FortiGate
mmaubert
Staff
Article Id 198746
Description
This article describes a technical tip to prevent and/or troubleshoot “504 DNS lookup Failed” errors when the Explicit Web Proxy feature is configured in a non-management VDOM.

Solution
When configured as an Explicit Web Proxy server, the FortiGate typically needs to perform Domain Name resolution in order to fulfill clients’ requests. To do so, the FortiGate relies on the system DNS settings configured in the “config system dns” section. This works fine when the Explicit Web Proxy feature is configured in the management VDOM (the ‘root’ VDOM by default), since that VDOM inherits the DNS settings configured globally.
If the Explicit Web Proxy is configured in a non-management VDOM, the DNS configuration defined in the “config system dns” section does not apply to that VDOM. As a result, browsing requests issued by clients fail by default with a “504 DNS look up failed” error such as the following:

The workaround is to configure the DNS settings at the VDOM level (in the VDOM in which the Explicit Web Proxy feature is configured) so that the FortiGate can perform Domain Name resolution successfully from that VDOM. This is done in the “config system vdom-dns” section, which is specific to the VDOM. At a minimum, DNS must be enabled for the VDOM with “set vdom-dns enable”, and an IPv4 or IPv6 primary server must be defined with “set primary <dns_ipv4>” or “set ip6-primary <dns_ipv6>”. The secondary servers and the source IP are optional; the source IP only matters when the DNS server must see queries coming from a specific interface address of the VDOM.

config system vdom-dns
    set ip6-primary <dns_ipv6>
    set ip6-secondary <dns_ipv6>
    set primary <dns_ipv4>
    set secondary <dns_ipv4>
    set source-ip <ipv4_addr>
    set vdom-dns {disable | enable}
end
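The rule described above (the management VDOM inherits “config system dns”, every other VDOM needs its own “config system vdom-dns” with DNS enabled and a primary server) can be checked across a whole configuration backup before clients start reporting 504 errors. The following script is an added example written for this article; it is not Fortinet code and does not come from the original page. It parses a constructed, simplified FortiOS configuration excerpt (VDOM names, addresses and the nesting are made up for the demonstration) and reports each VDOM that has the Explicit Web Proxy enabled without a usable DNS source.

```python
"""Audit a FortiOS config dump for Explicit Web Proxy VDOMs lacking a DNS source.

Added example for this article; not Fortinet code. The sample config below is
constructed and simplified (names and addresses are invented).
"""
from typing import Dict, List, Tuple

SAMPLE_CONFIG = """\
config global
    config system global
        set management-vdom "root"
    end
    config system dns
        set primary 10.0.0.53
    end
end
config vdom
    edit root
        config web-proxy explicit
            set status enable
        end
    next
    edit proxy-a
        config web-proxy explicit
            set status enable
            set http-incoming-port 8080
        end
        config firewall policy
            edit 1
                set action accept
            next
        end
    next
    edit proxy-b
        config web-proxy explicit
            set status enable
        end
        config system vdom-dns
            set vdom-dns enable
            set primary 10.0.0.53
        end
    next
end
"""


def parse_fortios(text: str) -> Tuple[Dict[str, object], Dict[str, dict]]:
    """Walk the dump line by line, tracking 'config' nesting and the VDOM being
    edited; only the settings relevant to the DNS check are recorded."""
    stack: List[str] = []        # names of the currently open 'config' sections
    current_vdom = None
    glob: Dict[str, object] = {"management_vdom": "root", "dns_primary": None}
    vdoms: Dict[str, dict] = {}

    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("config "):
            stack.append(line[len("config "):])
        elif line.startswith("edit ") and stack and stack[-1] == "vdom":
            # 'edit' directly under 'config vdom' names a VDOM; 'edit' inside
            # other tables (e.g. firewall policy) is left alone.
            current_vdom = line[len("edit "):].strip().strip('"')
            vdoms.setdefault(current_vdom, {"explicit_proxy": False,
                                            "vdom_dns": False,
                                            "vdom_dns_primary": None})
        elif line == "next":
            if stack and stack[-1] == "vdom":
                current_vdom = None
        elif line == "end":
            if stack:
                stack.pop()
        elif line.startswith("set "):
            key, _, value = line[len("set "):].partition(" ")
            value = value.strip().strip('"')
            section = stack[-1] if stack else ""
            if section == "system global" and key == "management-vdom":
                glob["management_vdom"] = value
            elif section == "system dns" and key in ("primary", "ip6-primary"):
                glob["dns_primary"] = glob["dns_primary"] or value
            elif current_vdom is None:
                continue
            elif section == "web-proxy explicit" and key == "status":
                vdoms[current_vdom]["explicit_proxy"] = value == "enable"
            elif section == "system vdom-dns":
                if key == "vdom-dns":
                    vdoms[current_vdom]["vdom_dns"] = value == "enable"
                elif key in ("primary", "ip6-primary"):
                    v = vdoms[current_vdom]
                    v["vdom_dns_primary"] = v["vdom_dns_primary"] or value
    return glob, vdoms


def audit_proxy_dns(text: str) -> Dict[str, str]:
    """One verdict per VDOM that has the Explicit Web Proxy enabled."""
    glob, vdoms = parse_fortios(text)
    verdicts: Dict[str, str] = {}
    for name, v in vdoms.items():
        if not v["explicit_proxy"]:
            continue
        if name == glob["management_vdom"]:
            # The management VDOM inherits the global 'config system dns'.
            verdicts[name] = ("ok: inherits global DNS" if glob["dns_primary"]
                              else "risk: no global DNS primary configured")
        elif v["vdom_dns"] and v["vdom_dns_primary"]:
            verdicts[name] = "ok: vdom-dns enabled, primary " + v["vdom_dns_primary"]
        else:
            verdicts[name] = ("risk: non-management VDOM without vdom-dns enabled "
                              "and a primary server (expect 504 DNS lookup failed)")
    return verdicts


def vdoms_at_risk(text: str) -> List[str]:
    return sorted(n for n, m in audit_proxy_dns(text).items() if m.startswith("risk"))


if __name__ == "__main__":
    for vdom, verdict in audit_proxy_dns(SAMPLE_CONFIG).items():
        print(f"{vdom}: {verdict}")
```

On the sample, “root” passes because it is the management VDOM, “proxy-b” passes because vdom-dns is enabled with a primary server, and “proxy-a” is flagged. The parser deliberately tracks the section stack rather than matching “edit” anywhere, because “edit”/“next” also appear inside every table nested within a VDOM (the firewall policy entry in the sample is there to exercise that path).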
