It is possible to setup your FortiGate device so that requests towards specific domains are forwarded to a Windows DNS server. Below are the steps needed to get this working.

On the Windows Master DNS Server

  • Open DNS Manager and open the zone needed
  • Find the Start of Authority (SOA) record
  • Properties > Zone Transfers
  • Allow Zone Transfers > To Any Server (you can also specify the server)
  • Open ‘Notify’ and add in the Slave DNS IP address (the IP your FortiGate will be seen as to the Master DNS)

On the FortiGate Slave

  • Enable the DNS Database feature (System > Config > Features)

  • Go to System > Network > DNS Servers and Create a new DNS Database.

    • Type: Slave
    • View: Shadow
    • DNS Zone:<dns_zone>
    • Domain Name:<dns_zone.local>
    • IP of Master:
    • Authoritative: Enable/Disable

You will then to add an SRV record, as well as identify the source IP address if your Master DNS is over VPN;

  • Connect to FortiGate CLI
  • Add SRV record
config system dns-database
edit "<dns_zone>"
set forwarder "<IP of Master DNS>"
  • Specify source IP
config system dns-database
edit "<dns_zone>"
set source-ip "<IP of FortiGate>"

Add the DNS service to the Interface

  • Go to System > Network > DNS Servers and Create a new DNS Service.
  • Interface:<Interface users will connect to>
  • Mode: Recursive


You can test the new DNS service works by running a ping through your FortiGate CLI

execute ping-options source <interface IP address>
execute ping <FQDN of a server in the new DNS zone>

Potential Issues

The interface your users connect to may be set to use the “Same as System DNS”. If you use external DNS servers this means your users will not benefit from the changes we have just made.

To fix this change the interface settings to be “Same as Interface IP”, this now means users will get the Interface IP as their DNS server, and will benefit from all DNS Database changes we make on the FortiGate

Share to TwitterShare to FacebookShare to LinkedinShare to PocketCopy URL address
Written by

Sam Perrin@samperrin

Automation Consultant, currently working at Xtravirt. Interested in all things automation/devops related.

Related Posts