FortiGate
mdecesare
Staff
Article Id 205888

Description

 

This article describes how to configure the FortiGate DHCP server to perform dynamic updates of DNS records (DDNS) on a BIND DNS server, with every update authenticated by a TSIG key.

 

Scope

 

Without authentication, any host that can reach the DNS server could add or overwrite records in the zone, so all dynamic updates should be authenticated with transaction signatures (TSIG, RFC 8945). TSIG authenticates each update message with an HMAC computed over the message using a secret key shared between the DHCP server and the DNS server; the DNS server can therefore check both who sent the update and that it was not altered in transit. TSIG protects integrity and origin only, it does not encrypt the update.

 

Solution

 

A TSIG key is needed to authenticate the DHCP server (the FortiGate) to the DNS server for dynamic updates. On a BIND host it can be generated with dnssec-keygen (BIND 9) or dnskeygen (BIND 8). The following command generates a 128-bit HMAC-MD5 key. HMAC-MD5 was the mandatory-to-implement algorithm of the original TSIG specification (RFC 2845); the current specification (RFC 8945) requires the SHA-based HMACs and lists HMAC-MD5 only as optional, but HMAC-MD5 is the algorithm used on both sides of this example:

dnssec-keygen -a HMAC-MD5 -b 128 -n HOST dhcp-server.example.domain

dnssec-keygen writes two files, Kdhcp-server.example.domain.+157+<id>.key and .private; the base64 string after 'Key:' in the .private file is the shared secret used below. In BIND 9.13 and later, dnssec-keygen no longer generates HMAC keys; use 'tsig-keygen -a hmac-md5 dhcp-server.example.domain' instead, which prints a ready-to-use key statement for named.conf.

 

Paste the base64 secret into the DHCP server settings under 'config system dhcp server'. The key name set here must be the same name the DNS server will carry in its key statement, otherwise the DNS server cannot select the right secret:

FGT3KD-1 # config system dhcp server
FGT3KD-1 (server) # edit 1
FGT3KD-1 (1) # set ddns-update enable
FGT3KD-1 (1) # set ddns-update-override enable
FGT3KD-1 (1) # set ddns-server-ip 1.1.1.1   # IP address of the DNS server that accepts the updates
FGT3KD-1 (1) # set ddns-zone example.domain   # zone the A records are added to
FGT3KD-1 (1) # set ddns-auth tsig
FGT3KD-1 (1) # set ddns-keyname dhcp-server.example.domain   # must match the key name in named.conf
FGT3KD-1 (1) # set ddns-key 'YrjNE9zKuIffBhQSC/4Tkg=='
FGT3KD-1 (1) # next
FGT3KD-1 (server) # end

 

 

Then configure the DNS server (BIND named) with the same secret. Add a key statement to named.conf, preferably in a separate file that only the named user can read and that named.conf pulls in with an include statement, because anyone who can read this secret can forge updates:

key "dhcp-server.example.domain." {
    algorithm hmac-md5;
    secret "YrjNE9zKuIffBhQSC/4Tkg==";
};
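To make concrete what the shared secret in the key statement does, the following is an added example written for this article (not Fortinet's or BIND's code) of TSIG signing and verification using only the Python standard library. It builds a DNS UPDATE message that adds an A record, signs it with HMAC-MD5 under the key name and secret from the example, and verifies it the way named does: recompute the HMAC over the message plus the TSIG variables, compare in constant time, then check the time window. The host name host.example.domain, the address 172.16.32.10 and the message layout are constructed for the example.

```python
"""Added example: TSIG (RFC 8945) sign/verify of a DNS UPDATE with HMAC-MD5.
Standard library only; the message is built by hand without name compression."""
import base64
import hashlib
import hmac
import struct
import time

TSIG_TYPE = 250                                 # RR type TSIG
ANY_CLASS = 255                                 # TSIG RRs always use class ANY
HMAC_MD5_NAME = "hmac-md5.sig-alg.reg.int."     # algorithm name from RFC 8945
SECRET_B64 = "YrjNE9zKuIffBhQSC/4Tkg=="         # the article's example secret
KEY_NAME = "dhcp-server.example.domain."        # the article's key name


def encode_name(name):
    """Canonical wire form of a domain name: lowercase labels, root label, no compression."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").lower().split("."))
    return out + b"\x00"


def decode_name(wire, off):
    """Read an uncompressed name at offset; return (name, offset after it)."""
    labels = []
    while wire[off] != 0:
        n = wire[off]
        labels.append(wire[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels) + ".", off + 1


def build_update(zone, host, ipv4, msg_id=0x1234):
    """Unsigned RFC 2136 UPDATE adding 'host A ipv4' (TTL 300) to zone (constructed input)."""
    # ID, flags (opcode UPDATE = 5), ZOCOUNT=1, PRCOUNT=0, UPCOUNT=1, ADCOUNT=0
    header = struct.pack("!HHHHHH", msg_id, 5 << 11, 1, 0, 1, 0)
    zone_section = encode_name(zone) + struct.pack("!HH", 6, 1)            # SOA, IN
    rdata = bytes(int(o) for o in ipv4.split("."))
    update = encode_name(host) + struct.pack("!HHIH", 1, 1, 300, 4) + rdata  # A, IN
    return header + zone_section + update


def tsig_variables(keyname, time_signed, fudge, error=0):
    """TSIG fields covered by the MAC (RFC 8945 4.3.3): name, class, TTL,
    algorithm, time signed, fudge, error, other-len (0, so no other data)."""
    return (encode_name(keyname) + struct.pack("!HI", ANY_CLASS, 0)
            + encode_name(HMAC_MD5_NAME) + time_signed.to_bytes(6, "big")
            + struct.pack("!HHH", fudge, error, 0))


def sign(message, keyname, secret_b64, time_signed, fudge=300):
    """DHCP-server side: MAC = HMAC-MD5(secret, message || TSIG variables), appended as a TSIG RR."""
    key = base64.b64decode(secret_b64)
    mac = hmac.new(key, message + tsig_variables(keyname, time_signed, fudge), hashlib.md5).digest()
    msg_id = struct.unpack("!H", message[:2])[0]
    arcount = struct.unpack("!H", message[10:12])[0]
    rdata = (encode_name(HMAC_MD5_NAME) + time_signed.to_bytes(6, "big")
             + struct.pack("!HH", fudge, len(mac)) + mac
             + struct.pack("!HHH", msg_id, 0, 0))           # original ID, error, other len
    tsig_rr = encode_name(keyname) + struct.pack("!HHIH", TSIG_TYPE, ANY_CLASS, 0, len(rdata)) + rdata
    return message[:10] + struct.pack("!H", arcount + 1) + message[12:] + tsig_rr


def verify(signed, keys, now):
    """DNS-server side. keys maps key name -> base64 secret. Returns (ok, RFC 8945 error name)."""
    counts = struct.unpack("!HHHHHH", signed[:12])
    arcount = counts[5]
    if arcount == 0:
        return False, "no TSIG"
    off = 12
    for _ in range(counts[2]):                              # zone section: name, type, class
        _, off = decode_name(signed, off)
        off += 4
    for _ in range(counts[3] + counts[4] + arcount - 1):    # every RR before the TSIG RR
        _, off = decode_name(signed, off)
        off += 10 + struct.unpack("!H", signed[off + 8:off + 10])[0]
    tsig_start = off
    keyname, off = decode_name(signed, off)
    rtype, rclass, _ttl, _rdlen = struct.unpack("!HHIH", signed[off:off + 10])
    off += 10
    if rtype != TSIG_TYPE or rclass != ANY_CLASS:
        return False, "FORMERR"
    alg, off = decode_name(signed, off)
    time_signed = int.from_bytes(signed[off:off + 6], "big")
    fudge, mac_size = struct.unpack("!HH", signed[off + 6:off + 10])
    mac = signed[off + 10:off + 10 + mac_size]
    off += 10 + mac_size
    _orig_id, error, _other_len = struct.unpack("!HHH", signed[off:off + 6])
    if keyname not in keys or alg != HMAC_MD5_NAME:
        return False, "BADKEY"
    # Recreate exactly what the signer digested: message without the TSIG RR, ARCOUNT decremented
    unsigned = signed[:10] + struct.pack("!H", arcount - 1) + signed[12:tsig_start]
    expected = hmac.new(base64.b64decode(keys[keyname]),
                        unsigned + tsig_variables(keyname, time_signed, fudge, error),
                        hashlib.md5).digest()
    if not hmac.compare_digest(mac, expected):              # constant-time comparison
        return False, "BADSIG"
    if abs(now - time_signed) > fudge:                      # replay window, checked after the MAC
        return False, "BADTIME"
    return True, "NOERROR"


if __name__ == "__main__":
    now = int(time.time())
    keys = {KEY_NAME: SECRET_B64}
    msg = build_update("example.domain", "host.example.domain", "172.16.32.10")
    signed = sign(msg, KEY_NAME, SECRET_B64, now)
    print("signed update      :", verify(signed, keys, now))
    print("unsigned update    :", verify(msg, keys, now))
    i = len(msg) - 1                                        # last octet of the A record
    tampered = signed[:i] + bytes([signed[i] ^ 1]) + signed[i + 1:]
    print("tampered address   :", verify(tampered, keys, now))
    print("wrong shared secret:", verify(signed, {KEY_NAME: "AAAAAAAAAAAAAAAAAAAAAA=="}, now))
    print("stale timestamp    :", verify(signed, keys, now + 3600))
```

The order of checks in verify() mirrors the specification: an unknown key name or algorithm is BADKEY, a MAC mismatch is BADSIG, and only a message with a valid MAC is then rejected for being outside the fudge window (BADTIME). Flipping a single bit in the address being registered, or using a different secret, fails the MAC, which is the property the update-policy on the DNS server relies on when it trusts the key name.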

 

Add an update-policy substatement to both the forward and the reverse zone in named.conf. Each grant is scoped to the DHCP server's key, to names below the zone apex (the wildcard does not match the apex itself, so the SOA and NS records stay out of reach of this key) and to the record types DDNS needs. The reverse zone for 172.16.32.0/24 is 32.16.172.in-addr.arpa:

zone "example.domain" {
    type master;
    file "db.example.domain";
    update-policy {
        grant dhcp-server.example.domain. wildcard *.example.domain. A TXT;
    };
};

zone "32.16.172.in-addr.arpa" {
    type master;
    file "db.172.16.32";
    update-policy {
        grant dhcp-server.example.domain. wildcard *.32.16.172.in-addr.arpa. PTR;
    };
};

Check the result with named-checkconf before reloading named (rndc reload).
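The update-policy grants decide which changes a correctly signed update may make. The following is an added example written for this article (a model, not BIND's implementation) that encodes the two grants above and evaluates candidate updates against them, following the rules in the BIND reference manual: a grant matches when the identity (TSIG key name), the wildcard-expanded name and the record type all match, rules are tried in order, and anything left unmatched is refused. The host names and record types fed to it are constructed for the example.

```python
"""Added example: a simplified model of the two BIND update-policy 'wildcard'
grants from the article, to show what the DHCP server's key can and cannot change."""

# Per zone: (identity = TSIG key name, wildcard name, permitted record types)
POLICY = {
    "example.domain.": [
        ("dhcp-server.example.domain.", "*.example.domain.", {"A", "TXT"}),
    ],
    "32.16.172.in-addr.arpa.": [
        ("dhcp-server.example.domain.", "*.32.16.172.in-addr.arpa.", {"PTR"}),
    ],
}


def labels(name):
    """Split a domain name into lowercase labels, ignoring the trailing dot."""
    return name.rstrip(".").lower().split(".")


def matches_wildcard(pattern, name):
    """DNS wildcard match: '*.p' matches any name with at least one label in
    front of p (a.p and a.b.p both match), but never p itself."""
    pat, nm = labels(pattern), labels(name)
    if pat[0] != "*":
        raise ValueError("wildcard pattern must start with '*'")
    suffix = pat[1:]
    return len(nm) > len(suffix) and nm[-len(suffix):] == suffix


def zone_for(name):
    """Longest configured zone that contains name, or None if named is not authoritative."""
    nm = labels(name)
    best = None
    for zone in POLICY:
        z = labels(zone)
        if nm[-len(z):] == z and (best is None or len(z) > len(labels(best))):
            best = zone
    return best


def update_allowed(signer, name, rtype):
    """Would named accept an update signed by 'signer' changing rtype records at name?"""
    zone = zone_for(name)
    if zone is None:
        return False, "NOTAUTH (no zone for name)"
    for identity, pattern, types in POLICY[zone]:
        if signer.lower() == identity and matches_wildcard(pattern, name) and rtype.upper() in types:
            return True, f"granted by '{pattern}' ({rtype.upper()})"
    return False, f"REFUSED (no matching grant in {zone})"


if __name__ == "__main__":
    dhcp = "dhcp-server.example.domain."
    for signer, name, rtype in [
        (dhcp, "host.example.domain.", "A"),            # normal lease registration
        (dhcp, "10.32.16.172.in-addr.arpa.", "PTR"),    # matching reverse record
        (dhcp, "host.example.domain.", "NS"),           # type not granted
        (dhcp, "example.domain.", "SOA"),               # apex is outside the wildcard
        (dhcp, "host.other.domain.", "A"),              # not our zone
        ("laptop.example.domain.", "host.example.domain.", "A"),  # other key
    ]:
        print(f"{signer:30} {name:30} {rtype:4} -> {update_allowed(signer, name, rtype)}")
```

The apex and NS cases are the reason to prefer wildcard grants over a blanket allow-update: if the FortiGate (and with it the ddns-key) were compromised, the attacker could still only create and overwrite host records, not redelegate the zone.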

 

Note: This does not work with secure dynamic updates on a Windows DNS server. Windows uses GSS-TSIG (RFC 3645), in which the signing key is negotiated through Kerberos rather than pre-shared, so a static HMAC-MD5 TSIG key configured as above is not accepted.

 

Reference:

https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-gssa/3a2ddfdf-3da6-4dac-a3c7-84e5dd...

 

Related documents:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configure-DDNS-update-override-in-FortiGat...

http://pig.made-it.com/ddns.html