Technical Note: DNS database with FortiGate as a slave to a Windows AD DNS master
This article shows how to set up a FortiGate as a slave DNS server to a Windows DNS master server.
In this example the FortiGate is at Site A and the Windows DNS server is at Site B. The two sites are connected by a VPN. The FortiGate has an internal IP of 192.168.2.99, and the Windows AD DNS server has an IP of 10.10.54.6.
On the Windows DNS Server
On the Windows DNS server, launch DNS Manager. Select the DNS zone in question and find the Start of Authority (SOA) record. Go to the Zone Transfers tab and select 'Allow zone transfers' and 'To any server'. Select 'Notify' and pick 'The following servers'. Add the FortiGate's IP address. Click OK, and click OK again.
On the FortiGate
Go to System > Config > Features, select show more and turn on DNS Database (click Apply).
Go to System > Network > DNS Servers and create a new DNS Database with the following settings:
    Type: slave
    DNS Zone: test_dns_zone
    Domain Name: test_dns_zone.loc
    IP of Master: 10.10.54.6
The FortiGate supports the following DNS records:
    A        Host
    AAAA     IPv6 host
    CNAME    Canonical name
    MX       Mail exchange
    NS       Name server
    PTR      Pointer
    PTR_V6   IPv6 pointer
With Windows AD, a common and necessary record type is the SRV record, which is not among the types listed above. In order to resolve SRV records with the FortiGate as the DNS server, a forwarder must be specified on the dns-database entry configured on the FortiGate, so that queries for types the FortiGate does not hold locally are passed to the AD server. This is done using the following commands:

config system dns-database
    edit "test_dns_zone"
        set forwarder "10.10.54.6"
    next
end
If the master DNS server is reached over a VPN, as in this example, a source IP may need to be specified for the FortiGate to use when it retrieves its DNS database from the AD server, so that the zone transfer is sourced from an address that matches the VPN policy. This can be done with the following commands:

config system dns-database
    edit "test_dns_zone"
        set source-ip 192.168.2.99
    next
end
Whenever the FortiGate is being used as the DNS server, ensure that the interface on which it is referenced as the server has a DNS service configured. For example, if users attached to the internal interface want to use the FortiGate as their DNS server, ensure that the users are pointing to an IP address of the local FortiGate (in this case the FortiGate's internal IP address, 192.168.2.99, can be used), and ensure that a DNS service is also created on the FortiGate for the interface that the users will be referencing:
Go to System > Network > DNS Servers and create a new DNS Service with the following settings:
    Interface: internal
    Mode: Recursive
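Once the slave zone and the DNS service are in place, a practitioner usually wants two checks: that the FortiGate's copy of the zone actually matches the master (same SOA serial), and that SRV lookups sent to the FortiGate come back answered, which only works once the forwarder above is configured. The following script is an added example written for this note; it is not FortiGate code or part of the original article. It uses only the Python standard library, assumes the article's addresses (master 10.10.54.6, FortiGate 192.168.2.99) and zone (test_dns_zone.loc), and the reply bytes it decodes offline are constructed samples, not captured traffic; names such as dc1, win-dns and hostmaster are hypothetical.

```python
"""Verify a FortiGate slave DNS zone against its Windows AD master:
compare SOA serials, and confirm SRV queries through the FortiGate are answered.
Added example, standard library only; sample replies below are constructed."""
import socket
import struct

TYPE_SOA, TYPE_SRV = 6, 33

# Values taken from the article's example topology (assumed for the live check).
MASTER_DNS = "10.10.54.6"       # Windows AD DNS server at Site B
FORTIGATE_DNS = "192.168.2.99"  # FortiGate internal interface at Site A
ZONE = "test_dns_zone.loc"


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def build_query(name, qtype, txid=0x1234):
    """Build a single-question DNS query with the RD (recursion desired) bit set."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", qtype, 1)


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                       # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if end is not None else off)


def parse_response(msg):
    """Parse header and answer section; decode SOA and SRV rdata."""
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                              # skip the question section
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        rec = {"name": name, "type": rtype, "ttl": ttl}
        if rtype == TYPE_SRV:
            rec["priority"], rec["weight"], rec["port"] = struct.unpack(">HHH", rdata[:6])
            rec["target"], _ = read_name(msg, off + 6)
        elif rtype == TYPE_SOA:
            rec["mname"], p = read_name(msg, off)
            rec["rname"], p = read_name(msg, p)
            rec["serial"] = struct.unpack(">I", msg[p:p + 4])[0]
        answers.append(rec)
        off += rdlen
    return {"id": txid, "rcode": flags & 0x0F, "answers": answers}


def soa_serial(msg):
    """SOA serial from a raw reply, or None when the reply has no SOA answer."""
    for rec in parse_response(msg)["answers"]:
        if rec["type"] == TYPE_SOA:
            return rec["serial"]
    return None


def zone_in_sync(master_msg, slave_msg):
    """True when master and slave both answer and report the same SOA serial."""
    m, s = soa_serial(master_msg), soa_serial(slave_msg)
    return m is not None and m == s


def srv_answered(msg):
    """True when the reply is NOERROR and carries at least one SRV record."""
    r = parse_response(msg)
    return r["rcode"] == 0 and any(a["type"] == TYPE_SRV for a in r["answers"])


def udp_query(server, name, qtype, timeout=3.0):
    """Send one query over UDP/53 and return the raw reply bytes."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype), (server, 53))
        return s.recvfrom(4096)[0]


# --- constructed sample replies for offline use (not captured traffic) ---
def make_soa_reply(serial, txid=0x1234):
    rdata = (encode_name("win-dns." + ZONE) + encode_name("hostmaster." + ZONE)
             + struct.pack(">IIIII", serial, 900, 600, 86400, 3600))
    return (struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)
            + encode_name(ZONE) + struct.pack(">HH", TYPE_SOA, 1)
            + b"\xc0\x0c" + struct.pack(">HHIH", TYPE_SOA, 1, 3600, len(rdata)) + rdata)


SAMPLE_SRV_REPLY = (
    struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + encode_name("_ldap._tcp." + ZONE) + struct.pack(">HH", TYPE_SRV, 1)
    + b"\xc0\x0c"                                    # pointer back to the question name
    + struct.pack(">HHIH", TYPE_SRV, 1, 600, 6 + len(encode_name("dc1." + ZONE)))
    + struct.pack(">HHH", 0, 100, 389) + encode_name("dc1." + ZONE)
)

if __name__ == "__main__":
    # Live check against the example topology; needs UDP/53 reachability to both servers.
    master, slave = udp_query(MASTER_DNS, ZONE, TYPE_SOA), udp_query(FORTIGATE_DNS, ZONE, TYPE_SOA)
    print("zone in sync:", zone_in_sync(master, slave), soa_serial(master), soa_serial(slave))
    print("SRV via FortiGate:", srv_answered(udp_query(FORTIGATE_DNS, "_ldap._tcp." + ZONE, TYPE_SRV)))
```

Run it from a host at Site A once the zone has transferred: a serial mismatch means the FortiGate is still serving an old copy (check the source-ip and the VPN policy), and a false SRV result with the slave zone otherwise healthy is the symptom the forwarder setting above addresses.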
In the CLI run the following command on the FortiGate to see the database: