mcwz
New Contributor

Two questions about the Fortigate DNS Server

Hi folks! I already searched the forum and the knowledgebase but didn't find an answer.

I have a FGT 60C at home which I use as a firewall for my regular machines and additionally for my home lab. The firewall is running 24x7 but my lab is not always online. So I need some special configuration.

In my lab environment I have an additional DNS server (Microsoft DNS + Active Directory) which is currently responsible for the lab environment and the lab domain. This server is allowed to go outside and uses root hints for lookups (I don't want to use my provider DNS servers and also I don't want to use Google public DNS, etc.). My regular clients use the Fortigate as DNS server. The lab machines use the MS DNS server. The problem is that the Fortigate DNS is not aware of the lab machines and the lab DNS is not aware of the regular machines.

I missed one important thing. The two domains have different names but both use the same IP address range (there are reasons for that, but too complicated to explain).

What I'd like to have is that the Fortigate should be the master (primary) DNS - because it is always online - and the lab DNS should be the secondary. I tried the following: I added two DNS databases to the Fortigate:

1. Domain Name: internal.local, Type: Master, View: Shadow, Authoritative: Enable
2. Domain Name: lab.local, Type: Master, View: Shadow, Authoritative: Enable

Then I added both domains to my lab DNS server as secondary zones. As soon as the lab DNS server starts a zone transfer, this fails. I think that the Fortigate refuses zone transfers like MS DNS servers do by default. If I do the setup exactly the reverse, so the lab DNS is primary and the Fortigate secondary, this works fine; I just need to add the Fortigate IP on the MS DNS to the allowed machines which can do zone transfers. But as I mentioned, my lab is not always up and running, so I need the other way.

1. Question: is this possible in any way on the Fortigate? I could not find a command or parameter to allow zone transfers. Maybe there exists an undocumented parameter?
2. Question: is it possible to use root hints instead of "normal" DNS servers as system DNS servers on the Fortigate, like I do in the lab with my MS DNS?

Although I'm afraid that both requirements can't be fulfilled by the Fortigate DNS - hope dies last. Thanks in advance and kind regards
mcwz
New Contributor

Hello everybody, I found the solution for question #1; better reading of the CLI guide made the job:

    config system dns-database
        edit <zone-string>
            set allow-transfer <ipv4_addr>

So there's just one remaining question: Is there any way that the Fortigate uses the root servers instead of primary/secondary? Any ideas how this could be done?
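A worked FortiOS CLI configuration for the setup described in this thread, as an added example rather than the poster's own config: both zones held as master shadow zones on the FortiGate, with zone transfers (AXFR) permitted only to the lab DNS server so that the zone contents are not handed to arbitrary clients. The LAN interface name, the lab DNS server address and the host records are assumed placeholders; only the zone names and the allow-transfer parameter come from the thread.

```text
# Added example config (not from the original post).
# Assumptions: LAN interface "internal", lab DNS server (the secondary that
# pulls the zones) at 192.168.1.10, sample host records chosen for illustration.
config system dns-database
    edit "internal"
        set domain "internal.local"
        set type master
        set view shadow
        set authoritative enable
        # Without allow-transfer the FortiGate refuses AXFR, which is the
        # failure seen in the thread; listing only the lab server keeps the
        # zone from being transferred to any other host that asks.
        set allow-transfer 192.168.1.10
        config dns-entry
            edit 1
                set type A
                set hostname "pc1"
                set ip 192.168.1.50
            next
        end
    next
    edit "lab"
        set domain "lab.local"
        set type master
        set view shadow
        set authoritative enable
        set allow-transfer 192.168.1.10
        config dns-entry
            edit 1
                set type A
                set hostname "dc1"
                set ip 192.168.1.60
            next
        end
    next
end
# The DNS service must listen on the LAN interface for clients (and the lab
# secondary) to reach the zones; recursive mode lets regular clients also
# resolve external names through the FortiGate's system DNS servers.
config system dns-server
    edit "internal"
        set mode recursive
    next
end
```

The shadow view means the zones answer only to the internal side, so the overlapping address range of the two domains never leaks to the public interface.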