Created on
06-09-2015
02:16 PM
Edited on
01-09-2025
06:16 AM
By
Stephen_G
Description
This article describes how to configure a FortiGate as a Primary for a DNS zone and a Secondary FortiGate to the same DNS zone.
Both FortiGates are not in HA.
In this example:
FortiGate1 (Primary for test_domain.local) - IP 10.191.35.48.
FortiGate2 (Secondary for test_domain.local) - IP 10.191.36.213.
Solution
On FortiGate1 (Primary):
Go to System-> Feature Visibility -> Additional Features, and turn on DNS Database (select 'Apply').
Go to Network -> DNS Servers and create a new DNS Database.
Type: master
DNS Zone: Zone_1
Domain Name: test_domain.local
Hostname of Primary Master: Primary
Note:
If the authoritative is 'ENABLED', FortiGate does not send the DNS request for 'test_domain.local to the DNS forwarders or System DNS servers.
If dns-databse is configured with domain 'test_domain.local' and this FQDN is not resolvable from FortiGate or by the user's device, make sure that the authoritative is 'DISABLED'.
Create the desired DNS entries. Ensure that you have both an A record and an NS record for both the primary and secondary FortiGates:
Example A record:
Type: Address (A)
Hostname: abc
IP Address: 192.168.0.10
Configure the DNS Service on the VPN tunnel interface.
Go to System -> Network -> DNS Servers and create a new DNS Service on Interface.
Select the VPN tunnel interface (on the Primary unit) which is connected with a Secondary FortiGate for the zone transfers.
Configure the IP address for the VPN tunnel interface on the primary FortiGate:
Source IP - 10.10.10.1/32
RemoteIP - 10.10.10.2/32
Run the following commands in the CLI to allow the zone transfer to the secondary FortiGate (replace the IP address with the address of the secondary FortiGate):
config system dns-database
edit vSphere
set source-ip 10.10.10.1
set allow-transfer 10.10.10.2
end
FortiGate2 (Secondary):
Go to System-> Feature Visibility -> Additional Features, and turn on DNS Database (select Apply).
Go to Network -> DNS Servers and create a new DNS Database.
Type: Secondary
DNS Zone: Zone_2
Domain Name: vsphere.local
IP of Primary: 10.10.10.1
On both/either unit(s), if the FortiGate is being used as the DNS server for local hosts, ensure the interface that is being referenced as the DNS server has the DNS service set.
Example:
If users attached to the internal interfaces want to use the FortiGate as their DNS server, ensure that the users are pointing to an IP address of the local FortiGate (in this case we can use FortiGate's internal IP address). On the FortiGate, ensure that the DNS service is also created for the interface that the users will be referencing:
Go to Network -> DNS Servers and create a new DNS Service.
Interface: To_FGT1
Mode: Recursive
Configure the IP address for the VPN tunnel interface on the Secondary FortiGate:
Source IP - 10.10.10.2/32
RemoteIP - 10.10.10.1/32
Run the following CLI commands on the secondary FortiGate:
config system dns-database
edit vSphere
set source-ip 10.10.10.2
set ip-primary 10.10.10.1
end
In the CLI run the following command on both units to see the database:
diagnose test application dnsproxy 8
Sample output from the primary FortiGate:
FWF60D# diagnose test application dnsproxy 8
orker idx: 0
vfid=0 name=Zone_1 domain=vsphere.local ttl=86400 authoritative=1 view=shadow type=primary serial=319246610 refresh=0
A: aaa.vsphere.local-->192.168.0.17(86400)
A: abc.vsphere.local-->192.168.0.10(86400)
A: bbc.vsphere.local-->192.168.0.14(86400)
A: cba.vsphere.local-->192.168.0.12(86400)
SOA: vsphere.local (primary: Primary.vsphere.local, contact: host@vsphere.local, serial: 319246610)(86400)
A: bcd.vsphere.local-->192.168.0.13(86400)
A: ccc.vsphere.local-->192.168.0.16(86400)
A: acb.vsphere.local-->192.168.0.11(86400)
Sample output from the secondary FortiGate:
FGT90D# diagnose test application dnsproxy 8
worker idx: 0
vfid=0 name=Zone_2 domain=vsphere.local ttl=86400 authoritative=1 view=shadow type=secondary serial=166236703 refresh=7200
A: acb.vsphere.local-->192.168.0.11(86400)
A: cba.vsphere.local-->192.168.0.12(86400)
A: bbc.vsphere.local-->192.168.0.14(86400)
SOA: vsphere.local (primary: Primary.vsphere.local, contact: host@vsphere.local, serial: 166236703)(86400)
A: abc.vsphere.local-->192.168.0.10(86400)
A: ccc.vsphere.local-->192.168.0.16(86400)
A: aaa.vsphere.local-->192.168.0.17(86400)
A: bcd.vsphere.local-->192.168.0.13(86400)
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2025 Fortinet, Inc. All Rights Reserved.