This article describes how to use a DHCP server with Dynamic update of DNS records and with TSIG authentication.
To avoid exposing DNS records to unauthorized updates, all updates should use transaction signatures (TSIG). Transaction signatures are a method of cryptographically signing updates with a shared secret key.
A TSIG key must be generated to authenticate the DHCP server to the DNS server for dynamic updates. This is done with either the dnssec-keygen (BIND v9) or dnskeygen (BIND v8) command. To generate a 128-bit key with dnssec-keygen using the HMAC-MD5 algorithm (mandatory for TSIG keys), use the following command:
dnssec-keygen -a HMAC-MD5 -b 128 -n HOST dhcp-server.example.domain
This TSIG key is then placed in the 'config system dhcp server' settings as follows (the option names are ddns-server-ip, ddns-zone and ddns-update-override; ddns-keyname carries the name given to dnssec-keygen so that named can look the key up):
FGT3KD-1 # config system dhcp server
FGT3KD-1 (server) # edit 1
FGT3KD-1 (1) # set ddns-update enable
FGT3KD-1 (1) # set ddns-update-override enable
FGT3KD-1 (1) # set ddns-server-ip 184.108.40.206 # DDNS server IP address
FGT3KD-1 (1) # set ddns-zone example.domain # DDNS zone
FGT3KD-1 (1) # set ddns-auth tsig
FGT3KD-1 (1) # set ddns-keyname dhcp-server.example.domain # key name used with dnssec-keygen
FGT3KD-1 (1) # set ddns-key 'YrjNE9zKuIffBhQSC/4Tkg=='
FGT3KD-1 (1) # next
FGT3KD-1 (server) # end
The DNS server (named) must then be configured, and the same key must be placed in the named.conf settings:
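The same secret has to be copied, unchanged, into both the FortiGate DHCP server settings and named.conf, and a key of the wrong length or algorithm is silently accepted by copy-and-paste. The following script is an added example, not part of the article or of Fortinet's or ISC's tooling: it reads a constructed copy of the .private file that dnssec-keygen writes, checks that the key is HMAC-MD5 and 128 bits as requested on the command line, and renders the matching FortiGate CLI lines and BIND key/zone statements. The key name, zone and server address are the ones used in the article.

```python
import base64
import re

# Constructed sample of the .private file written by
# "dnssec-keygen -a HMAC-MD5 -b 128 -n HOST dhcp-server.example.domain";
# the key value is the one shown in the article.
SAMPLE_PRIVATE = """\
Private-key-format: v1.2
Algorithm: 157 (HMAC_MD5)
Key: YrjNE9zKuIffBhQSC/4Tkg==
"""

KEY_NAME = "dhcp-server.example.domain"   # -n HOST name passed to dnssec-keygen
ZONE = "example.domain"                    # ddns-zone on the FortiGate
DDNS_SERVER_IP = "184.108.40.206"          # ddns-server-ip on the FortiGate


def parse_private_key(text, expected_bits=128):
    """Return the base64 secret after checking algorithm and key length."""
    fields = dict(re.findall(r"^([\w-]+):\s*(.+)$", text, re.M))
    # Algorithm number 157 is HMAC-MD5, the algorithm the article requires.
    if not fields.get("Algorithm", "").startswith("157"):
        raise ValueError("TSIG key must use HMAC-MD5 (algorithm 157)")
    secret = fields["Key"].strip()
    raw = base64.b64decode(secret, validate=True)   # rejects corrupted copies
    if len(raw) * 8 != expected_bits:
        raise ValueError(f"key is {len(raw) * 8} bits, expected {expected_bits}")
    return secret


def fortigate_config(secret):
    """FortiOS 'config system dhcp server' lines carrying the TSIG key."""
    return "\n".join([
        "config system dhcp server", "    edit 1",
        "        set ddns-update enable", "        set ddns-update-override enable",
        f"        set ddns-server-ip {DDNS_SERVER_IP}", f"        set ddns-zone {ZONE}",
        "        set ddns-auth tsig", f"        set ddns-keyname {KEY_NAME}",
        f"        set ddns-key '{secret}'", "    next", "end"])


def named_conf(secret):
    """BIND key statement plus a zone that only accepts updates signed by it."""
    return (f'key "{KEY_NAME}" {{\n    algorithm hmac-md5;\n    secret "{secret}";\n}};\n'
            f'zone "{ZONE}" {{\n    type master;\n    file "{ZONE}.zone";\n'
            f'    allow-update {{ key "{KEY_NAME}"; }};\n}};\n')


if __name__ == "__main__":
    key = parse_private_key(SAMPLE_PRIVATE)
    print(fortigate_config(key))
    print(named_conf(key))
```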