Technical Tip: Configure and allow DNS name resolution to implement DHCP services
Description
This article describes how to configure and allow DNS name resolution to implement DHCP services.
Solution
By design, FortiGate is configured to communicate with FortiGuard NTP servers to provide time synchronization services for DHCP clients.
FortiGate attempts to resolve the following FortiGuard hostnames before allocating an IP address or binding a lease for DHCP clients.
ntp1.fortiguard.com/ntp1.fortinet.net
ntp2.fortiguard.com/ntp2.fortinet.net
DHCP clients do not receive an IP address, and/or an IP binding is not added to the DHCP lease list, when name resolution for these NTP servers is not successful.
Default NTP Configuration on FortiGate:
# config system ntp
set ntpsync enable
set type fortiguard <-----
set syncinterval 60
set source-ip 0.0.0.0
set source-ip6 ::
set server-mode disable
end
The following log messages are reported by FortiGate when DHCP debugging is enabled in the CLI.
# diagnose debug application dhcps -1
# diagnose debug enable
[note]DHCPDISCOVER from xx:xx:xx:xx:xx:xx via internal (ethernet)
[debug]Looking up the hostname, ntp1.fortiguard.com.
[warn]Failed to look up the hostname, ntp1.fortiguard.com.
[debug]Looking up the hostname, ntp2.fortiguard.com.
[warn]Failed to look up the hostname, ntp2.fortiguard.com.
Ensure FortiGate can reach its DNS servers and that the hostnames are resolved successfully without any errors.
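When the debug output is saved from a console session, the pattern above can be picked out automatically. The following Python script is an added example, not Fortinet code: it assumes the three line formats shown in this article, the function name ntp_lookup_failures is hypothetical, and the sample input is constructed with placeholder MAC addresses.

```python
import re

# Line formats copied from the dhcps debug output shown in this article.
DISCOVER = re.compile(r"\[note\]DHCPDISCOVER from (\S+) via (\S+)")
LOOKUP = re.compile(r"\[debug\]Looking up the hostname, (\S+?)\.?$")
FAILED = re.compile(r"\[warn\]Failed to look up the hostname, (\S+?)\.?$")

def ntp_lookup_failures(debug_text):
    """Group hostname lookups under the DHCPDISCOVER that preceded them."""
    events, current = [], None
    for raw in debug_text.splitlines():
        line = raw.strip()
        m = DISCOVER.search(line)
        if m:
            current = {"mac": m.group(1), "interface": m.group(2),
                       "attempted": [], "failed": []}
            events.append(current)
            continue
        if current is None:
            continue  # lookups with no preceding DISCOVER are ignored
        m = LOOKUP.search(line)
        if m:
            current["attempted"].append(m.group(1))
            continue
        m = FAILED.search(line)
        if m:
            current["failed"].append(m.group(1))
    for ev in events:
        # True when every hostname that was tried failed to resolve.
        ev["all_failed"] = bool(ev["attempted"]) and \
            set(ev["attempted"]) <= set(ev["failed"])
    return events

# Constructed sample: the MAC addresses are placeholders, not capture data.
SAMPLE = """\
[note]DHCPDISCOVER from 00:00:5e:00:53:01 via internal (ethernet)
[debug]Looking up the hostname, ntp1.fortiguard.com.
[warn]Failed to look up the hostname, ntp1.fortiguard.com.
[debug]Looking up the hostname, ntp2.fortiguard.com.
[warn]Failed to look up the hostname, ntp2.fortiguard.com.
[note]DHCPDISCOVER from 00:00:5e:00:53:02 via internal (ethernet)
[debug]Looking up the hostname, ntp1.fortiguard.com.
"""

if __name__ == "__main__":
    for ev in ntp_lookup_failures(SAMPLE):
        state = "NTP names unresolved" if ev["all_failed"] else "ok"
        print(ev["mac"], ev["interface"], state, ev["failed"])
```

A client whose entry has all_failed set is one whose DISCOVER was followed only by failed NTP hostname lookups, which points at DNS reachability from the FortiGate rather than at the DHCP scope.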
To configure a custom/internal NTP server:
# config system ntp
set type custom
set ntpsync enable
# config ntpserver
edit 1
set server <ntp-server-ip>
next
edit 2
set server <other-ntp-server-ip>
next
end
end