Last updated on August 9, 2019
Using a Dynamic Domain Name Service (DDNS) means that users can reach your network by means of a domain name that remains constant even when its IP address changes. FortiOS has supported this feature under Network – DNS settings – FortiGuard DDNS service, which sounds great. Unfortunately, it does not work well in my home lab environment: my FortiGate is behind the ISP modem, and its WAN port uses the private IP address 192.168.20.2.
1. FortiGuard DDNS service
With the basic FortiGuard DDNS settings, without enabling "Public IP Address", my WAN IP (192.168.20.2) was published on the Internet for my defined subdomain 51sec.fortiddns.com. The configuration page also shows a warning message: "the interface has a private ip address (192.168.20.2) which may not be publicly accessible".
In this example, the domain fortiddns.com is used. This domain is owned by Fortinet, as are the float-zone.com and fortidyndns.com domains.
    C:\Users\johny>nslookup
    Default Server: UnKnown
    Address: 184.108.40.206
    > 51sec.fortiddns.com
    Server: [220.127.116.11]
    Address: 18.104.22.168
    Non-authoritative answer:
    Name: 51sec.float-zone.com
    Address: 192.168.20.2
If FortiGuard DDNS is enabled, the subdomain 51sec.fortiddns.com is not updated in FortiGuard DDNS at all. nslookup reports it as a non-existent domain.
    C:\Users\johny>nslookup
    Default Server: UnKnown
    Address: 22.214.171.124
    > 51sec.fortiddns.com
    Server: [126.96.36.199]
    Address: 188.8.131.52
    *** [184.108.40.206] can't find 51sec.fortiddns.com: Non-existent domain
2. NOIP.COM DDNS Service
Should we give up here? Let's check the CLI. You will find FortiGate has put all those popular DDNS providers into the configuration, but they do not show in the Web GUI.
    FWF60D # config system ddns
    FWF60D (ddns) # edit 1
    FWF60D (1) # set ddns-server
    dyndns.org        members.dyndns.org and dnsalias.com
    dyns.net          www.dyns.net
    tzo.com           rh.tzo.com
    vavic.com         Peanut Hull
    dipdns.net        dipdnsserver.dipdns.com
    now.net.cn        ip.todayisp.com
    dhs.org           members.dhs.org
    easydns.com       members.easydns.com
    genericDDNS       Generic DDNS based on RFC2136.
    FortiGuardDDNS    FortiGuard DDNS service.
    noip.com          dynupdate.no-ip.com
Although 11 DDNS service providers are listed in the configuration, most of them have stopped working; for some, even the website no longer opens. I found that noip.com still works, although it requires confirmation every 30 days.
Here is my configuration for noip.com. After you enter your username and password and enable use-public-ip and monitor-interface, you will find it magically works in your noip.com account.
    FWF60D (ddns) # show
    config system ddns
        edit 1
            set ddns-server noip.com
            set ddns-domain "51nec.ddns.net"
            set ddns-username "jonya"
            set ddns-password ENC 8T9QIraIpi5XMKlZpC0ZTTM3B9rJKv8VVGDhpXkLy3RxjnLGjfoO7stFRQsvIq/6Yp3vWq5Fvsu0QW4t9JScsfkZhDoblghYitftNWIapto0I+5RWVO5zR9vEjxZO0f/g+ZiDNs12IOfJMcJa1DGmM4t18BiVtcpO4t+xO8h0fi7/rsOvyksA==
            set use-public-ip enable
            set ssl-certificate ''
            set monitor-interface "wan1"
        next
    end
    C:\Users\johny>nslookup
    Default Server: UnKnown
    Address: 192.168.2.1
    > 51nec.ddns.net
    Server: UnKnown
    Address: 192.168.2.1
    Non-authoritative answer:
    Name: 51nec.ddns.net
    Address: 220.127.116.11
    >
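The three nslookup checks in this post can be scripted so that a DDNS record pointing at a private address, or missing altogether, is flagged automatically. The Python below is an added example, not part of the original post; the function names are hypothetical and the sample text is the post's nslookup output, trimmed to the resolver header and the answer.

```python
import ipaddress
import re

# Added example; function names are illustrative, not from FortiOS or noip.com.
def answer_addresses(text):
    """IPs from the answer section only; the resolver's own header is skipped."""
    match = re.search(r"^Name:.*$", text, re.MULTILINE)
    if match is None:
        return []
    found = []
    for token in text[match.end():].split():
        try:
            found.append(ipaddress.ip_address(token))
        except ValueError:
            continue  # labels such as 'Address:' or the '>' prompt
    return found

def check_ddns_record(text):
    """Return (verdict, addresses): nxdomain, no-answer, not-routable or ok."""
    if re.search(r"Non-existent domain|NXDOMAIN", text):
        return "nxdomain", []
    addresses = answer_addresses(text)
    if not addresses:
        return "no-answer", []
    # is_global is False for RFC 1918 ranges and for 100.64.0.0/10 (CGNAT),
    # both of which a firewall behind an ISP modem can end up publishing.
    unroutable = [str(a) for a in addresses if not a.is_global]
    if unroutable:
        return "not-routable", unroutable
    return "ok", [str(a) for a in addresses]

# Sample input: the post's nslookup sessions, trimmed, line breaks restored.
PRIVATE_ANSWER = """Server: [220.127.116.11]
Address: 18.104.22.168
Non-authoritative answer:
Name: 51sec.float-zone.com
Address: 192.168.20.2"""
MISSING_RECORD = """Address: 188.8.131.52
*** [184.108.40.206] can't find 51sec.fortiddns.com: Non-existent domain"""
PUBLIC_ANSWER = """Address: 192.168.2.1
Non-authoritative answer:
Name: 51nec.ddns.net
Address: 220.127.116.11"""

if __name__ == "__main__":
    for sample in (PRIVATE_ANSWER, MISSING_RECORD, PUBLIC_ANSWER):
        print(check_ddns_record(sample))
```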
A free noip account gives you three subdomains, and you need to confirm them every 30 days. It reminds you 7 days before a subdomain expires and is deleted. I am trying to find a way to schedule a script to click this confirm button for me every 30 days.