Description
This article describes how to configure DDNS update override in FortiGate DHCP server.
Solution
FortiGate can update a record in local DNS server enabling dynamic updates with DDNS update override option in FortiGate DHCP server.
Note:
Dynamic update for PTR records is not supported with this option.
config system dhcp server
edit 0
set ddns-update enable
set ddns-update_override enable
set ddns-server-ip 10.165.0.84 # ddns_server_ip
set domain fortitest.com # ddns_zone (only if running FOS 6.4+)
set ddns-zone fortitest.com # ddns_zone
next
end
In this example, FortiGate has 10.165.0.83 as a DHCP server.
Windows 2016 server has 10.165.0.84 as a DDNS server.
A test client machine has 10.165.0.57 and will be updated with a DDNS update from the DHCP server.
Here is a record for the client machine (10.165.0.57) in the Windows 2016 DNS server before the DDNS update was received.
When a DDNS update is accepted (in Wireshark), a record for the client is updated properly:
Related document:
Important notes:
This implementation would require the configuration of dynamic updates to allow Nonsecure sources. In the DNS Manager, 'right-click' on the zone desired to be allowed Dynamic Updates and select Properties:
Change the option for Dynamic Updates to 'Nonsecure and secure'.
The reason behind this is that Microsoft DNS Server does not support the TSIG authentication protocol, and it supports only the GSS-TSIG protocol.
If the DNS server is not a Microsoft server but a BIND DNS server, refer to the following article to configure DDNS update with authentication protocol:
