FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
naveenk
Staff
Article Id 191360

Description

 

This article describes how to stop the unit from performing DNS lookups.

If the unit is on a closed network and does not communicate with the FortiGuard servers, it is possible to stop the DNS lookup queries.

Solution

 

Sometimes this is necessary because, with no Internet connection from the FortiGate, the failed lookups generate many DNS lookup failure logs, which consume log disk or memory space.

By design, a timeout log is generated whenever a DNS request cannot be resolved.
That is how it can be determined that the DNS service on the FortiGate is not working properly.

There are several settings on the FortiGate that reduce the number of queries.

1) Disable the DNS filter in the logging setting:

 

# config log disk filter
    set dns disable
end


* Starting with v6.2, 'set dns disable' is not available. It is possible to exclude the DNS logs using their logid instead.

 

# config log disk filter
    set filter "logid(The_ID_of_the_log)"
    set filter-type exclude
end


The_ID_of_the_log is the ID carried by the log entry to be excluded. Below are two examples of what a logid looks like:

 

0001000014

0000000013

 

For example:

 

# config log disk filter
    set filter "logid(0001000014)"
    set filter-type exclude
end

 

It might also be necessary to exclude the logs from memory or from FortiAnalyzer instead of from the disk. In that case, replace the word 'disk' with 'memory' or 'fortianalyzer' in the above command.
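As an added example (not part of the article and not Fortinet code), the following Python script parses a constructed set of FortiGate-style key=value log lines, counts which logids appear on DNS (port 53) records, and prints the exclusion block from step 1 for the noisiest one. The sample lines and the logid assigned to the DNS timeout records are assumptions; take the real logid from the unit's own logs.

```python
import re
from collections import Counter

# Constructed sample of FortiGate key=value log lines (not captured from a real device).
# The DNS timeout lines are given logid 0001000014 purely for illustration; look up the
# real value in the unit's own logs before building the filter.
SAMPLE_LOGS = """\
date=2024-01-01 time=10:00:01 logid="0001000014" type="traffic" subtype="local" srcip=192.0.2.10 dstip=192.0.2.53 dstport=53 proto=17 service="DNS" action="timeout" msg="DNS query timed out"
date=2024-01-01 time=10:00:02 logid="0001000014" type="traffic" subtype="local" srcip=192.0.2.10 dstip=192.0.2.53 dstport=53 proto=17 service="DNS" action="timeout" msg="DNS query timed out"
date=2024-01-01 time=10:00:03 logid="0000000013" type="traffic" subtype="forward" srcip=192.0.2.20 dstip=198.51.100.5 dstport=443 proto=6 service="HTTPS" action="accept"
date=2024-01-01 time=10:00:04 logid="0001000014" type="traffic" subtype="local" srcip=192.0.2.10 dstip=192.0.2.53 dstport=53 proto=17 service="DNS" action="timeout" msg="DNS query timed out"
"""

# key=value, where the value is either double-quoted (may contain spaces) or a bare token
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_log_line(line):
    """Parse one FortiGate key=value log line into a dict (findall yields '' for unmatched groups)."""
    return {k: (quoted or bare) for k, quoted, bare in FIELD_RE.findall(line)}

def count_dns_logids(lines, dns_port="53"):
    """Count how often each logid appears on records whose destination port is DNS."""
    counts = Counter()
    for line in lines:
        rec = parse_log_line(line)
        if rec.get("dstport") == dns_port and "logid" in rec:
            counts[rec["logid"]] += 1
    return counts

def build_exclude_filter(logid, target="disk"):
    """Return the CLI block from the article that excludes one logid from a log target.

    target is 'disk', 'memory' or 'fortianalyzer', as the article describes."""
    return (
        f"config log {target} filter\n"
        f'    set filter "logid({logid})"\n'
        f"    set filter-type exclude\n"
        f"end"
    )

if __name__ == "__main__":
    counts = count_dns_logids(SAMPLE_LOGS.splitlines())
    noisiest, n = counts.most_common(1)[0]
    print(f"logid {noisiest} seen {n} times on DNS traffic; exclusion block:")
    print(build_exclude_filter(noisiest))
```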

2) Unset the primary and secondary DNS servers:

 

# config system dns
    set primary 0.0.0.0
    set secondary 0.0.0.0
end

 

3) Disable 'Resolving Hostnames' in the log settings.

Verification:

- Check the DNS error logs under 'Forward traffic'.
- Run the sniffer on DNS port 53 to check whether DNS traffic is still being sent:

 

# diag sniffer packet any "udp port 53" 4 a