The only link I can find on the support site with the scenario I am wanting to achieve is https://community.fortinet.com/t5/FortiGate/Technical-Tip-DNS-database-with-FortiGate-as-a-slave-to-... where it gives the basic items to do to get this working. What I am making further inquiry about is what might need to be done on the Windows side? i.e., since this is going to a secondary DNS, is the FortiGate's DNS BIND, and thus do I need to set the Windows DNS properties to allow BIND secondaries? Do I need to turn off DNSSEC for remote responses? Just those types of inquiries, since the article did not expound on that at all, and since I am running into errors, this has gotten me to make further inquiry.
From the Windows side of things, I get a "Validation error, please try again later". From the FortiGate's side, when I do "diag test application dnsproxy 8" from the CLI, I do get record information like the example output of the link provided, yet from the GUI, there is nothing that shows me I was successful (like # of Entries for example).
Thanks.
Hello,
You can try the below
Windows DNS Configuration:
FortiGate DNS Configuration:
You can start with the admin guide: https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/960561/fortigate-dns-server
Some configurations can be simplified if you need to use it as a simple DNS forwarder or to add another zone. If this is the case, you don't need to go with complex configurations and changes on the Microsoft DNS server.
When you configure "Allow zone transfers" on Windows side, make sure you use the right FGT IP address, usually the one in the same subnet as your Windows server.
If you were able to solve the problem, what was the solution? I have the same problem: shadow DNS on the Forti basically works, but on the Windows server I see a validation error if I try to add the Forti IP or FQDN either to the list of allowed servers or to the notify list.
A slave DNS zone for sure has an advantage vs. basic forwarding because it avoids costly DNS requests over a slow tunnel, and of course the Forti is in a different subnet from the master DNS, otherwise a secondary DNS would not be required.
I never got this to show successful on the Windows server side of things; however, when running diag queries on the FortiGate, those DNS entries did in fact show up on the firewall.
Finally found it. I have a connection to the HQ over SD-WAN with two IPSec tunnels, each with its own IP (VTI). So, these interfaces should be added as DNS interfaces even though they are purely for transport only. Also, the source-ip for DNS in the Forti should be set to the LAN Forti IP to properly report to Windows DNS that the server is authoritative, so it can be added to the allowed servers for zone transfer. This IP should be added to the master DNS, along with its PTR record.
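The Windows-side steps from the post above (allow and notify the FortiGate's LAN source IP, add its A and PTR records on the master), as an added PowerShell example written for this thread, not code from the original post or from Fortinet. The zone name, the reverse zone and the record name are assumptions; 192.168.101.1 is the FGT address mentioned later in the thread, and the final step checks that the secondary answers the SOA with the same serial as the master, which is what the green check marks in the DNS console reflect.

```powershell
# Run on the Windows DNS server that holds the primary (master) zone.
# All names and addresses below are constructed for this example.
$Zone        = "example.local"                  # assumed forward zone
$ReverseZone = "101.168.192.in-addr.arpa"       # assumed reverse zone for 192.168.101.0/24
$FgtDnsIp    = "192.168.101.1"                  # FGT LAN IP used as DNS source-ip (from the thread)
$FgtHostName = "fgt-dns"                        # assumed hostname for the A/PTR pair

# 1. Only transfer the zone to the listed secondaries and send NOTIFY to them.
#    This is the "Allow zone transfers" / "Notify" tab in the DNS console.
Set-DnsServerPrimaryZone -Name $Zone `
    -SecureSecondaries TransferToSecureServers -SecondaryServers $FgtDnsIp `
    -Notify NotifyServers -NotifyServers $FgtDnsIp

# 2. The console validates a secondary by resolving it, so the FGT source IP
#    needs both an A record and a matching PTR record on the master.
Add-DnsServerResourceRecordA   -ZoneName $Zone -Name $FgtHostName -IPv4Address $FgtDnsIp
Add-DnsServerResourceRecordPtr -ZoneName $ReverseZone -Name "1" -PtrDomainName "$FgtHostName.$Zone"

# 3. Verify AXFR actually completed: the secondary must return the same SOA
#    serial as the master. A stale or missing serial means the transfer failed
#    (wrong source-ip, transport interface not enabled for DNS, or transfer denied).
$masterSoa    = Resolve-DnsName -Name $Zone -Type SOA -Server "127.0.0.1"
$secondarySoa = Resolve-DnsName -Name $Zone -Type SOA -Server $FgtDnsIp
if ($masterSoa.SerialNumber -eq $secondarySoa.SerialNumber) {
    "AXFR OK: serial {0} on both master and FortiGate" -f $masterSoa.SerialNumber
} else {
    "Serial mismatch: master {0}, FortiGate {1}" -f $masterSoa.SerialNumber, $secondarySoa.SerialNumber
}
```

Repeat step 1 for the reverse zone if the FortiGate is to hold PTR zones too, as the later update in this thread describes.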
Notice that your working setup is pulling at most (the default pull interval is 15 minutes) or maybe just forwarding. To make push updates work, you certainly have to have these green marks in Windows DNS to confirm that AXFR is fully operational.
Update: I similarly added PTR zones, and they also work. This image is from a machine on the Forti side.
Can you confirm that the IP address shown (192.168.101.1) is the one used by the FGT to contact your Windows DNS server?