- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Fortigate DNS Master to Slave database?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Fortigate DNS Master to Slave database?
I can't find anything on this by searching, but is it possible for another Fortigate to pull down DNS records from a master DNS database on another Fortigate?
Basically I have a 300c running a master DNS database (this works fine, resolves as intended) at my main location. I want my Fortigates (80d, but varies) at secondary locations to pull down these records so that I don't have to enter them all manually at 20+ sites.
On my 80d I created a new DNS database, set it to 'slave', view 'shadow', the same dns zone as my master, the same domain name, gave it the IP of my 300c master, authoritative to 'disable'. The number of entries never populates and I can't find a CLI command to try and 'download' them, nor does a lookup ever resolve this way. However, if I change the system DNS, or change the DNS handed out to DHCP clients, to my master it will resolve fine. So DNS is working, I just don't want to have 300 pc's pinging back to 1 device for every single DNS lookup.
On my 300c master I set type to 'master', view to 'shadow', hostname the hostname of the devices, authoritative 'enabled' (tried disabled, didn't matter).
If this doesn't work I'll go about it another way. There is no AD or other authentication currently, hence why the attempts to use the Fortigate in the meantime.
Labels:
- Labels:
-
5.0
3 REPLIES 3
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think your slave might be looking up the "zone" by dns to find the master and attempting the zone-xfer. Is your zone internal zone only ( I'm assuming yes since you stated shadow)
What's your " set domain xxxxx set as? is the set defined ip-master ipv4 address correct?
Is the interfaces correct ?
What happen when you issues a diag test application dnsproxy 9 or a diag test application dnsproxy 8
I would also set a diag sniffer packet any "host x.x.x.x" where x.x.x.x == the master and run the above commands
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
emnoc wrote:I think your slave might be looking up the "zone" by dns to find the master and attempting the zone-xfer. Is your zone internal zone only ( I'm assuming yes since you stated shadow)
What's your " set domain xxxxx set as? is the set defined ip-master ipv4 address correct?
Is the interfaces correct ?
What happen when you issues a diag test application dnsproxy 9 or a diag test application dnsproxy 8
I would also set a diag sniffer packet any "host x.x.x.x" where x.x.x.x == the master and run the above commands
Thanks for your response! I admit to not knowing very much about DNS (although quickly learning trying to diagnose this!), so I'll try to answer as best I can.
If my slave is looking up the "zone" by DNS, I can't figure out how exactly that would work? I can't exactly enter in a record that tells my unit the FQDN of my master, because then the slave/master dns databases clash. This may not be what your asking about though. And yes this zone is internal, I honestly am not sure if the zone name really matters? I've not had to set it before.
Not sure I understand this exactly. My domain (lets use test.example.org) is set the same on both units, and yes the IP of the master is correctly set on my secondary (they can ping each other ok).
When running those commands I can get responses on port 53 on my master to port 1211 on my secondary, and vice versa. Also get ack, psh, fin, packets.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Since the slave pulls from the master, I would 1st
1: reload the DB on the salve
2: run a pcap during the above with the filters set "src host x.x.x.x and port 53"
x.x.x.x = master ipv4 addr
3: see if a DNS transfer request comes thru
4: I would query the master zone.db and review all NS records ( unix host cmd host -v -t ns domain.com x.x.x.x )
x.x.x.x = the master dns-server address and interface on the master
5: the interface that you expects axfer to happen must have and grant access, so #4 could probably use a diag debug flow
Check those out and see what happens.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Related Posts
- NO internet connection when using static... 178 Views
- VECTRA AI and Fortigate Integration 70 Views
- Routing Issue on FortiGate 7.2.8 289 Views
- Trouble Receiving DHCP Packet Over S2S... 291 Views
- Fortigate 3600C HA issue and it's... 167 Views
Labels
-
FortiGate
6,536 -
FortiClient
1,304 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
414 -
5.6
362 -
FortiSwitch
333 -
FortiAP
333 -
FortiClient EMS
263 -
6.2
251 -
FortiMail
242 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
150 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiSIEM
88 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
Customer Service
70 -
FortiToken
69 -
4.0MR3
64 -
SSL-VPN
60 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
24 -
Firewall policy
23 -
FortiConnect
23 -
FortiWAN
22 -
FortiConverter
21 -
VLAN
20 -
High Availability
20 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiAuthenticator
12 -
FortiCASB
12 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
LDAP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Security profile
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.