Technical Tip: Configuring FortiGates as DNS servers in Master/Slave relationship

Description

This article describes how to configure a FortiGate as a Primary for a DNS zone and a Secondary FortiGate as a slave to the same DNS zone.

Both FortiGates are not in HA.

In this example:
FortiGate1 (Primary for test_domain.local) - IP 10.191.35.48.
FortiGate2 (Secondary for test_domain.local)   - IP 10.191.36.213.

Solution

On FortiGate1 (Primary):

Go to System-> Feature Visibility -> Additional Features, and turn on DNS Database (select 'Apply').

Go to Network -> DNS Servers and create a new DNS Database.

Type: master
DNS Zone: Zone_1
Domain Name: test_domain.local
Hostname of Primary Master: Primary

Type: Address (A)
Hostname: abc
IP Address: 192.168.0.10

Config the DNS Service on the Interface, the interface of the VPN tunnel.

Go to System -> Network -> DNS Servers and create a new DNS Service on Interface.

Select the VPN tunnel interface (on the Primary unit) which is connected with a Secondary FortiGate for the zone transfers.

Configure the IP address at the VPN tunnel Interface at Primary FortiGate:

Source IP - 10.10.10.1/32

RemoteIP - 10.10.10.2/32

Run the following commands in the CLI to allow the zone transfer to the slave (replace the IP address with the address of the slave):

config system dns-database

    edit vSphere

        set source-ip 10.10.10.1

        set allow-transfer 10.10.10.2
end

FortiGate2 (Secondary):

Go to System-> Feature Visibility -> Additional Features, and turn on DNS Database (select Apply).
Go to Network -> DNS Servers and create a new DNS Database.

Type: Secondary
DNS Zone: Zone_2
Domain Name: vsphere.local
IP of Primary: 10.10.10.1

On both/either unit(s), if the FortiGate is being used as the DNS server for local hosts, ensure the interface that is being referenced as the DNS server, has a DNS service set.

Example.
If users attached to the internal interfaces want to use the FortiGate as their DNS server, ensure that the users are pointing to an IP address of the local FortiGate (in this case we can use FortiGate's internal IP address). On the FortiGate ensure that a DNS service is also created for the interface that the users will be referencing:

Go to Network -> DNS Servers and create a new DNS Service.

Interface: To_FGT1
Mode: Recursive

Configure the IP address at the VPN tunnel Interface at Secondary FortiGate:

Source IP - 10.10.10.2/32

RemoteIP - 10.10.10.1/32

Run the following commands in the CLI in the Secondary FortiGate:

config system dns-database
    edit vSphere

        set source-ip 10.10.10.2

        set ip-primary 10.10.10.1
end

In the CLI run the following command on both units to see the database:

diagnose test application dnsproxy 99

diagnose test application dnsproxy 8

Sample output from Primary:

FWF60D# diagnose test application dnsproxy 8

orker idx: 0

vfid=0 name=Zone_1 domain=vsphere.local ttl=86400 authoritative=1 view=shadow type=primary serial=319246610 refresh=0
A: aaa.vsphere.local-->192.168.0.17(86400)
A: abc.vsphere.local-->192.168.0.10(86400)
A: bbc.vsphere.local-->192.168.0.14(86400)
A: cba.vsphere.local-->192.168.0.12(86400)
SOA: vsphere.local (primary: Primary.vsphere.local, contact: host@vsphere.local, serial: 319246610)(86400)
A: bcd.vsphere.local-->192.168.0.13(86400)
A: ccc.vsphere.local-->192.168.0.16(86400)
A: acb.vsphere.local-->192.168.0.11(86400)

From Secondary:

FGT90D# diagnose test application dnsproxy 8

worker idx: 0

vfid=0 name=Zone_2 domain=vsphere.local ttl=86400 authoritative=1 view=shadow type=secondary serial=166236703 refresh=7200
A: acb.vsphere.local-->192.168.0.11(86400)
A: cba.vsphere.local-->192.168.0.12(86400)
A: bbc.vsphere.local-->192.168.0.14(86400)
SOA: vsphere.local (primary: Primary.vsphere.local, contact: host@vsphere.local, serial: 166236703)(86400)
A: abc.vsphere.local-->192.168.0.10(86400)
A: ccc.vsphere.local-->192.168.0.16(86400)
A: aaa.vsphere.local-->192.168.0.17(86400)
A: bcd.vsphere.local-->192.168.0.13(86400)