FortiGate as a DNS slave to a Windows AD DNS Master v5.4


This post goes over how to set up a FortiGate firewall as a slave (secondary) DNS server to a Windows DNS master. This is a useful feature for branch offices, or as basic redundancy for a single Windows DNS server: the FortiGate pulls a copy of the zone by zone transfer and keeps answering queries for it locally if the Windows server becomes unreachable.

Starting on the Windows DNS Server:

  1. Launch DNS Manager.
  2. Open the properties of the zone you want to replicate (right-click the zone and choose Properties, or double-click the zone and open its SOA record; both lead to the same dialog).
  3. Go to the Zone Transfers tab and enable zone transfers. ‘To any server’ works, but it lets anyone who can reach the DNS server pull the entire zone (a full AXFR hands an attacker a host inventory), so select ‘Only to the following servers’ and enter the IP of your FortiGate.
  4. Click Notify, select ‘Automatically notify’, choose ‘The following servers’ and enter the IP of your FortiGate, so the FortiGate is told to re-transfer as soon as the zone changes instead of waiting for the SOA refresh interval.
  5. Click Apply and OK.

Now on the FortiGate:

  1. Select System –> Feature Select and enable DNS Database.
  2. Navigate to Network –> DNS Servers and create a new DNS Database. Set the type to Slave and enter the Windows DNS server as the master; this is the server the FortiGate pulls the zone from.
  3. Add a DNS Service on the interface that clients will send their queries to.
  4. Lastly, with Windows AD a common and necessary record type is the SRV record, which the FortiGate’s DNS database does not support. For clients to resolve those through the FortiGate, a forwarder (the Windows DNS server) has to be set on the dns-database entry so that queries the local copy cannot answer are passed on. This is done from the CLI as follows:

      config system dns-database
          edit fullradius_dns_zone
              set forwarder 192.168.132.21
          next
      end

  5. That’s it! Test it from the CLI with the following command; the output dumps the DNS database and should show your zone transferred:

      diag test application dnsproxy 8
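The Windows side of the procedure above can be scripted instead of clicked through, and the result checked from the same host. The following is an added example, not part of the original post and not FortiGate or Microsoft code; it assumes the zone is named fullradius.local, that the FortiGate's DNS service answers on 192.168.132.1, and that 192.168.132.21 (the forwarder address from the post) is the Windows AD DNS server. Adjust those three values for your environment.

```powershell
<#
Added example, not from the original post. Performs the Windows DNS steps
(transfer restricted to the FortiGate, NOTIFY to the FortiGate) with the
DnsServer module, then verifies the FortiGate's copy of the zone.
Assumed values: zone 'fullradius.local', FortiGate DNS service at
192.168.132.1, Windows AD DNS server at 192.168.132.21.
#>
#Requires -Modules DnsServer

$ZoneName  = 'fullradius.local'    # assumed zone name
$FortiGate = '192.168.132.1'       # assumed FortiGate DNS service address
$Master    = '192.168.132.21'      # Windows AD DNS server (the post's forwarder IP)

# Windows steps 3 and 4: allow zone transfers only to the FortiGate and send
# NOTIFY to it so the secondary copy refreshes as soon as the zone changes.
Set-DnsServerPrimaryZone -Name $ZoneName `
    -SecureSecondaries TransferToSecureServers `
    -SecondaryServers  $FortiGate `
    -Notify            NotifyServers `
    -NotifyServers     $FortiGate

# Review the result; SecondaryServers and NotifyServers should list only the FortiGate.
Get-DnsServerZone -Name $ZoneName |
    Select-Object ZoneName, SecureSecondaries, SecondaryServers, Notify, NotifyServers

function Test-SecondaryZone {
    <# Returns $true when the FortiGate serves the same SOA serial as the master
       (the transfer happened) and still answers an AD SRV lookup, which it can
       only do through the forwarder set on its dns-database entry. #>
    param([string]$Zone, [string]$MasterIp, [string]$SecondaryIp)

    $serialOn = {
        param($Server)
        (Resolve-DnsName -Name $Zone -Type SOA -Server $Server -ErrorAction Stop |
            Where-Object QueryType -eq 'SOA' | Select-Object -First 1).SerialNumber
    }
    $masterSerial    = & $serialOn $MasterIp
    $secondarySerial = & $serialOn $SecondaryIp
    Write-Host "SOA serial on master: $masterSerial, on FortiGate: $secondarySerial"

    # _ldap._tcp.<domain> is an SRV record every AD domain publishes.
    $srv = Resolve-DnsName -Name "_ldap._tcp.$Zone" -Type SRV -Server $SecondaryIp -ErrorAction SilentlyContinue |
        Where-Object QueryType -eq 'SRV'
    Write-Host "SRV answers from FortiGate: $(@($srv).Count)"

    return ($masterSerial -eq $secondarySerial) -and (@($srv).Count -gt 0)
}

if (Test-SecondaryZone -Zone $ZoneName -MasterIp $Master -SecondaryIp $FortiGate) {
    Write-Host 'Zone is replicated and SRV lookups work through the FortiGate.'
} else {
    Write-Warning 'Serial mismatch or no SRV answer: check the transfer/Notify settings and the forwarder on the dns-database entry.'
}
```

Run it on the Windows DNS server (or any host with the DnsServer RSAT module) as an account that can modify the zone. Matching SOA serials show the FortiGate holds the current copy; an SRV answer from the FortiGate shows the forwarder is doing its job for the record types the FortiGate cannot store itself. If the serial on the FortiGate lags after a zone change, the NOTIFY is not reaching it, which usually means the wrong IP in the Notify list or a policy blocking UDP/TCP 53 between the two.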
