Administration Guide

DDNS

If your external IP address changes regularly and you have a static domain name, you can configure the external interface to use a dynamic DNS (DDNS) service. This ensures that external users and customers can always connect to your company firewall. If you have a FortiGuard subscription, you can use FortiGuard as the DDNS server.

Caution
  • FortiGate does not support DDNS for pure TP mode.
  • FortiGate models 1000D and higher do not support DDNS in the GUI.

You can configure FortiGuard as the DDNS server using the GUI or CLI.

Sample topology

In this example, FortiGuard DDNS is enabled and the DDNS server is set to float-zone.com. Other DDNS server options include fortiddns.com and fortidyndns.com.

To configure FortiGuard DDNS service as a DDNS server in the GUI:
  1. Go to Network > DNS.
  2. Enable FortiGuard DDNS.
  3. Select the Interface with the dynamic connection.
  4. Select the Server that you have an account with.
  5. Enter your Unique Location.
  6. Click Apply.
To configure the FortiGuard DDNS service as an IPv4 DDNS server in the CLI:
config system ddns
    edit 1
        set ddns-server FortiGuardDDNS
        set server-type ipv4
        set ddns-domain "branch.float-zone.com"
        set addr-type ipv4
        set use-public-ip enable
        set monitor-interface "wan1"
    next
end
To configure the FortiGuard DDNS service as an IPv6 DDNS server in the CLI:
config system ddns
    edit 1
        set ddns-server FortiGuardDDNS
        set server-type ipv6
        set ddns-domain "fgtatest001.float-zone.com"
        set addr-type ipv6
        set monitor-interface "wan1"
    next
end

DDNS servers other than FortiGuard

If you do not have a FortiGuard subscription, or want to use a different DDNS server, you can configure a DDNS server for each interface. Only the first configured port appears in the GUI.

The available commands vary depending on the selected DDNS server.

To configure DDNS servers other than FortiGuard in the CLI:
config system ddns
    edit <DDNS_ID>
        set monitor-interface <external_interface>
        set ddns-server <ddns_server_selection>
        set server-type {ipv4 | ipv6}
        set ddns-server-addr <address>
        set addr-type {ipv4 | ipv6}
        ...
    next
end
To configure an IPv6 DDNS client with generic DDNS on port 3 in the CLI:
config system ddns
    edit 1
        set ddns-server genericDDNS
        set server-type ipv6
        set ddns-server-addr "2004:16:16:16::2" "16.16.16.2" "ddns.genericddns.com"
        set ddns-domain "test.com"
        set addr-type ipv6
        set monitor-interface "port3"
    next
end

Refresh DDNS IP addresses

When FortiGuard is the DDNS server, you can configure FortiGate to refresh DDNS IP addresses. FortiGate periodically checks the DDNS server that is configured.

To configure FortiGate to refresh DDNS IP addresses in the CLI:
config system ddns
    edit 1
        set use-public-ip enable
        set update-interval <seconds>
    next
end

Disable cleartext

When clear-text is disabled, FortiGate uses an SSL connection to send and receive DDNS updates.

To disable cleartext and set the SSL certificate in the CLI:
config system ddns
    edit 2
        set clear-text disable
        set ssl-certificate <cert_name>
    next
end
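
The following added example (not part of the Fortinet guide) audits a saved configuration for DDNS entries and reports how each one sends its updates, based on the clear-text and ssl-certificate options shown above. The sample configuration, the certificate name, the example.net domains and the finding labels are constructed for illustration; "not-set" means the option is absent from the export, so check the effective value on the device.

```python
import re
import shlex

# Constructed sample in the style of this page's CLI blocks (not a real backup).
SAMPLE_CONFIG = """
config system ddns
    edit 1
        set ddns-domain "test.com"
        set clear-text enable
    next
    edit 2
        set ddns-domain "branch.example.net"
        set clear-text disable
        set ssl-certificate "ddns_client_cert"
    next
    edit 3
        set clear-text disable
    next
    edit 4
        set ddns-server FortiGuardDDNS
    next
end
"""

def parse_ddns_entries(text):
    """Return {entry_id: {option: [values]}} for the 'config system ddns' block."""
    block = re.search(r"^config system ddns[ \t]*$(.*?)^end[ \t]*$", text, re.M | re.S)
    entries, current = {}, None
    for raw in (block.group(1).splitlines() if block else []):
        tok = shlex.split(raw)  # honours the double-quoted values in the CLI output
        if tok[:1] == ["edit"] and len(tok) > 1:
            current = entries.setdefault(tok[1], {})
        elif tok[:1] == ["set"] and len(tok) > 1 and current is not None:
            current[tok[1]] = tok[2:]
    return entries

def audit_ddns_transport(text):
    """Map each DDNS entry id to a finding about how its updates are sent."""
    findings = {}
    for entry_id, opts in parse_ddns_entries(text).items():
        clear_text = (opts.get("clear-text") or [None])[0]
        if clear_text == "enable":
            findings[entry_id] = "cleartext"           # updates sent without SSL
        elif clear_text is None:
            findings[entry_id] = "not-set"             # option absent from the export
        elif not opts.get("ssl-certificate"):
            findings[entry_id] = "ssl-no-certificate"  # SSL on, no certificate named
        else:
            findings[entry_id] = "ssl"
    return findings
```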

DDNS update override

A DHCP server has an override command option that allows DHCP server communications to go through DDNS to perform updates for the DHCP client. This enforces a DDNS update of the A field every time, even if the DHCP client does not request it. This allows support for the allow, ignore, and deny client-updates options.

To enable DDNS update override in the CLI:
config system dhcp server
    edit 1
        set ddns-update enable
        set ddns-update-override enable
        set ddns-server-ip <ddns_server_ip>
        set ddns-zone <ddns_zone>
    next
end

Troubleshooting

To debug DDNS:
# diagnose debug application ddnscd -1
# diagnose debug enable
To check if a DDNS server is available:
# diagnose test application ddnscd 3

Not available:

FortiDDNS status:
ddns_ip=0.0.0.0, ddns_ip6=::, ddns_port=443 svr_num=0 domain_num=0

Available:

FortiDDNS status:
ddns_ip=208.91.113.230, ddns_ip6=::, ddns_port=443 svr_num=1 domain_num=3
svr[0]= 208.91.113.230
domain[0]= fortiddns.com
domain[1]= fortidyndns.com
domain[2]= float-zone.com
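
For monitoring, the two states above can be told apart by script. This added example (not part of the Fortinet guide) parses the status text, decides availability, and checks that a configured ddns-domain falls under a zone the server lists. The availability rule (at least one server, a non-zero address, counts matching the listed entries) is an assumption inferred from the two outputs shown here, and the function names are hypothetical.

```python
import ipaddress
import re

# The two status outputs shown on this page.
NOT_AVAILABLE = """FortiDDNS status:
ddns_ip=0.0.0.0, ddns_ip6=::, ddns_port=443 svr_num=0 domain_num=0
"""
AVAILABLE = """FortiDDNS status:
ddns_ip=208.91.113.230, ddns_ip6=::, ddns_port=443 svr_num=1 domain_num=3
svr[0]= 208.91.113.230
domain[0]= fortiddns.com
domain[1]= fortidyndns.com
domain[2]= float-zone.com
"""

def parse_ddnscd_status(text):
    """Parse the status text into scalar fields plus 'svr' and 'domain' lists."""
    status = {"svr": [], "domain": []}
    for name, value in re.findall(r"(\w+)=\s*([^\s,]+)", text):
        status[name] = value                      # ddns_ip, ddns_port, svr_num, ...
    for name, value in re.findall(r"^(svr|domain)\[\d+\]=\s*(\S+)", text, re.M):
        status[name].append(value)                # indexed svr[n] / domain[n] lines
    return status

def ddns_server_available(status):
    """Assumed rule: counts match the listed entries and a real address is set."""
    addrs = [ipaddress.ip_address(status.get("ddns_ip", "0.0.0.0")),
             ipaddress.ip_address(status.get("ddns_ip6", "::"))]
    complete = (int(status.get("svr_num", 0)) == len(status["svr"])
                and int(status.get("domain_num", 0)) == len(status["domain"]))
    return complete and bool(status["svr"]) and any(not a.is_unspecified for a in addrs)

def zone_for(status, ddns_domain):
    """Return the listed zone that ddns_domain is a subdomain of, or None."""
    name = ddns_domain.lower().rstrip(".")
    for zone in status["domain"]:
        if name.endswith("." + zone.lower()):
            return zone
    return None
```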
