ymasaki
Staff
Article Id 191554

Description

This article describes how to configure Dynamic DNS Updates (with server override) in the FortiGate DHCP server configuration.

 

Scope

FortiGate, DHCP, DNS


Solution

FortiOS supports RFC 2136 (Dynamic Updates in the Domain Name System (DNS UPDATE)) when acting as a DHCP server for a local subnet. This allows the FortiGate to dynamically update IPv4 A records stored on local DNS servers on behalf of the DHCP clients. Note that at this time, PTR records are not supported by FortiGate for dynamic DNS updates.

To configure this option, modify the DHCP server entry associated with the FortiGate interface and configure the following CLI-only options:

config system dhcp server
    edit <id>
        set domain <domain name>                      <--- DHCP Option 15. Not used directly for dynamic DNS updates, but provides the client with the domain name associated with this local network.
        set ddns-update <enable | disable>            <--- Disabled by default; must be enabled before the other options are displayed.
        set ddns-update-override <enable | disable>   <--- Disabled by default; see the note below**.
        set ddns-server-ip <IP Address of DNS Server>
        set ddns-zone <name of DNS zone>
    next
end

 

**Note regarding ddns-update-override:

DHCP Option 81 (Client Fully Qualified Domain Name) is covered by RFC 4702. Per the RFC, DHCP clients may specify in the Flags field of this option whether the DHCP server should or should not perform DNS Updates on their behalf. If the client sets the 'S' bit in this Flags field to 0, it indicates to the DHCP server (i.e., the FortiGate) that it should not perform DNS Updates for this client's record.

However, this behavior may be overridden by enabling ddns-update-override in the DHCP server configuration, in which case the FortiGate ignores the client's request and registers the record with the DNS server anyway. This is useful where records must be consistently registered, and where DNS Updates are restricted to trusted sources such as the FortiGate. For more information on this topic, refer to the following KB article: Technical Tip: Troubleshooting DDNS Update Override where FortiGate is a DHCP server
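The following script, added here as an illustration and not part of the article or of FortiOS, decodes DHCP Option 81 and models the registration decision described above: with ddns-update enabled, an S=1 request is honoured, and an S=0 request is honoured unless ddns-update-override is enabled. The option bytes are constructed, and the function names and policy model are assumptions of this example rather than FortiGate internals.

```python
"""DHCP Option 81 (Client FQDN, RFC 4702) decoder plus the A-record registration
decision a DHCP server makes from the S bit, modelled on the FortiGate
ddns-update / ddns-update-override settings described in the article.

Added example, not FortiGate code. Option bytes are constructed; the function
names and the policy model are assumptions of this example."""
import struct

# Flag bits in the first byte of option 81 (RFC 4702, section 2.1)
FLAG_S = 0x01  # client asks the server to perform the A record update
FLAG_O = 0x02  # server overrode the client's S bit (set by the server in replies)
FLAG_E = 0x04  # domain name is in DNS wire (canonical) format, not ASCII
FLAG_N = 0x08  # client asks the server to perform no DNS updates at all


def encode_wire_name(fqdn: str) -> bytes:
    """Encode 'a.b.c' as length-prefixed labels ending in a zero byte."""
    labels = fqdn.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_wire_name(data: bytes) -> str:
    labels, pos = [], 0
    while pos < len(data) and data[pos] != 0:
        length = data[pos]
        labels.append(data[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)


def build_client_option81(request_update: bool, fqdn: str, wire_format: bool = True) -> bytes:
    """Option data as a client would send it (option code and length bytes omitted)."""
    flags = (FLAG_S if request_update else 0) | (FLAG_E if wire_format else 0)
    name = encode_wire_name(fqdn) if wire_format else fqdn.encode("ascii")
    # RCODE1 and RCODE2 are deprecated and always 0 when sent by a client
    return struct.pack("!BBB", flags, 0, 0) + name


def parse_option81(option: bytes) -> dict:
    if len(option) < 3:
        raise ValueError("option 81 needs at least flags, rcode1 and rcode2")
    flags, _rcode1, _rcode2 = struct.unpack("!BBB", option[:3])
    name = option[3:]
    fqdn = decode_wire_name(name) if flags & FLAG_E else name.decode("ascii")
    return {"S": bool(flags & FLAG_S), "O": bool(flags & FLAG_O),
            "E": bool(flags & FLAG_E), "N": bool(flags & FLAG_N), "fqdn": fqdn}


def server_should_register(client: dict, ddns_update: bool, ddns_update_override: bool) -> bool:
    """Should the DHCP server add the client's A record?

    ddns-update disabled: never. S=1: yes. S=0: only when ddns-update-override
    is enabled, in which case the client's preference is overridden."""
    if not ddns_update:
        return False
    if client["S"]:
        return True
    return ddns_update_override


def server_reply_flags(client: dict, will_register: bool) -> int:
    """Flags byte the server echoes in its own option 81 (RFC 4702, section 3.3):
    S reflects what the server will do, O signals an overridden S=0 request."""
    flags = FLAG_E if client["E"] else 0
    if will_register:
        flags |= FLAG_S
        if not client["S"]:
            flags |= FLAG_O
    return flags


if __name__ == "__main__":
    # Constructed: a client that asks the server NOT to update DNS for it (S=0)
    client = parse_option81(build_client_option81(False, "skywalker-kvm57.fortitest.com"))
    for override in (False, True):
        decision = server_should_register(client, True, override)
        print(f"ddns-update-override={override}: register={decision}, "
              f"reply flags=0x{server_reply_flags(client, decision):02x}")
```

Running the script shows the two outcomes side by side: with the override disabled the S=0 request is honoured and nothing is registered; with it enabled the record is registered and the reply carries the O bit so the client can see its preference was overridden.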

 

Example Scenario:

Consider the following example scenario for Dynamic DNS Updates using Windows DNS Server:

  • The FortiGate's local network address is 10.165.0.83, and it is configured as the DHCP server for this network segment. The following DDNS settings have been applied under the DHCP server settings:

 

config system dhcp server
    edit 1
        set domain fortitest.com
        set ddns-update enable
        set ddns-update-override enable
        set ddns-server-ip 10.165.0.84
        set ddns-zone fortitest.com
    next
end

 

  • The Windows Server has address 10.165.0.84 and is the local DNS server holding records for the fortitest.com DNS zone.
  • The Client Laptop is connected to the same network segment as the FortiGate. It previously had the address 10.165.0.57 (which is currently registered in DNS) and will receive new address 10.165.0.3 from the FortiGate via DHCP.

 

Note:

For guidance on configuring BIND DNS servers with FortiGate dynamic DNS updates and TSIG authentication, refer to the following KB article instead: Technical Tip: DHCP server with Dynamic update with TSIG authentication

 

[Image: Dynamic_DNS_Example.png]

In the following screenshot, the old record for the client machine can be seen on the Windows DNS server (Skywalker-kvm57 - 10.165.0.57):

When the Client Laptop joins the network, it requests a DHCP lease from the FortiGate. After the lease is assigned, the FortiGate issues a dynamic DNS update towards the Windows DNS server to add an A record for Skywalker-kvm57 (10.165.0.3) to the fortitest.com DNS zone. The Windows DNS server issues a response indicating that the DNS update was accepted, and the same result can be observed on the Windows DNS server itself:
Important notes:

For Windows DNS servers, this configuration requires setting the zone's Dynamic updates option to Nonsecure and secure. The reason is that the FortiGate supports only unauthenticated or TSIG-authenticated DNS updates, whereas Windows Server accepts only unauthenticated (Nonsecure) or GSS-TSIG-authenticated (Secure) updates.

In Windows DNS Manager, right-click the DNS zone that will allow dynamic updates and select Properties:

[Image: DNS.png]

Change the option under General -> Dynamic updates to Nonsecure and secure, then select OK or Apply to commit the change. This allows the FortiGate to issue updates to the Windows DNS Server.

[Image: image.png]
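To make the exchange in the scenario concrete, the following standard-library script, added here and not taken from the article or from FortiOS, builds the RFC 2136 UPDATE message a DHCP server sends to add the A record for Skywalker-kvm57 (10.165.0.3) in the fortitest.com zone, and decodes the RCODE of the DNS server's reply. An unsigned update like this is exactly what a Windows zone set to "Secure only" rejects with REFUSED, which is why the Nonsecure and secure setting above is needed. The message ID, TTL, sample reply bytes and function names are constructed for this example.

```python
"""Build an RFC 2136 DNS UPDATE that adds one A record and decode the reply RCODE.

Added example using only the Python standard library; not FortiGate's
implementation. Zone, host and address come from the article's scenario;
message ID, TTL, the sample replies and all function names are constructed."""
import socket
import struct

OPCODE_UPDATE = 5           # RFC 2136 opcode value
TYPE_A, TYPE_SOA = 1, 6
CLASS_IN = 1
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP",
          5: "REFUSED", 6: "YXDOMAIN", 7: "YXRRSET", 8: "NXRRSET",
          9: "NOTAUTH", 10: "NOTZONE"}


def encode_name(fqdn: str) -> bytes:
    """Length-prefixed labels terminated by a zero byte (no name compression)."""
    labels = fqdn.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_a_record_update(zone: str, fqdn: str, ipv4: str,
                          ttl: int = 3600, msg_id: int = 0x1234) -> bytes:
    """Unsigned UPDATE: zone section names the zone (type SOA), update section
    carries one A RR to add; no prerequisites, no additional records."""
    # Header: ID, flags (QR=0, OPCODE=5, all other bits 0), ZOCOUNT, PRCOUNT, UPCOUNT, ADCOUNT
    header = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11, 1, 0, 1, 0)
    zone_section = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    # "Add to an RRset" (RFC 2136, 2.5.1): class IN, real TTL, RDLENGTH, RDATA
    rdata = socket.inet_aton(ipv4)
    update_section = (encode_name(fqdn)
                      + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, len(rdata))
                      + rdata)
    return header + zone_section + update_section


def parse_update_reply(reply: bytes) -> dict:
    """Decode the 12-byte header of the server's response. RCODE says whether
    the update was accepted (NOERROR) or rejected (REFUSED is what a zone that
    only allows secure updates returns for an unsigned request)."""
    if len(reply) < 12:
        raise ValueError("reply shorter than a DNS header")
    msg_id, flags = struct.unpack("!HH", reply[:4])
    rcode = flags & 0x000F
    return {"id": msg_id, "is_response": bool(flags & 0x8000),
            "opcode": (flags >> 11) & 0xF, "rcode": rcode,
            "rcode_name": RCODES.get(rcode, str(rcode))}


def send_update(server_ip: str, message: bytes, timeout: float = 3.0) -> dict:
    """Send the UPDATE over UDP/53 and decode the reply; not called at import time."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(message, (server_ip, 53))
        data, _ = sock.recvfrom(512)
    return parse_update_reply(data)


# Constructed replies so the decoder can be exercised offline:
# same ID, QR=1, OPCODE=5, RCODE 0 (accepted) and RCODE 5 (refused)
REPLY_ACCEPTED = struct.pack("!HHHHHH", 0x1234, 0x8000 | (OPCODE_UPDATE << 11), 1, 0, 1, 0)
REPLY_REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8000 | (OPCODE_UPDATE << 11) | 5, 1, 0, 1, 0)


if __name__ == "__main__":
    msg = build_a_record_update("fortitest.com", "skywalker-kvm57.fortitest.com", "10.165.0.3")
    print(f"UPDATE message ({len(msg)} bytes): {msg.hex()}")
    for label, reply in (("accepted", REPLY_ACCEPTED), ("refused", REPLY_REFUSED)):
        print(label, parse_update_reply(reply))
```

Comparing the bytes printed here with a packet capture of the FortiGate's update on UDP/53 is a quick way to confirm the zone name and record the FortiGate is actually sending; an RCODE of REFUSED in the reply points at the zone's Dynamic updates setting before anything else.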