FortiGate
ymasaki (Staff)
Article Id 191554

Description


This article describes how to configure the DDNS update override option of the FortiGate DHCP server.

Solution


With the DDNS update override option of the FortiGate DHCP server, FortiGate can update a client's record on a local DNS server that accepts dynamic updates.

Note:
Dynamic update for PTR records is not supported with this option.

 

config system dhcp server
    edit 0
        set ddns-update enable
        set ddns-update-override enable
        set ddns-server-ip 10.165.0.84 # ddns_server_ip
        set domain fortitest.com # ddns_zone (only if running FOS 6.4+)
        set ddns-zone fortitest.com # ddns_zone
    next
end

The text after '#' on each line is an annotation, not part of the CLI command; 'edit 0' creates a new DHCP server entry with the next free ID.

 

In this example, FortiGate (10.165.0.83) is the DHCP server.
A Windows Server 2016 host (10.165.0.84) is the DDNS server.
The test client machine receives 10.165.0.57 and its record is created by a DDNS update sent from the DHCP server.



 
Here is the record for the client machine (10.165.0.57) in the Windows Server 2016 DNS server before the DDNS update was received.
 
 
When the DDNS update is accepted (as seen in Wireshark), the record for the client is updated properly:

 
 
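The update the DHCP server sends is an RFC 2136 DNS UPDATE message. The following is an added example, not code from the article or from Fortinet: it builds an unsigned UPDATE for the zone fortitest.com that replaces the A record of a hypothetical client name (testclient.fortitest.com, assumed) with 10.165.0.57, and decodes it the way Wireshark displays the zone and update sections. It uses only the Python standard library and sends nothing on the network.

```python
import struct

def encode_name(name):
    """Encode a domain name as DNS labels: length byte + label, terminated by 0x00."""
    out = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return out + b"\x00"

def decode_name(buf, off):
    """Decode an uncompressed DNS name at offset; return (name, new offset).
    Constructed messages here use no compression pointers; a real capture may."""
    labels = []
    while buf[off] != 0:
        n = buf[off]
        labels.append(buf[off + 1:off + 1 + n].decode())
        off += 1 + n
    return ".".join(labels), off + 1

def build_ddns_update(zone, fqdn, ip, ttl=3600, msg_id=0x1234):
    """Build an unsigned UPDATE: delete any existing A RRset for fqdn, then add A = ip."""
    # Header: ID, flags (QR=0, OPCODE=5 UPDATE), ZOCOUNT=1, PRCOUNT=0, UPCOUNT=2, ADCOUNT=0
    hdr = struct.pack("!HHHHHH", msg_id, 5 << 11, 1, 0, 2, 0)
    zone_sec = encode_name(zone) + struct.pack("!HH", 6, 1)            # ZTYPE SOA, ZCLASS IN
    delete = encode_name(fqdn) + struct.pack("!HHIH", 1, 255, 0, 0)    # A, class ANY, TTL 0, no RDATA
    rdata = bytes(int(o) for o in ip.split("."))
    add = encode_name(fqdn) + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata  # A, IN, TTL, 4-byte IPv4
    return hdr + zone_sec + delete + add

def parse_ddns_update(msg):
    """Decode the zone and update sections of an UPDATE message."""
    msg_id, flags, zo, pr, up, ad = struct.unpack("!HHHHHH", msg[:12])
    if (flags >> 11) & 0xF != 5:
        raise ValueError("not a DNS UPDATE (opcode != 5)")
    zone, off = decode_name(msg, 12)
    off += 4                                                  # skip ZTYPE/ZCLASS
    updates = []
    for _ in range(up):
        name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        value = ".".join(str(b) for b in rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        updates.append((name, rtype, rclass, ttl, value))
    # A TSIG-signed update (e.g. to BIND) carries its TSIG RR in the additional section;
    # the unsigned update a Windows zone in 'Nonsecure and secure' mode accepts has ADCOUNT 0.
    return {"id": msg_id, "zone": zone, "updates": updates, "additional": ad}

if __name__ == "__main__":
    print(parse_ddns_update(build_ddns_update("fortitest.com", "testclient.fortitest.com", "10.165.0.57")))
```

The delete-then-add pair is the standard RFC 2136 way to replace an RRset; compare the decoded update section with the Wireshark capture to confirm the DHCP server is sending the expected name and address.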
Related document:
 
Important notes:
This implementation requires the zone's dynamic update setting to allow nonsecure sources. In DNS Manager, right-click the zone that should accept dynamic updates and select Properties:

 

Change the option for Dynamic Updates to 'Nonsecure and secure'.
 

 

The reason is that Microsoft DNS Server does not support the TSIG authentication protocol; it supports only GSS-TSIG, so the FortiGate's update cannot be authenticated by the Windows server. Because 'Nonsecure and secure' accepts unsigned updates from any source that can reach the zone, limit which hosts can reach the DNS server's update path (for example, a FortiGate firewall policy that permits DNS to it only from the DHCP server) and review the zone for unexpected record changes.
 
If the DNS server is not a Microsoft server but a BIND DNS server, refer to the following article to configure DDNS update with authentication protocol: