Created on 06-09-2015 02:16 PM Edited on 05-09-2023 04:08 AM By Anthony_E
Description
This article describes how to configure one FortiGate as the Primary for a DNS zone and a second FortiGate as the Secondary (slave) for the same DNS zone.
The two FortiGates are not in an HA cluster.
In this example:
FortiGate1 (Primary for test_domain.local) - IP 10.191.35.48
FortiGate2 (Secondary for test_domain.local) - IP 10.191.36.213
Solution
On FortiGate1 (Primary):
Go to System -> Feature Visibility -> Additional Features, enable DNS Database and select 'Apply'.
Go to Network -> DNS Servers and create a new DNS Database
Type: master
DNS Zone: Zone_1
Domain Name: test_domain.local
Hostname of Primary Master: Primary
Create the desired DNS entries. Ensure that there is both an A record and an NS record for each of the master and slave FortiGates:
example A record:
Type: Address (A)
Hostname: abc
IP Address: 192.168.0.10
Configure a DNS Service on the VPN tunnel interface:
Go to System -> Network -> DNS Servers and create a new DNS Service on Interface.
Select the VPN tunnel interface on the Primary unit that connects to the Secondary FortiGate; the zone transfers run over this tunnel.
- Configure the IP addresses on the VPN tunnel interface of the Primary FortiGate:
Source IP - 10.10.10.1/32
RemoteIP - 10.10.10.2/32
Run the following commands in the CLI to allow the zone transfer to the slave (use the DNS Zone name created above, and replace the IP address with the address of the slave):
# config system dns-database
    edit vSphere
        set source-ip 10.10.10.1
        set allow-transfer 10.10.10.2
    next
end
FortiGate2 (Secondary):
Go to System -> Feature Visibility -> Additional Features, enable DNS Database and select 'Apply'.
Go to Network -> DNS Servers and create a new DNS Database
Type: Secondary
DNS Zone: Zone_2
Domain Name: vsphere.local
IP of Primary: 10.10.10.1
On either or both units, if the FortiGate is used as the DNS server for local hosts, ensure that the interface the hosts reference as their DNS server has a DNS Service configured.
Example:
If users on the internal interface want to use the FortiGate as their DNS server, point them at an IP address of the local FortiGate (here, the FortiGate's internal IP address), and on the FortiGate create a DNS Service for the interface those users reference:
Go to Network -> DNS Servers and create a new DNS Service
Interface: To_FGT1
Mode: Recursive
- Configure the IP addresses on the VPN tunnel interface of the Secondary FGT:
Source IP - 10.10.10.2/32
RemoteIP - 10.10.10.1/32
Run the following commands in the CLI on the Secondary FortiGate (use the DNS Zone name created above):
# config system dns-database
    edit vSphere
        set source-ip 10.10.10.2
        set ip-primary 10.10.10.1
    next
end
In the CLI, run the following commands on both units to view the database:
# diagnose test application dnsproxy 99
# diagnose test application dnsproxy 8
Sample output from Primary:
FWF60D# diagnose test application dnsproxy 8
worker idx: 0
vfid=0 name=Zone_1 domain=vsphere.local ttl=86400 authoritative=1 view=shadow type=primary serial=319246610 refresh=0
A: aaa.vsphere.local-->192.168.0.17(86400)
A: abc.vsphere.local-->192.168.0.10(86400)
A: bbc.vsphere.local-->192.168.0.14(86400)
A: cba.vsphere.local-->192.168.0.12(86400)
SOA: vsphere.local (primary: Primary.vsphere.local, contact: host@vsphere.local, serial: 319246610)(86400)
A: bcd.vsphere.local-->192.168.0.13(86400)
A: ccc.vsphere.local-->192.168.0.16(86400)
A: acb.vsphere.local-->192.168.0.11(86400)
From Secondary:
FGT90D# diagnose test application dnsproxy 8
worker idx: 0
vfid=0 name=Zone_2 domain=vsphere.local ttl=86400 authoritative=1 view=shadow type=secondary serial=166236703 refresh=7200
A: acb.vsphere.local-->192.168.0.11(86400)
A: cba.vsphere.local-->192.168.0.12(86400)
A: bbc.vsphere.local-->192.168.0.14(86400)
SOA: vsphere.local (primary: Primary.vsphere.local, contact: host@vsphere.local, serial: 166236703)(86400)
A: abc.vsphere.local-->192.168.0.10(86400)
A: ccc.vsphere.local-->192.168.0.16(86400)
A: aaa.vsphere.local-->192.168.0.17(86400)
A: bcd.vsphere.local-->192.168.0.13(86400)
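As an added check (not part of the original article), the following Python script parses two dnsproxy dumps of the form shown above and reports any A record that is missing, stale or different on the Secondary. The SOA serial is reported separately rather than as an error, because the article's own dumps show different serials with identical record sets. The sample dumps are constructed from the page's output, trimmed, with one record deliberately altered on the Secondary.

```python
import re

# Constructed sample dumps, modelled on the `diagnose test application dnsproxy 8`
# output above; bcd.vsphere.local is deliberately wrong on the Secondary.
PRIMARY_DUMP = """worker idx: 0
vfid=0 name=Zone_1 domain=vsphere.local ttl=86400 authoritative=1 view=shadow type=primary serial=319246610 refresh=0
A: aaa.vsphere.local-->192.168.0.17(86400)
A: abc.vsphere.local-->192.168.0.10(86400)
SOA: vsphere.local (primary: Primary.vsphere.local, contact: host@vsphere.local, serial: 319246610)(86400)
A: bcd.vsphere.local-->192.168.0.13(86400)
"""
SECONDARY_DUMP = """worker idx: 0
vfid=0 name=Zone_2 domain=vsphere.local ttl=86400 authoritative=1 view=shadow type=secondary serial=166236703 refresh=7200
A: abc.vsphere.local-->192.168.0.10(86400)
SOA: vsphere.local (primary: Primary.vsphere.local, contact: host@vsphere.local, serial: 166236703)(86400)
A: aaa.vsphere.local-->192.168.0.17(86400)
A: bcd.vsphere.local-->192.168.0.99(86400)
"""

ZONE_RE = re.compile(r"^vfid=\d+ name=(\S+) domain=(\S+) .*type=(\w+) serial=(\d+)")
A_RE = re.compile(r"^A: (\S+)-->(\S+)\((\d+)\)$")


def parse_dump(text):
    """Return (zone header dict, {hostname: (ip, ttl)}) from one dnsproxy dump."""
    zone, records = {}, {}
    for line in text.splitlines():
        m = ZONE_RE.match(line)
        if m:
            zone = {"name": m[1], "domain": m[2], "type": m[3], "serial": int(m[4])}
            continue
        m = A_RE.match(line)
        if m:
            records[m[1]] = (m[2], int(m[3]))
    return zone, records


def compare_zones(primary_text, secondary_text):
    """Check that the Secondary's copy of the zone matches the Primary's records."""
    pz, pr = parse_dump(primary_text)
    sz, sr = parse_dump(secondary_text)
    issues = []
    if pz.get("domain") != sz.get("domain"):
        issues.append(f"domain mismatch: {pz.get('domain')} vs {sz.get('domain')}")
    if (pz.get("type"), sz.get("type")) != ("primary", "secondary"):
        issues.append(f"unexpected zone types: {pz.get('type')}/{sz.get('type')}")
    for host in sorted(set(pr) | set(sr)):
        if host not in sr:
            issues.append(f"missing on secondary: {host}")
        elif host not in pr:
            issues.append(f"stale record on secondary: {host}")
        elif pr[host] != sr[host]:
            issues.append(f"record differs: {host} {pr[host]} vs {sr[host]}")
    return {"in_sync": not issues, "serial_match": pz.get("serial") == sz.get("serial"), "issues": issues}
```

Paste each unit's dump into the two strings (or read them from files) and inspect the returned issues list after a transfer; an empty list means the Secondary serves the same records as the Primary.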