Description

This article describes how to configure a FortiGate as a Primary for a DNS zone and a Secondary FortiGate to the same DNS zone.

Both FortiGates are not in HA.

In this example:
FortiGate1 (Primary for test_domain.local) - IP 10.191.35.48.
FortiGate2 (Secondary for test_domain.local)   - IP 10.191.36.213.

Solution

On FortiGate1 (Primary):

Go to System-> Feature Visibility -> Additional Features, and turn on DNS Database (select 'Apply').

Go to Network -> DNS Servers and create a new DNS Database.

Type: master
DNS Zone: Zone_1
Domain Name: test_domain.local
Hostname of Primary Master: Primary

Type: Address (A)
Hostname: abc
IP Address: 192.168.0.10

Configure the DNS Service on the VPN tunnel interface.

Go to System -> Network -> DNS Servers and create a new DNS Service on Interface.

Select the VPN tunnel interface (on the Primary unit) which is connected with a Secondary FortiGate for the zone transfers.

Configure the IP address for the VPN tunnel interface on the primary FortiGate:

Source IP - 10.10.10.1/32

RemoteIP - 10.10.10.2/32

Run the following commands in the CLI to allow the zone transfer to the secondary FortiGate (replace the IP address with the address of the secondary FortiGate):

config system dns-database

    edit vSphere

        set source-ip 10.10.10.1

        set allow-transfer 10.10.10.2
end

FortiGate2 (Secondary):

Go to System-> Feature Visibility -> Additional Features, and turn on DNS Database (select Apply).
Go to Network -> DNS Servers and create a new DNS Database.

Type: Secondary
DNS Zone: Zone_2
Domain Name: vsphere.local
IP of Primary: 10.10.10.1

On both/either unit(s), if the FortiGate is being used as the DNS server for local hosts, ensure the interface that is being referenced as the DNS server has the DNS service set.

Example:
If users attached to the internal interfaces want to use the FortiGate as their DNS server, ensure that the users are pointing to an IP address of the local FortiGate (in this case we can use FortiGate's internal IP address). On the FortiGate, ensure that the DNS service is also created for the interface that the users will be referencing:

Go to Network -> DNS Servers and create a new DNS Service.

Interface: To_FGT1
Mode: Recursive

Configure the IP address for the VPN tunnel interface on the Secondary FortiGate:

Source IP - 10.10.10.2/32

RemoteIP - 10.10.10.1/32

Run the following CLI commands on the secondary FortiGate:

config system dns-database
    edit vSphere

        set source-ip 10.10.10.2

        set ip-primary 10.10.10.1
end

In the CLI run the following command on both units to see the database:

diagnose test application dnsproxy 8

Sample output from the primary FortiGate:

FWF60D# diagnose test application dnsproxy 8

orker idx: 0

vfid=0 name=Zone_1 domain=vsphere.local ttl=86400 authoritative=1 view=shadow type=primary serial=319246610 refresh=0
A: aaa.vsphere.local-->192.168.0.17(86400)
A: abc.vsphere.local-->192.168.0.10(86400)
A: bbc.vsphere.local-->192.168.0.14(86400)
A: cba.vsphere.local-->192.168.0.12(86400)
SOA: vsphere.local (primary: Primary.vsphere.local, contact: host@vsphere.local, serial: 319246610)(86400)
A: bcd.vsphere.local-->192.168.0.13(86400)
A: ccc.vsphere.local-->192.168.0.16(86400)
A: acb.vsphere.local-->192.168.0.11(86400)

Sample output from the secondary FortiGate:

FGT90D# diagnose test application dnsproxy 8

worker idx: 0

vfid=0 name=Zone_2 domain=vsphere.local ttl=86400 authoritative=1 view=shadow type=secondary serial=166236703 refresh=7200
A: acb.vsphere.local-->192.168.0.11(86400)
A: cba.vsphere.local-->192.168.0.12(86400)
A: bbc.vsphere.local-->192.168.0.14(86400)
SOA: vsphere.local (primary: Primary.vsphere.local, contact: host@vsphere.local, serial: 166236703)(86400)
A: abc.vsphere.local-->192.168.0.10(86400)
A: ccc.vsphere.local-->192.168.0.16(86400)
A: aaa.vsphere.local-->192.168.0.17(86400)
A: bcd.vsphere.local-->192.168.0.13(86400)