How do I secure the DNS Layer?

By Victoria Martin | March 02, 2014

Now that we've had a look at layered security, it's time to talk about each layer individually to figure out the steps you should take to secure your network. First and foremost is the DNS layer, the first "wall" of security that protects your network from attacks.


DNS 101

Domain Name System (DNS) works like a phonebook: it helps your computer find websites by translating a domain name into the website's IP address. For example, Fortinet's domain name is translated to the IP address of its web server, which lets your computer find the Fortinet site.

The primary role of a DNS server is to keep records that map domain names to IP addresses, so that requests can be directed to the correct destination.

DNS Threats

There are three types of attacks that involve DNS servers:

  • Hijacking occurs when malware changes your network's DNS settings to point to a rogue DNS server that is under the control of the attacker.

  • Cache poisoning (also called cache pollution) involves a DNS server's records being changed to link a legitimate domain name to a malicious IP address.

  • Spoofing involves a DNS request being intercepted by an attacker whose response appears to have come from the proper DNS server.

In all of the above attacks, you could be sent to a clone of a legitimate website - perhaps your online banking site - and have your credentials stolen when you try to log in as usual, or have malware downloaded onto your computer without your knowledge.

Choosing your DNS Server

The first decision you need to make when choosing a DNS server is whether you should use an external server (and depend on someone else to protect your DNS layer) or manage your own server.

Using an External Server


If your network uses your FortiGate's DHCP server to get IP addresses, then your FortiGate's DNS settings are also used for the entire network. This allows changes to the settings to be made quickly and easily, and means that if your FortiGate is using a secure DNS server, your entire network will be too.

By default, your FortiGate uses the FortiGuard DNS servers. This setup is sufficient for many situations; however, there are reasons to use other servers, such as security requirements or performance issues (several free diagnostic tools are available that let you compare DNS server response times).

If you've decided to change from the default to a specific DNS server, here is a quick checklist to help you find one that is secure (and remember, you're going to need two of them in order to have a primary server and a backup server):


How to Change Your Server

Once you've chosen two secure servers to use, changing the servers on your FortiGate is simple. All you need is administrative access and the IP addresses of your servers.

To change your DNS servers, do the following:

  1. Log into your FortiGate.
  2. Go to System > Network > DNS.
  3. Select Specify.
  4. Set the IPs for your primary and secondary DNS servers.
  5. (Optional) If you have a local Microsoft domain on your network, enter its name for the Local Domain Name.
  6. Select Apply.


Now you're all set to use the new servers.
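The same change made from the FortiGate CLI, as an added example that is not part of the original post. It assumes a FortiOS 5.x-era CLI, the documentation-range placeholder addresses 192.0.2.53 and 192.0.2.54 for the two chosen resolvers, and an existing DHCP server entry with ID 1:

```fortios
# Point the FortiGate itself at the two chosen resolvers.
# 192.0.2.53 and 192.0.2.54 are placeholders; substitute the servers you chose.
config system dns
    set primary 192.0.2.53
    set secondary 192.0.2.54
    set domain "corp.example"
end
# "set domain" is the optional Local Domain Name from step 5 (placeholder value).

# Make sure DHCP clients are handed the FortiGate's own DNS settings.
# "default" advertises the system DNS servers configured above;
# "specify" would advertise a different set, which is worth auditing.
config system dhcp server
    edit 1
        set dns-service default
    next
end

# Verify what is now configured before relying on it.
show system dns
show system dhcp server
```

Checking `show system dhcp server` after the change is the quick way to confirm that no DHCP scope is still advertising an unexpected resolver, which is the setting a hijacking attack targets.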

Using Your Own Server

Setting up an internal DNS server can be lengthy and complicated, so it should only be attempted by someone with a solid understanding of how DNS works.

If you wish to manage your own DNS server, you can buy a unit made specifically for that purpose, such as a FortiDNS; devote one or more computers to the task; or set up your FortiGate unit to function as a DNS server. For more information about this FortiGate configuration, check out this page from the FortiOS Handbook.

DNS for a Web Server

If your network includes web servers or any other devices that must accept incoming traffic from the Internet and are reached by URL, you will have some additional DNS concerns. The authoritative DNS records (the master list) for your site can be hosted either on a third-party server or on your own server.

For both types of server, the security checklist from above can be used. If you are running your own server, be sure to locate it in a DMZ, so that the incoming traffic stays segregated from your internal network. Also remember that domain registrars require at least two DNS servers, which should ideally be on two separate networks.

Information & Tools

For more information about DNS, or to find some DNS tools, check out the following websites:
