Article Id 191554


This article describes how to configure the DDNS update override option in the FortiGate DHCP server.


With the DDNS update override option enabled in its DHCP server, FortiGate can update a record on a local DNS server that has dynamic updates enabled.

Dynamic update for PTR records is not supported with this option.


config system dhcp server
    edit 0
        set ddns-update enable
        set ddns-update_override enable
        set ddns-server-ip # ddns_server_ip
        set domain # ddns_zone (only if running FOS 6.4+)
        set ddns-zone # ddns_zone
    next
end


In this example, FortiGate has as a DHCP server.
Windows 2016 server has as a DDNS server.
A test client machine has and will be updated with a DDNS update from the DHCP server.

Here is a record for the client machine ( in the Windows 2016 DNS server before the DDNS update was received.
When a DDNS update is accepted (in Wireshark), a record for the client is updated properly:

Important notes:
This implementation requires the DNS zone to accept dynamic updates from nonsecure sources. In DNS Manager, right-click the zone that should accept dynamic updates and select Properties:


Change the option for Dynamic Updates to 'Nonsecure and secure'.


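The reason is that Microsoft DNS Server does not support the TSIG authentication protocol; it supports only the GSS-TSIG protocol. The updates sent by the FortiGate DHCP server are therefore unauthenticated from the DNS server's point of view, and with 'Nonsecure and secure' selected the zone accepts such updates from any host that can reach the DNS server.
If the DNS server is not a Microsoft server but a BIND DNS server, refer to the following article to configure DDNS update with an authentication protocol: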
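
To check in a packet capture whether the DDNS updates reaching the DNS server are unsigned or TSIG-signed, the DNS payload can be inspected as below. This is an added example, not part of the original article or Fortinet code; the function names, the zone example.test, the host client1.example.test, the address 192.0.2.10 and the key name ddns-key are constructed for illustration.

```python
import struct

OPCODE_UPDATE, TYPE_A, TYPE_SOA, TYPE_TSIG = 5, 1, 6, 250  # RFC 2136, RFC 8945

def encode_name(name):  # uncompressed DNS label encoding
    return b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"

def read_name(msg, off):
    """Return (name, offset after the name), following compression pointers."""
    labels, after, hops = [], None, 0
    while msg[off]:
        if msg[off] & 0xC0 == 0xC0:            # compression pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            after = off + 2 if after is None else after
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
        else:
            labels.append(msg[off + 1:off + 1 + msg[off]].decode("ascii"))
            off += 1 + msg[off]
    return ".".join(labels), after if after is not None else off + 1

def inspect_update(msg):
    """Report whether msg is a DNS UPDATE, its zone, and whether it ends in a TSIG RR."""
    _, flags, zocount, prcount, upcount, adcount = struct.unpack_from("!6H", msg)
    if (flags >> 11) & 0xF != OPCODE_UPDATE:
        return {"update": False}
    off, zone, last_type = 12, None, None
    for _ in range(zocount):                   # zone section: name, ZTYPE, ZCLASS
        zone, off = read_name(msg, off)
        off += 4
    for _ in range(prcount + upcount + adcount):
        _, off = read_name(msg, off)
        last_type, _, _, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
    return {"update": True, "zone": zone, "signed": adcount > 0 and last_type == TYPE_TSIG}

def rr(name, rtype, rclass, ttl, rdata):
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata

def sample_update(signed):
    """Constructed sample: add an A record, optionally followed by a dummy TSIG RR."""
    msg = struct.pack("!6H", 0x1234, OPCODE_UPDATE << 11, 1, 0, 1, int(signed))
    msg += encode_name("example.test") + struct.pack("!HH", TYPE_SOA, 1)
    msg += rr("client1.example.test", TYPE_A, 1, 300, bytes([192, 0, 2, 10]))
    if signed:  # TSIG rdata layout per RFC 8945; the all-zero MAC is a placeholder
        rdata = (encode_name("hmac-sha256") + bytes(6) + struct.pack("!HH", 300, 32)
                 + bytes(32) + struct.pack("!HHH", 0x1234, 0, 0))
        msg += rr("ddns-key", TYPE_TSIG, 255, 0, rdata)
    return msg
```

An update that reports "signed": False is the kind a zone set to 'Nonsecure and secure' accepts without authentication; the check only detects the presence of a TSIG record and does not verify its MAC.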