FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
mdecesare
Staff
Staff

Description

 

This article describes how to use a DHCP server with Dynamic update of DNS records and with TSIG authentication.

 

Scope

 

In order to avoid DNS records exposure, all updates should use transactional signatures (TSIG). Transactional signatures are a method of cryptographically signing updates by using a shared secret key. 

 

Solution

 

You have to generate a TSIG key in order to authenticate the DHCP server to the DNS server for dynamic updates. This is possible by using either the dnssec-keygen (BIND v9) or dnskeygen (BIND v8) commands. To generate a key with dnssec-keygen, using the HMAC-MD5 algorithm (mandatory for TSIG keys), and a key size of 128, use the following command:

 

dnssec-keygen -a HMAC-MD5 -b 128 -n HOST dhcp-server.example.domain

 

This TSIG key is then placed in the '# config system dhcp server' settings like:

 

FGT3KD-1 # config system dhcp server

FGT3KD-1 (server) edit 1

FGT3KD-1 (1) set ddns-update enable

FGT3KD-1 (1) set ddns-update_override enable

FGT3KD-1 (1) set dns-server-ip 1.1.1.1 #ddns_server_ip address

FGT3KD-1 (1) set dns-zone example.domain #ddns_zone

FGT3KD-1 (1) set ddns-auth tsig

FGT3KD-1 (1) set ddns-key 'YrjNE9zKuIffBhQSC/4Tkg=='

 

 

Then it is necessary to configure your DNS named and the private key should be placed in the named.conf settings:

 

key dhcp-server.example.domain. {

algorithm hmac-md5;
secret "YrjNE9zKuIffBhQSC/4Tkg==";
};

 

Add an update-policy substatement to both the forward and reverse zones in the named.conf file:

 

zone "example.domain" {

type master;

file db.example.domain";

update-policy {

grant dhcp-server.example.domain. wildcard*. example.domain A TXT; };

};

 

zone 32.16.172.in-addr.arpa. {

type master; file "db.172.16.32";

update-policy {

grant dhcp-server.example.domain. wildcard *.16.32.172.in addr.arpa. PTR; };

};

 

Related documents:

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configure-DDNS-update-override-in-FortiGat...

 

http://pig.made-it.com/ddns.html

Contributors