wseaton
New Member
March 7, 2020
Solved

Does Forti actually update DNS from DHCP?

  • 3 replies
  • 32285 views

According to this thread

https://www.wmlcloud.com/internet-protocols/problem-can-fortigate-automatically-update-dns-records/

...it doesn't, and that explains the problems I'm having. I have a thread below in which I complain about devices not being able to resolve via hostname with a FortiGate 200D handling DHCP and DNS. We were blaming it initially on the devices, but since this is the same behavior as in the thread linked above... well... I downloaded a freeware DHCP / DNS server and had no problems resolving local DNS hostnames via DHCP. So, the problem isn't the devices.

I would appreciate some confirmation on this, because if our 200D doesn't support basic DHCP / DNS functionality like this then we will be looking for an alternate product. Note our 200D is still on 5.4.1... possible this issue has been patched?

Best answer by ede_pfau

3 replies

ede_pfau
SuperUser (Answer)
March 7, 2020

Two scenarios:

1- DNS server on the FortiGate

2- DNS server on a Windows server in the LAN

and

DHCP server on the FortiGate

Neither in scenario 1 nor in 2 will the FGT DHCP server update any DNS record. It could, at least in scenario 1, as it records the Windows client's hostname (see Device inventory, up to FOS v6.2), but alas... it doesn't. Dynamic DNS update is a feature just not included in FortiOS.

Whether this is crucial for an enterprise firewall is up to you.
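The symptom behind this thread (DHCP hands out a lease, but the hostname never appears in DNS, or DNS keeps an old address) can be checked from a workstation. The script below is an added example, not code from the thread or from Fortinet: it parses a constructed lease table in an assumed "ip mac hostname" layout (not the FortiGate's own lease-list format), resolves each hostname under an assumed domain, and reports hosts that are missing from DNS or whose record is stale.

```python
import socket

# Constructed sample lease table in an assumed "ip mac hostname" layout
# (not the FortiGate's own lease-list output format).
SAMPLE_LEASES = """\
192.168.10.21 00:11:22:33:44:55 laptop-01
192.168.10.22 00:11:22:33:44:66 printer-02
192.168.10.23 00:11:22:33:44:77 phone-03
"""

def parse_leases(text):
    """Return {hostname: leased_ip}, skipping blank or malformed lines."""
    leases = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3:
            leases[parts[2]] = parts[0]
    return leases

def check_leases(leases, domain, resolve=socket.gethostbyname):
    """Compare each lease against DNS and return {hostname: status}.

    'ok'         forward record matches the leased address
    'missing'    FQDN does not resolve at all (no DDNS registration happened)
    'stale:<ip>' DNS still holds an address other than the current lease
    """
    report = {}
    for hostname, ip in leases.items():
        fqdn = f"{hostname}.{domain}"
        try:
            answer = resolve(fqdn)
        except socket.gaierror:
            report[hostname] = "missing"
            continue
        report[hostname] = "ok" if answer == ip else f"stale:{answer}"
    return report

# Constructed DNS contents for an offline run; a real run omits the resolve
# argument so socket.gethostbyname queries the site's configured resolver.
FAKE_DNS = {"laptop-01.example.lan": "192.168.10.21",
            "printer-02.example.lan": "192.168.10.99"}

def fake_resolve(fqdn):
    if fqdn not in FAKE_DNS:
        raise socket.gaierror(f"no record for {fqdn}")
    return FAKE_DNS[fqdn]

if __name__ == "__main__":
    for host, status in check_leases(parse_leases(SAMPLE_LEASES), "example.lan", fake_resolve).items():
        print(host, status)
```

A "stale" result is worth chasing separately from "missing": a record that still points at an address now leased to another device misdirects traffic until it is scavenged or corrected.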

wseaton (Author)
New Member
March 7, 2020

I appreciate the quick response.

I know where we are going with the "Enterprise Feature" argument, but it's a circular debate. I can make the same point about DHCP on an Enterprise Firewall :)

Again, I appreciate the quick response.

jpcastilloux
New Member
March 2, 2021

Hi!

Did you find out how to make it work?

I know the CLI commands to configure DDNS to update the DNS records of DHCP clients are:

config system dhcp server
    edit x
        set ddns-update enable
        set ddns-update-override enable
        set ddns-server-ip YourDNSServerIP
        set ddns-zone YourDNSDomainZone
    next
end

But as our DNS server is set to Secure only for dynamic updates, I don't know where to configure the credentials needed for dynamic updates on the Fortigate.

bamather
New Member
March 4, 2021

I am also having the same issues. I would like to use DHCP on the gates, but use DNS on my Windows 2016 server. Surely some people are doing this, right? I found this article and it sounds exactly like what I want. However, I can't get it to work.

https://kb.fortinet.com/kb/documentLink.do?externalID=FD47513

This one only works for Windows devices. Other devices not using Windows will not register to DNS.

https://www.infosecmonkey.com/2019/05/22/fortigate-dhcp-and-microsoft-dynamic-dns/

Surely someone has a solution for this.

vmc
New Member
April 2, 2021

Hey Guys,

FortiGate supports TSIG so you should be able to update Microsoft DNS servers with Secure Only.

Generate a keytab file for the user with creds for DNS dynamic update.

Windows:

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/ktpass

Fortigate:

config system dhcp server
    edit x
        set ddns-auth tsig
        set ddns-keyname
        set ddns-key
end

I haven't tested it myself as I didn't have this requirement.

My issue is that I would like to have the FortiGate DHCP dynamically update the relevant local DNS zone in the FortiGate, as I'm cloud native and have no servers on prem.

Didn't find a solution yet to my problem.

V.

ondrugs
New Member
September 21, 2023

I believe I may have an answer (maybe not the answer) to this.

https://docs.fortinet.com/document/fortigate/7.0.5/administration-guide/783526/dhcp-server

and read "Configure a DHCP server and relay on an interface".

We set up the WindoZe server and the Fortigate with the same DHCP config. The Fortigate sends its lease info on to the WindoZe server, which updates its lease table and DNS.

I'm still testing this, but it appears to be working.