Support Forum
Cajuntank
Contributor II

FortiGate as secondary DNS server to Windows AD DNS inquiry?

The only link I can find on the support site with this scenario I am wanting to achieve is https://community.fortinet.com/t5/FortiGate/Technical-Tip-DNS-database-with-FortiGate-as-a-slave-to-... where it gives the basic items to do to get this working. What I am making further inquiry about is what might need to be done on the Windows side? i.e. since this is going to be a secondary DNS, is the FortiGate's DNS BIND, and thus do I need to set the Windows DNS properties to allow BIND secondaries? Do I need to turn off DNSSEC for remote responses? Just those types of inquiries, since the article did not expound on that at all, and since I am running into errors this has gotten me to make further inquiry.


From the Windows side of things, I get a "Validation error, please try again later". From the FortiGate's side, when I run "diag test application dnsproxy 8" from the CLI, I do get record information like the example output in the link provided, yet in the GUI there is nothing that shows me I was successful (like the # of Entries, for example).


Thanks.

1 Solution
Shilpa1
Staff

Hello,
You can try the below:

  1. Windows DNS Configuration:

    • On the Windows DNS server, you need to allow zone transfers to the FortiGate's IP address. This can be done by configuring the zone transfer settings in the properties of the DNS zone.
    • Ensure that the Windows DNS server allows zone transfers to secondary servers, which would include the FortiGate.
  2. FortiGate DNS Configuration:

    • FortiGate uses its own DNS software and not BIND. However, when configuring a FortiGate as a secondary DNS server, you need to specify the primary DNS server (Windows AD DNS server) and enable zone transfers.
    • In the FortiGate's DNS settings, you can set the primary DNS server as the Windows AD DNS server and configure it as a slave server.


Regarding the validation error on the Windows side and the lack of visible information in the FortiGate GUI, it's challenging to pinpoint the exact cause without further information. You may need to review the logs on both the Windows DNS server and the FortiGate for any error messages or indications of the issue. Additionally, you could try capturing network traffic to analyze the DNS communication between the two devices.

Refer to the below to capture packets on the FortiGate: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Packet-capture-sniffer/ta-p/198313

Also ensure that the firewall rules on both the Windows server and the FortiGate allow DNS traffic (TCP/UDP port 53) for zone transfers and DNS queries.

Regards,

Shilpa C P





ebilcari
Staff

You can start with the admin guide: https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/960561/fortigate-dns-server

Some configurations can be simplified if you only need to use it as a simple DNS forwarder or to add another zone. If this is the case you don't need to go with complex configurations and changes on the Microsoft DNS server.

- Emirjon
AEK
SuperUser

When you configure "Allow zone transfers" on Windows side, make sure you use the right FGT IP address, usually the one in the same subnet as your Windows server.

AEK
nikriaz
New Contributor II

If you were able to solve the problem, what was the solution? I have the same problem: shadow DNS on Forti basically works, but on the Windows server I see a validation error if I try to add the Forti IP or FQDN either to the list of allowed servers or to the notify list.

A slave DNS zone for sure has an advantage vs. basic forwarding because it avoids costly DNS requests over a slow tunnel, and of course Forti is in a different subnet from the master DNS, otherwise a secondary DNS would not be required.

Cajuntank

I never got this to show as successful on the Windows server side of things; however, when running diag queries on the FortiGate, those DNS entries did in fact show up on the firewall.

nikriaz
New Contributor II

Finally found it. I have a connection to the HQ over SD-WAN with two IPsec tunnels, each with its own IP (VTI). So these interfaces should be added as DNS interfaces even though they are purely for transport. Also, the source-ip for DNS in Forti should be set to the LAN Forti IP to properly report to Windows DNS that the server is authoritative, so it can be added to the allowed servers to transfer the zone. This IP should be added to the master DNS, along with its PTR record.

Notice that your working setup is pulling at most (the default pull interval is 15 minutes) or maybe just forwarding. To make push updates work you certainly have to have these green marks in Windows DNS to confirm that AXFR is fully operational.

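As an added example that is not part of any post in this thread, the Windows-side steps from the accepted answer (allow transfers to the FortiGate, open TCP/UDP 53) combined with nikriaz's findings (an A and PTR record for the FortiGate's DNS source IP, notify list) in PowerShell, run on the Windows DNS server. The zone name corp.example, the hostname fgt-branch and the reverse zone are constructed placeholders; 192.168.101.1 is used only because it appears in the thread.

```powershell
# Added example, not code from the thread. Requires the DnsServer module
# (RSAT / DNS Server role) and an elevated session on the AD DNS server.
# Names and addresses are constructed placeholders; replace them with yours.
Import-Module DnsServer

$Zone    = 'corp.example'               # forward zone hosted on Windows AD DNS
$RevZone = '101.168.192.in-addr.arpa'   # reverse zone for the FortiGate's LAN subnet
$FgtName = 'fgt-branch'                 # hostname the FortiGate will be known by
$FgtIp   = '192.168.101.1'              # FortiGate LAN IP = its DNS source-ip
                                        # (not a VTI/tunnel address, per the thread)

# 1. Register the FortiGate's source IP forward and reverse in the master zones,
#    so Windows can resolve/validate the server it is about to list as a secondary.
Add-DnsServerResourceRecordA   -ZoneName $Zone    -Name $FgtName -IPv4Address $FgtIp
Add-DnsServerResourceRecordPtr -ZoneName $RevZone -Name '1' -PtrDomainName "$FgtName.$Zone"

# 2. Allow transfers only to the FortiGate (not "any server"), and notify it so a
#    change is pushed immediately instead of waiting for the refresh interval.
#    Do the same for the reverse zone, which nikriaz also mirrored.
foreach ($z in @($Zone, $RevZone)) {
    Set-DnsServerPrimaryZone -Name $z `
        -SecureSecondaries TransferToSecureServers -SecondaryServers $FgtIp `
        -Notify NotifyServers -NotifyServers $FgtIp
}

# 3. Verify. AXFR runs over TCP, so TCP 53 to the FortiGate must be open, and once
#    the first transfer completes the secondary's SOA serial must match the primary's.
$tcp          = Test-NetConnection -ComputerName $FgtIp -Port 53
$primarySoa   = Resolve-DnsName -Name $Zone -Type SOA -Server 127.0.0.1 | Where-Object Type -eq 'SOA'
$secondarySoa = Resolve-DnsName -Name $Zone -Type SOA -Server $FgtIp   | Where-Object Type -eq 'SOA'

[pscustomobject]@{
    Tcp53Reachable  = $tcp.TcpTestSucceeded
    PrimarySerial   = $primarySoa.SerialNumber
    SecondarySerial = $secondarySoa.SerialNumber
    InSync          = ($primarySoa.SerialNumber -eq $secondarySoa.SerialNumber)
}

# Show the resulting transfer/notify settings for both zones.
$Zone, $RevZone | ForEach-Object { Get-DnsServerZone -Name $_ } |
    Select-Object ZoneName, SecureSecondaries, SecondaryServers, Notify, NotifyServers
```

If InSync stays false after a notify, the FortiGate is still only pulling on its own schedule (or merely forwarding), which is the distinction nikriaz draws above.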


nikriaz
New Contributor II

Update: similarly added PTR zones; they also work. This image is from a machine on the Forti side.


AEK

Do you confirm the shown IP address (192.168.101.1) is the one used by the FGT to contact your Windows DNS server?

AEK