According to this thread
https://www.wmlcloud.com/internet-protocols/problem-can-fortigate-automatically-update-dns-records/
...it doesn't, and explains the problems I'm having. I have a thread below in which I complain about devices not being able to resolve via hostname with a Fortigate 200D handling DHCP and DNS. We were blaming it initially on the devices, but since this is the same behavior as the thread linked above... well... I downloaded a freeware DHCP/DNS server and had no problems resolving local DNS hostnames via DHCP. So, the problem isn't the devices.
I would appreciate some confirmation on this, because if our 200D doesn't support basic DHCP/DNS functionality like this then we will be looking for an alternate product. Note our 200D is still on 5.4.1... Is it possible this issue has been patched?
Two scenarios:
1- DNS server on the Fortigate
2- DNS server on a Windows server in the LAN
and
DHCP server on Fortigate
Neither in scenario 1 nor in 2 will the FGT DHCP server update any DNS record. It could, at least in scenario 1, as it records the Windows client's hostname (see Device inventory, up to FOS v6.2), but alas...it doesn't. Dynamic DNS update is a feature just not included in FortiOS.
Whether this is crucial for an enterprise firewall is up to you.
I appreciate the quick response.
I know where we are going with the "Enterprise Feature" argument, but it's a circular debate. I can make the same point about DHCP on an Enterprise Firewall :)
Again, I appreciate the quick response.
Hi!
Did you find out how to make it work?
I know the command lines to configure DDNS to update the DNS records of DHCP clients are:
config system dhcp server
    edit x
        set ddns-update enable
        set ddns-update-override enable
        set ddns-server-ip YourDNSServerIP
        set ddns-zone YourDNSDomainZone
    next
end
But as our DNS server is set to Secure only for dynamic update, I don't know where to configure the credentials needed for dynamic update on the Fortigate.
I am also having the same issues. I would like to use DHCP on the gates, but use DNS on my Windows 2016 server. Surely some people are doing this, right? I found this article and it sounds like exactly what I want. However, I can't get it to work.
https://kb.fortinet.com/kb/documentLink.do?externalID=FD47513
This one only works for windows devices. Other devices not using windows will not register to DNS.
https://www.infosecmonkey.com/2019/05/22/fortigate-dhcp-and-microsoft-dynamic-dns/
Surely someone has a solution for this.
Hey Guys,
FortiGate supports TSIG so you should be able to update Microsoft DNS servers with Secure Only.
Generate a keytab file for the user with creds for DNS dynamic update.
Windows:
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/ktpass
Fortigate:
config system dhcp server
    edit x
        set ddns-auth tsig
        set ddns-keyname
        set ddns-key
end
I haven't tested it myself as I didn't have this requirement.
My issue is that I would like to have the FortiGate DHCP dynamically update the relevant local DNS zone in the FortiGate, as I'm cloud native and have no servers on prem.
I haven't found a solution to my problem yet.
V.
Created on 04-29-2022 01:53 AM Edited on 04-29-2022 01:55 AM
Hi VMC.
Theoretically (assuming that the Fortigate is but a secondary NS), you can just point the DNS updates at the primary NS.
I have a setup where this could be useful, and will see if I can get this set up and tested sometime in the next couple of weeks, and update everyone on the outcome.
Just for clarification, do we need to set up a keytab for the end clients or for the Fortigate (because I know I'm going to get asked this question)?
Regards
A
Hi @AlexHanks ,
Have you been able to verify the TSIG on the Fortigate connecting to Microsoft DNS on Windows?
I'm struggling with the same case and still haven't found a way to solve it.
From what is stated in https://community.fortinet.com/t5/FortiGate/Technical-Tip-DHCP-server-with-Dynamic-update-with-TSIG/... , Microsoft DNS requires GSS-TSIG, which does not support the HMAC-MD5 algorithm used by Fortigate for DDNS.
Any help would be appreciated for enabling secured DNS auth to Windows DNS.
Best regards
DS
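As an added example (not code from this thread or from Fortinet), the Python below builds an RFC 2136 UPDATE that adds one A record, signs it with a static TSIG HMAC-MD5 key (the mechanism the `set ddns-auth tsig` post above configures), and verifies it the way a receiving server does; it is the shared-secret TSIG that a BIND-style server accepts when configured with the matching key, whereas, as the reply above notes, a Windows zone set to Secure only expects GSS-TSIG with Kerberos-negotiated keys. The zone `example.lan`, host `host1`, key name `fgt-ddns-key` and the key bytes are constructed sample values.

```python
# Added example: RFC 2136 DNS UPDATE signed and verified with TSIG HMAC-MD5 (RFC 2845); sample values constructed.
import hashlib
import hmac
import struct

TSIG_ALG = "hmac-md5.sig-alg.reg.int"  # algorithm behind FortiOS "set ddns-auth tsig"

def wire_name(name):
    """Uncompressed, lowercased (canonical) wire form of a DNS name."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(struct.pack("B", len(l)) + l.encode() for l in labels) + b"\x00"

def build_update(msg_id, zone, host, ipv4, ttl=3600):
    """Unsigned UPDATE: the zone's SOA in the Zone section, one A record to add."""
    header = struct.pack("!HHHHHH", msg_id, 5 << 11, 1, 0, 1, 0)  # opcode 5 = UPDATE
    zone_sec = wire_name(zone) + struct.pack("!HH", 6, 1)           # type SOA, class IN
    rdata = bytes(int(o) for o in ipv4.split("."))
    add_a = wire_name(host + "." + zone) + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return header + zone_sec + add_a

def tsig_variables(keyname, time_signed, fudge):
    """TSIG fields covered by the MAC (RFC 2845 3.4.2): name, ANY, TTL 0, alg, time, fudge, error, other."""
    ts = struct.pack("!HI", time_signed >> 32, time_signed & 0xFFFFFFFF)  # 48-bit time signed
    return (wire_name(keyname) + struct.pack("!HI", 255, 0) + wire_name(TSIG_ALG)
            + ts + struct.pack("!HHH", fudge, 0, 0))

def tsig_sign(msg, keyname, key, time_signed, fudge=300):
    """Append a TSIG RR whose HMAC-MD5 covers the whole message plus the TSIG variables."""
    mac = hmac.new(key, msg + tsig_variables(keyname, time_signed, fudge), hashlib.md5).digest()
    ts = struct.pack("!HI", time_signed >> 32, time_signed & 0xFFFFFFFF)
    orig_id = struct.unpack("!H", msg[:2])[0]
    rdata = (wire_name(TSIG_ALG) + ts + struct.pack("!HH", fudge, len(mac)) + mac
             + struct.pack("!HHH", orig_id, 0, 0))                  # original id, error, other-len
    rr = wire_name(keyname) + struct.pack("!HHIH", 250, 255, 0, len(rdata))  # type TSIG, class ANY, TTL 0
    arcount = struct.unpack("!H", msg[10:12])[0] + 1               # ARCOUNT now counts the TSIG RR
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + rr + rdata

def tsig_verify(signed, keyname, key):
    """Recompute the MAC as the server would; False if the key or the message does not match."""
    start = signed.rfind(wire_name(keyname) + struct.pack("!HH", 250, 255))
    if start < 0:
        return False
    rdata = signed[start + len(wire_name(keyname)) + 10:]          # skip type/class/TTL/RDLENGTH
    alg_len = len(wire_name(TSIG_ALG))
    ts_hi, ts_lo, fudge, mac_len = struct.unpack("!HIHH", rdata[alg_len:alg_len + 10])
    mac = rdata[alg_len + 10:alg_len + 10 + mac_len]
    unsigned = signed[:10] + struct.pack("!H", struct.unpack("!H", signed[10:12])[0] - 1) + signed[12:start]
    expect = hmac.new(key, unsigned + tsig_variables(keyname, (ts_hi << 32) | ts_lo, fudge), hashlib.md5)
    return hmac.compare_digest(mac, expect.digest())
```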
I believe I may have an answer (maybe not the answer) to this.
https://docs.fortinet.com/document/fortigate/7.0.5/administration-guide/783526/dhcp-server
and read
We set up the WindoZe server and the Fortigate with the same DHCP config. The Fortigate sends its lease info on to the WindoZe server, which updates its lease table and DNS.
I'm still testing this, but it appears to be working.