Support Forum
Cajuntank
Contributor II

FortiGate as secondary DNS server to Windows AD DNS inquiry?

The only link I can find on the support site for the scenario I am wanting to achieve is https://community.fortinet.com/t5/FortiGate/Technical-Tip-DNS-database-with-FortiGate-as-a-slave-to-... where it gives the basic items to do to get this working. What I am making further inquiry about is what might need to be done on the Windows side? i.e., since this is going to be a secondary DNS, is the FortiGate's DNS BIND, and thus do I need to set the Windows DNS properties to allow BIND secondaries? Do I need to turn off DNSSEC for remote responses? Just those types of inquiries, since the article did not expound on that at all... and since I am running into errors, this has gotten me to make further inquiry.


From the Windows side of things, I get a "Validation error, please try again later".  From the FortiGate's side, when I do "diag test application dnsproxy 8" from the CLI, I do get record information like the example output of the link provided, yet from the GUI, there is nothing that shows me I was successful (like # of Entries for example). 


Thanks.

1 Solution
Shilpa1
Staff

Hello ,
You can try the below:

  1. Windows DNS Configuration:

    • On the Windows DNS server, you need to allow zone transfers to the FortiGate's IP address. This can be done by configuring the zone transfer settings in the properties of the DNS zone.
    • Ensure that the Windows DNS server allows zone transfers to secondary servers, which would include the FortiGate.
  2. FortiGate DNS Configuration:

    • FortiGate uses its own DNS software and not BIND. However, when configuring a FortiGate as a secondary DNS server, you need to specify the primary DNS server (Windows AD DNS server) and enable zone transfers.
    • In the FortiGate's DNS settings, you can set the primary DNS server as the Windows AD DNS server and configure it as a slave server.


      Regarding the validation error on the Windows side and the lack of visible information in the FortiGate GUI, it's challenging to pinpoint the exact cause without further information. You may need to review the logs on both the Windows DNS server and the FortiGate for any error messages or indications of the issue. Additionally, you could try capturing network traffic to analyze the DNS communication between the two devices.

      Refer to the following to capture packets on the FortiGate: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Packet-capture-sniffer/ta-p/198313


      Also, ensure that the firewall rules on both the Windows server and the FortiGate allow DNS traffic (TCP/UDP port 53) for zone transfers and DNS queries.

      Regards,

      Shilpa C P






3 REPLIES
ebilcari
Staff

You can start with the admin guide: https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/960561/fortigate-dns-server

Some configurations can be simplified if you only need to use it as a simple DNS forwarder or to add another zone. If this is the case, you don't need to go with complex configurations and changes on the Microsoft DNS server.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
AEK
Honored Contributor

When you configure "Allow zone transfers" on Windows side, make sure you use the right FGT IP address, usually the one in the same subnet as your Windows server.


AEK
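The Windows-side steps from the accepted answer (allow zone transfers to the FortiGate, admit TCP/UDP 53) together with AEK's point about using the FortiGate address in the server's subnet, as an added PowerShell example. This is not code from the thread or from Fortinet; the zone name corp.example.com, the DNS server name dc01, the FortiGate address 10.0.0.1 and the firewall rule names are assumptions to replace with your own. Run it in an elevated PowerShell session on the Windows DNS server.

```powershell
# Added example, not from the original thread. Configures a Windows AD DNS
# primary zone so a FortiGate can pull it as a secondary, scopes the host
# firewall to that one source, and reads the settings back.
# Assumed values (replace with your own):
$ZoneName    = 'corp.example.com'   # the AD-integrated zone to transfer
$FortiGateIP = '10.0.0.1'           # FortiGate interface IP in the server's subnet;
                                    # this is the source address of its AXFR requests
$DnsServer   = 'dc01'               # the Windows DNS server to configure

Import-Module DnsServer

# 1. Allow zone transfers only to the FortiGate, and NOTIFY it when the zone
#    changes so the secondary refreshes without waiting for the SOA refresh timer.
#    TransferToSecureServers = "Only to the following servers" in the DNS console.
Set-DnsServerPrimaryZone -Name $ZoneName -ComputerName $DnsServer `
    -SecureSecondaries TransferToSecureServers `
    -SecondaryServers  $FortiGateIP `
    -Notify            NotifyServers `
    -NotifyServers     $FortiGateIP

# 2. Admit the transfer at the host firewall. AXFR runs over TCP 53; ordinary
#    queries use UDP 53. The DNS Server role normally opens both already, but an
#    explicit source-scoped rule documents the intent and is easy to audit.
foreach ($proto in 'TCP', 'UDP') {
    $ruleName = "DNS $proto 53 from FortiGate secondary"   # assumed rule name
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound `
            -Protocol $proto -LocalPort 53 -RemoteAddress $FortiGateIP `
            -Action Allow -Profile Domain | Out-Null
    }
}

# 3. Read the zone settings back. SecondaryServers must contain exactly the
#    address the FortiGate sends from; a transfer request from any other
#    address is refused by the server.
Get-DnsServerZone -Name $ZoneName -ComputerName $DnsServer |
    Select-Object ZoneName, ZoneType, IsDsIntegrated,
                  SecureSecondaries, SecondaryServers, Notify, NotifyServers |
    Format-List
```

After this runs, verify from the FortiGate side as the original post does with `diagnose test application dnsproxy 8`, and run `diagnose sniffer packet any 'host 10.0.0.1 and port 53' 4` while the secondary refreshes to watch the AXFR over TCP. If the address in SecondaryServers is not the one the FortiGate actually sends from (for example a different interface than the one facing the server), the capture shows the transfer request being refused and the FortiGate never receives the records. The example does not change any DNSSEC settings on the zone.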