Does Forti actually update DNS from DHCP?

wseaton · ‎03-07-2020

According to this thread

https://www.wmlcloud.com/internet-protocols/problem-can-fortigate-automatically-update-dns-records/

.....it doesn't, and explains the problems I'm having. I have a thread below in which I complain about devices not being able to resolve via hostname with a fortigate 200D handling DHCP and DNS. We were blaming it initially on the devices, but since this is the same behavior as the thread linked above.....well.... I downloaded a freeware DHCP / DNS server and had no problems resolving local DNS hostnames via DHCP. So, the problem isn't the devices.

I would appreciate some confirmation on this, because if our 200D doesn't support a basic DHCP / DNS functionality like this then we will be looking for an alternate product. Note our 200D is still on 5.4.1.....possible this issue has been patched?

ede_pfau · ‎03-07-2020

Two scenarios:

1- DNS server on the Fortigate

2- DNS server on a Windows server in the LAN

and

DHCP server on Fortigate

Neither in scenario 1 nor in 2 will the FGT DHCP server update any DNS record. It could, at least in scenario 1, as it records the Windows client's hostname (see Device inventory, up to FOS v6.2), but alas...it doesn't. Dynamic DNS update is a feature just not included in FortiOS.

Whether this is crucial for an enterprise firewall is up to you.

Ede

"Kernel panic: Aiee, killing interrupt handler!"

View solution in original post

ede_pfau · ‎03-07-2020

Two scenarios:

1- DNS server on the Fortigate

2- DNS server on a Windows server in the LAN

and

DHCP server on Fortigate

Neither in scenario 1 nor in 2 will the FGT DHCP server update any DNS record. It could, at least in scenario 1, as it records the Windows client's hostname (see Device inventory, up to FOS v6.2), but alas...it doesn't. Dynamic DNS update is a feature just not included in FortiOS.

Whether this is crucial for an enterprise firewall is up to you.

Ede

"Kernel panic: Aiee, killing interrupt handler!"

wseaton · ‎03-07-2020

I appreciate the quick response.

I know where we are going with the "Enterprise Feature" argument, but it's a circular debate. I can make the same point about DHCP on an Enterprise Firewall :)

Again, I appreciate the quick response.

jpcastilloux · ‎03-02-2021

Hi !

Did you find how to make it works ?

I know the command line to configure DDNS to update the DNS records of DHCP clients are :

config system dhcp server

edit x

set ddns-update enable

set ddns-update-override enable

set ddns-server-ip YourDNSServerIP

set ddns-zone YourDNSDomainZone

But as our DNS Server is in Secure only for Dynamic Update, I dont know where to configure the credentials needed for Dynamic Update in the Fortigate

bamather · ‎03-04-2021

I am also having the same issues I would like to use DHCP on the gates, but use DNS on my windows 2016 server. Surly some people are doing this right? I found this article and it sounds exactly what I want. However I can't get it to work

https://kb.fortinet.com/kb/documentLink.do?externalID=FD47513

This one only works for windows devices. Other devices not using windows will not register to DNS.

https://www.infosecmonkey.com/2019/05/22/fortigate-dhcp-and-microsoft-dynamic-dns/

Surly someone has a solution for this.

vmc · ‎04-02-2021

Hey Guys,

FortiGate supports TSIG so you should be able to update Microsoft DNS servers with Secure Only.

Generate a keytab file for the the user with creds for DNS dynamic update.

Windows:

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/ktpass

Fortigate:

config system dhcp server

edit x

set ddns-auth tsig

set ddns-keyname

set ddns-key

end

I haven't tested it myself as I didn't have this requirement.

My issue is that I would like to have the FortiGate DHCP to dynamically update the relevant local DNS zone in the FortiGate, as I'm coud native and have no servers on prem.

Didn't find a solution yet to my problem.

V.

AlexHanks · ‎04-29-2022

Hi VMC.

Theoreticlly (asuming that the fortigate is but a secondary NS), you can just point the dns updates at the primary NS.

I have a setup in which were this could be useful, and will see if i can get this setup and tested sometime next couple of weeks, and update everyone on the outcome.

Just for clarification do we need to setup a keytab for the end clients or the Fortigate (becuase i know im going to get asked this question)?

Regards

A

sadisadi · ‎08-02-2023

Hi @AlexHanks ,

Have you been able to verify the TSIG on the Fortigate connecting to Microsoft DNS on Windows?

I'm struggling with the same case and still haven't found a way to solve it.

From what is stated in the https://community.fortinet.com/t5/FortiGate/Technical-Tip-DHCP-server-with-Dynamic-update-with-TSIG/... , Microsoft DNS requires GSS-TSIG which does not support HMAC-MD5 alghoritm used by Fortigate for DDNS.

Any help would be appreciated for enabling the Secured dns auth to Windows DNS.

Best regards

DS

ondrugs · ‎09-21-2023

I believe I may have an answer (maybe not the answer) to this.

https://docs.fortinet.com/document/fortigate/7.0.5/administration-guide/783526/dhcp-server

and read

Configure a DHCP server and relay on an interface

We setup the WindoZe server and Fortigate with the same DHCP config. Fortigate sends its lease info onto the WindoZe server, which updates its lease table and DNS.

I'm still testing this, but it appears to be working.