server.
6 Enter the IP address of the forwarder for the domain name specified. Repeat if you have more forwarders to add for this domain.
7 Click OK.

Creating stub zones

Compared with conditional forwarding, a stub zone's advantage is that its information is dynamic. In the case of conditional forwarding, whenever the authoritative DNS servers for the child zone change, the conditional forwarder setting on the DNS server hosting the parent zone must be manually configured with the IP address of each new authoritative DNS server for the child zone.
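Forwarding-rule selection as the conditional forwarding section above describes it, as an added example (not FortiDNS code). It assumes that the most specific matching rule domain wins and that the Root rule is the fallback; the rules and forwarder addresses are constructed test data, and the function names are this example's own.

```python
ROOT = "Root"  # domain name of the built-in default forwarder on the Forwarding page


def _labels(name: str) -> list:
    return [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]


def rule_covers(rule_domain: str, qname: str) -> bool:
    """A rule covers a query when its domain is the query name or a parent of it; Root covers everything."""
    if rule_domain == ROOT:
        return True
    r, q = _labels(rule_domain), _labels(qname)
    return len(q) >= len(r) and q[len(q) - len(r):] == r


def select_rule(qname: str, rules: list) -> dict:
    """Most specific covering rule (most labels) wins; the Root rule applies only when nothing else covers."""
    covering = [r for r in rules if rule_covers(r["domain"], qname)]
    return max(covering, key=lambda r: 0 if r["domain"] == ROOT else len(_labels(r["domain"])))


def upstreams(qname: str, rules: list) -> list:
    """Forwarders to try, in order, for qname under the three methods the page lists.

    rules: list of dicts {"domain", "method", "servers"}; one entry must be the Root default
    (the page says it cannot be removed), and "servers" holds forwarder IP addresses.
    """
    default = next(r for r in rules if r["domain"] == ROOT)
    rule = select_rule(qname, rules)
    if rule["method"] == "Disabled":
        return []  # neither the default forwarder nor any other forwarder is used
    if rule is default or rule["method"] == "Forwarding only":
        return list(rule["servers"])
    if rule["method"] == "Forwarding and/or default resolution":
        # default forwarder (and its cache) first, then the rule's own forwarder on a miss
        return list(default["servers"]) + list(rule["servers"])
    raise ValueError(f"unknown forwarding method {rule['method']!r}")
```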

If you have multiple levels of domain hierarchy, you can use stub zones to simplify name resolution instead of having DNS servers query the root server. For example, suppose you have the following domain hierarchy:
forest - example.com
tree - tm.example.com, with ti.tm.example.com as a subdomain
tree - st.example.com, with gl.sa.example.com as a subdomain
In this scenario, if a client in ti.tm.example.com tries to access resources in gl.sa.example.com without stub zones configured, multiple DNS servers will have to be contacted in the following order: ti.tm.example.com > tm.example.com > example.com > st.example.com > gl.sa.example.com. However, if you create a stub zone in ti.tm.example.com, the stub zone will contain the list of authoritative DNS servers for the zone, and queries from ti.tm.example.com can be sent directly to gl.sa.example.com.

To create a stub zone
1 Go to DNS > DNS > Forwarding.
2 Under DNS Stub Zones, click Create New.
3 For Domain, enter the target domain name for which you want to create a stub zone. Stub domain names must contain valid reverse lookup addresses such as 5.2.1.192.in-addr.arpa or 100.10.1.1ip6.arpa.
4 Under Name Servers, click Add another name server.
5 Enter the IP address of one of the name servers on the target domain's network. Repeat if you have more name servers to add for this domain.
6 Click OK.

Configuring UDP packet size

DNS Security Extensions (DNSSEC) is a standard security protocol designed to ensure the integrity of the domain name space. It is the only method to detect if your domain name is hijacked. When sending queries using Extension Mechanisms for DNS (EDNS) such as DNSSEC, FortiDNS can reassemble packets of up to a specified length. This option is useful if a firewall or other network device is causing IP fragments to be dropped, which would result in timeouts and/or failures of resolutions involving large packets. The default packet length is 4000 bytes. The maximum is also 4000 bytes, and the minimum is 512 bytes.

To configure UDP packet size
1 Go to DNS > DNSSEC > General.
2 Select Use DNSSEC if you want to send queries using DNSSEC.
3 Enter the maximum UDP packet size in bytes.
4 Click OK.
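The two outbound-query controls this chapter describes, 0x20 query case randomization (Configuring outbound queries) and the EDNS0 UDP payload size (this section), combined in one added example that builds a query on the wire and checks that a reply echoes the exact case that was sent. It is not FortiDNS code; the function names are this example's own, and the 512 to 4000 byte bounds are those stated above.

```python
import random
import struct
MIN_UDP, MAX_UDP = 512, 4000  # bounds stated in "Configuring UDP packet size"

def randomize_case(qname: str, case_bits: int) -> str:
    """0x20 encoding: the i-th letter of the name is upper-case iff bit i of case_bits is set."""
    out, i = [], 0
    for ch in qname:
        if ch.isalpha():
            out.append(ch.upper() if (case_bits >> i) & 1 else ch.lower())
            i += 1
        else:
            out.append(ch)  # dots, digits and hyphens have no case to randomize
    return "".join(out)

def encode_name(name: str) -> bytes:
    """Wire-format name: length-prefixed labels with case preserved, then a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(qname: str, qtype: int = 1, txid: int = 0x1234,
                udp_size: int = MAX_UDP, case_bits=None):
    """Return (packet, name_as_sent): a recursive query plus an EDNS0 OPT record."""
    if not MIN_UDP <= udp_size <= MAX_UDP:
        raise ValueError(f"UDP payload size must be {MIN_UDP}..{MAX_UDP} bytes")
    if case_bits is None:  # real use: unpredictable case pattern from the OS CSPRNG
        case_bits = random.SystemRandom().getrandbits(len(qname))
    name = randomize_case(qname, case_bits)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD set, 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # QCLASS IN
    # OPT pseudo-RR (RFC 6891): root owner, TYPE 41, CLASS = UDP payload size, TTL 0, RDLENGTH 0
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, 0, 0)
    return header + question + opt, name

def _read_name(packet: bytes, pos: int):
    """Read an uncompressed name at pos; return (name with its case intact, offset after it)."""
    labels = []
    while packet[pos] != 0:
        n = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels), pos + 1

def advertised_udp_size(packet: bytes) -> int:
    """Payload size carried by the OPT record that follows the single question."""
    _, pos = _read_name(packet, 12)
    pos += 4 + 1  # skip QTYPE/QCLASS and the OPT record's root owner name
    rtype, size = struct.unpack("!HH", packet[pos:pos + 4])
    if rtype != 41:
        raise ValueError("no OPT record after the question")
    return size

def response_case_matches(sent_name: str, response: bytes) -> bool:
    """The 0x20 check: a reply whose echoed question name differs in case from the query is rejected."""
    return _read_name(response, 12)[0] == sent_name
```

A resolver applying this check simply discards replies for which response_case_matches is false, so a forged reply has to guess the case pattern as well as the transaction ID and source port.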

Entering trust anchor keys

DNSSEC validation requires that a caching server, such as FortiDNS, know the trust anchor key for the root DNS domain in order to validate signed responses. Theoretically, trust anchor keys do not change often, but they do change occasionally, and may change unexpectedly in the event the keys are compromised.

For information about how to securely obtain the root zone keys, see the ICANN publication DNSSEC Trust Anchor Publication for the Root Zone, available at http://data.iana.org/root-anchors/draft-icann-dnssec-trust-anchor.txt in either text or HTML format. The directory http://data.iana.org/root-anchors/ also contains the other data you will need to obtain the root key securely.

To enter a trust anchor key on FortiDNS
1 Go to DNS > DNSSEC > Trust Anchor Keys.
2 Click Create New.
3 For Domain, enter the root DNS domain name for which you want FortiDNS to validate signed responses. An authenticated root DNS domain allows authentication of all domains (zones) below it in the domain name hierarchy. For example, the trusted key for example.com also authenticates the zone sub.example.com.
4 In the Key field, paste the trust anchor key string of the root DNS domain that FortiDNS will use to validate signed responses.
5 Click OK.

Disabling DNSSEC for a domain

You can disable DNSSEC validation for a domain, even if the domain supports it.

To disable DNSSEC for a domain
1 Go to DNS > DNSSEC > Negative Trust Anchors.
2 Click Create New.
3 Enter the domain for which you want to disable DNSSEC.
4 Click OK.
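Before pasting a trust anchor key, a practitioner checks that the DNSKEY in hand matches the DS record obtained out of band from the root-anchors directory named above. This added example (not FortiDNS code) computes the key tag and DS digest from a DNSKEY using the standard RFC 4034 / RFC 4509 procedure and compares them with a published DS line; the key bytes and DS values used in it are constructed, not the real root key.

```python
import base64
import hashlib
import struct

# Standard DNSKEY -> DS computation (RFC 4034 Appendix B key tag, RFC 4509 SHA-256 digest).
# Function names are this example's own, not a FortiDNS API.


def wire_name(name: str) -> bytes:
    """Canonical wire-format owner name (lower-cased labels); '.' yields the root, a single zero byte."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags (257 = KSK), protocol (always 3), algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag from RFC 4034 Appendix B (valid for every algorithm except 1)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest = hash(owner wire name || DNSKEY RDATA); type 1 = SHA-1, type 2 = SHA-256."""
    algo = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return algo(wire_name(owner) + rdata).hexdigest().upper()


def ds_record(owner: str, flags: int, protocol: int, algorithm: int,
              public_key_b64: str, digest_type: int = 2) -> dict:
    """Compute the DS fields for a DNSKEY given in presentation form (base64 public key)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, base64.b64decode(public_key_b64))
    return {"owner": owner, "key_tag": key_tag(rdata), "algorithm": algorithm,
            "digest_type": digest_type, "digest": ds_digest(owner, rdata, digest_type)}


def parse_ds_line(line: str) -> dict:
    """Parse a presentation-format DS line such as '. IN DS 2063 8 2 <hex>' (hex may contain spaces)."""
    owner, _cls, rtype, tag, alg, dtype, *digest = line.split()
    if rtype != "DS":
        raise ValueError("not a DS record")
    return {"owner": owner, "key_tag": int(tag), "algorithm": int(alg),
            "digest_type": int(dtype), "digest": "".join(digest).upper()}


def matches_published_ds(computed: dict, published: dict) -> bool:
    """Accept the key only when every DS field equals the DS obtained out of band (e.g. root-anchors)."""
    fields = ("key_tag", "algorithm", "digest_type", "digest")
    return all(computed[f] == published[f] for f in fields)
```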

Logging

Logging provides a record of the events that have taken place on the FortiDNS. To access logs, go to Logging > Log Access > Logs. The Logs page has controls to help you search your logs for the information you need.

This section includes:
Search button
Log entry order
Log type reference
Exporting the log

Search button

You can enter a string to search for in the log entries. The string must appear in the Message portion of the log entry to result in a match for the search. To prevent each term in a phrase from being matched separately, multiple keywords must be in quotes and be an exact match. After the search is complete, the number of positive matches is displayed next to the Search button, with the total number of log entries in brackets following. Select the total number of log entries to return to the full list. Subsequent searches will search all log entries and not just the previous search's matches.

Log entry order

You can change the order used to display the log entries. To sort the log entries by a particular column, such as Timestamp, select the title for that column. The log entries will now be displayed based on the data in that column in ascending order. Ascending or descending order is indicated by an arrow next to the column title: an up arrow for ascending, and a down arrow for descending.

Log type reference

There are Admin Configuration, Authentication, System, and User Portal events. Each of these has multiple log message types for each major event. To see the various types of log messages, go to Logging > Log Access > Logs and select Log Type Reference. On this page, you can search for the exact text of a specific log message. The search will return any matches in any column.

Exporting the log

You can select Download Raw Log to export the FortiDNS log as a text file named fns.log.

Index

C
cache poisoning attack, 20
clock, 17
CPU usage, 17

D
default password, 6
DNS request summary, widget, 17

F
firmware version, 17
firmware updates, 7
FortiGuard, 14
FortiGuard Antivirus, 7
FortiToken, 13
  clock drift, 14
  monitoring, 14
  registering, 14
  synchronization, 14

I
installation, 6

M
memory usage, 17

O
one-time password (OTP), 13
outbound queries
  configuring, 20

P
password
  administrator, 6
product registration, 7

Q
query
  SNMP, 16

R
RFC
  1213, 14
  2665, 14

S
serial number, 17
SNMP
  community, 15
  event, 15
  manager, 15, 16
  query, 16
system information, widget, 16
system resources, widget, 17

T
technical support, 7
top clients, widget, 17
top domains, widget, 17
troubleshooting, 17
two-factor authentication
  FortiToken, 13

W
widget
  DNS request summary, 17
  system information, 16
  system resources, 17
  top clients, 17
  top domains, 17