FortiGate
alif (Staff)
Article Id 193110

Description

This article describes how hostnames (A records in this example) are resolved using the DNS servers configured on the FortiGate, and how to identify which of those servers answered a given query.

Scope

FortiGate.

Solution

The screenshot below is taken from Network -> DNS.
The FortiGate is configured to use the FortiGuard DNS servers together with the DNS servers obtained dynamically from the ISP.

To find out which DNS server the FortiGate used to resolve a hostname, the packet sniffer and the dnsproxy debug output together identify the server that received each query.

In a separate window, an ICMP echo request has been sent to 'www.amsterdam.com'.
The sniffer shows that the DNS query was sent to the FortiGuard DNS server 208.91.112.53 on port 53 to resolve the hostname into an IP address (the sniffer prints the address and port as 208.91.112.53.53).

diagnose sniffer packet any "port 53" 4 0 a

interfaces=[any]
filters=[port 53]
2020-09-02 17:31:24.657517 wan1 out 192.168.0.230.1367 -> 208.91.112.53.53: udp 35
2020-09-02 17:31:24.763335 wan1 in 208.91.112.53.53 -> 192.168.0.230.1367: udp 268
2 packets received by filter
0 packets dropped by kernel

diag debug application dnsproxy -1
diag debug console timestamp enable
diag debug enable

2020-09-02 10:38:39 [worker 0] batch_on_read()-2857
2020-09-02 10:38:39 [worker 0] unix_receive_request_stub()-2783
2020-09-02 10:38:39 [worker 0] unix_receive_request_stub()-2814: vd-0:0 received a req with 35 bytes (non_block=0 non_cache=0)
2020-09-02 10:38:39 [worker 0] handle_dns_request()-1778: id:0x0000 pktlen=35, qr=0 req_type=1
2020-09-02 10:38:39 [worker 0] get_intf_policy()-1101: ifindex=0
2020-09-02 10:38:39 [worker 0] dns_parse_message()-607
2020-09-02 10:38:39 [worker 0] dns_local_lookup()-2233: vfid=0 qname=www.amsterdam.com, qtype=1, qclass=1, offset=35, map#=3 max_sz=512
2020-09-02 10:38:39 [worker 0] dns_lookup_aa_zone()-496: vfid=0, fqdn=www.amsterdam.com
2020-09-02 10:38:39 [worker 0] dns_forward_request()-1122
2020-09-02 10:38:39 [worker 0] dns_send_resol_request()-977: orig id: 0x0000 local id: 0x8045 domain=www.amsterdam.com
2020-09-02 10:38:39 [worker 0] dns_find_best_server()-522: vfid=0 profiled=0 last server:
2020-09-02 10:38:39 [worker 0] dns_udp_forward_request()-833: vdom=root req_type=1 domain=www.amsterdam.com tls=0
2020-09-02 10:38:39 [worker 0] dns_udp_forward_request()-935: Send 35B to [208.91.112.53]:53 via fd=21 request:1
2020-09-02 10:38:39 [worker 0] unix_receive_request_stub()-2783
2020-09-02 10:38:39 [worker 0] batch_on_read()-2857
2020-09-02 10:38:39 [worker 0] udp_receive_response()-2719
2020-09-02 10:38:39 [worker 0] udp_receive_response()-2742: vd-0: len=113, addr=208.91.112.53:53
2020-09-02 10:38:39 [worker 0] dns_query_handle_response()-2151: id:0x8045 domain=www.amsterdam.com pktlen=113
2020-09-02 10:38:39 [worker 0] dns_query_save_response()-2132: domain=www.amsterdam.com pktlen=113
2020-09-02 10:38:39 [worker 0] dns_cache_response()-250: Response is error (3) will not cache.
2020-09-02 10:38:39 [worker 0] dns_forward_response()-1334
2020-09-02 10:38:39 [worker 0] dns_secure_forward_response()-1293: category=255 profile=none
2020-09-02 10:38:39 [worker 0] dns_send_response()-1273: domain=www.amsterdam.com reslen=113
2020-09-02 10:38:39 [worker 0] __dns_udp_forward_response()-1156
2020-09-02 10:38:39 [worker 0] __dns_udp_forward_response()-1168: vd-0 Send 113B via fd=26, family=1
2020-09-02 10:38:39 [worker 0] dns_query_delete()-427: orgi id:0x0000 local id:0x8045 active
2020-09-02 10:38:39 [worker 0] udp_receive_response()-2719

Another ICMP echo request has been sent to 'www.paris.com'.
This time the DNS query was sent to 192.168.0.1, the DNS server obtained dynamically from the ISP connection on the wan1 interface.

diagnose sniffer packet any "port 53" 4 0 a

interfaces=[any]
filters=[port 53]
2020-09-02 17:31:24.867515 wan1 out 192.168.0.230.1367 -> 192.168.0.1.53: udp 43
2020-09-02 17:31:24.884953 wan1 in 192.168.0.1.53 -> 192.168.0.230.1367: udp 276
2 packets received by filter
0 packets dropped by kernel

2020-09-02 10:39:04 [worker 0] batch_on_read()-2857
2020-09-02 10:39:04 [worker 0] unix_receive_request_stub()-2783
2020-09-02 10:39:04 [worker 0] unix_receive_request_stub()-2814: vd-0:0 received a req with 31 bytes (non_block=0 non_cache=0)
2020-09-02 10:39:04 [worker 0] handle_dns_request()-1778: id:0x0000 pktlen=31, qr=0 req_type=1
2020-09-02 10:39:04 [worker 0] get_intf_policy()-1101: ifindex=0
2020-09-02 10:39:04 [worker 0] dns_parse_message()-607
2020-09-02 10:39:04 [worker 0] dns_local_lookup()-2233: vfid=0 qname=www.paris.com, qtype=1, qclass=1, offset=31, map#=3 max_sz=512
2020-09-02 10:39:04 [worker 0] dns_lookup_aa_zone()-496: vfid=0, fqdn=www.paris.com
2020-09-02 10:39:04 [worker 0] dns_forward_request()-1122
2020-09-02 10:39:04 [worker 0] dns_send_resol_request()-977: orig id: 0x0000 local id: 0xa00e domain=www.paris.com
2020-09-02 10:39:04 [worker 0] dns_find_best_server()-522: vfid=0 profiled=0 last server:
2020-09-02 10:39:04 [worker 0] dns_udp_forward_request()-833: vdom=root req_type=1 domain=www.paris.com tls=0
2020-09-02 10:39:04 [worker 0] dns_udp_forward_request()-935: Send 31B to [192.168.0.1]:53 via fd=21 request:1
2020-09-02 10:39:04 [worker 0] unix_receive_request_stub()-2783
2020-09-02 10:39:04 [worker 0] batch_on_read()-2857
2020-09-02 10:39:04 [worker 0] udp_receive_response()-2719
2020-09-02 10:39:04 [worker 0] udp_receive_response()-2742: vd-0: len=79, addr=192.168.0.1:53
2020-09-02 10:39:04 [worker 0] dns_query_handle_response()-2151: id:0xa00e domain=www.paris.com pktlen=79
2020-09-02 10:39:04 [worker 0] dns_query_save_response()-2132: domain=www.paris.com pktlen=79
2020-09-02 10:39:04 [worker 0] dns_set_min_ttl()-183: QR: www.paris.com
2020-09-02 10:39:04 [worker 0] dns_set_min_ttl()-191: Offset of 1st RR: 31 Number of RR's: 3
2020-09-02 10:39:04 [worker 0] dns_set_min_ttl()-201: RR TTL: 300
2020-09-02 10:39:04 [worker 0] dns_set_min_ttl()-201: RR TTL: 300
2020-09-02 10:39:04 [worker 0] dns_set_min_ttl()-201: RR TTL: 300
2020-09-02 10:39:04 [worker 0] dns_cache_response()-286: Min ttl = 300
2020-09-02 10:39:04 [worker 0] dns_forward_response()-1334
2020-09-02 10:39:04 [worker 0] dns_secure_forward_response()-1293: category=255 profile=none
2020-09-02 10:39:04 [worker 0] dns_visibility_log_hostname()-236: vd=0 pktlen=79
2020-09-02 10:39:04 [worker 0] hostname_entry_insert()-141: af=2 domain=www.paris.com
2020-09-02 10:39:04 [worker 0] hostname_entry_insert()-141: af=2 domain=www.paris.com
2020-09-02 10:39:04 [worker 0] hostname_entry_insert()-141: af=2 domain=www.paris.com
2020-09-02 10:39:04 [worker 0] dns_send_response()-1273: domain=www.paris.com reslen=79
2020-09-02 10:39:04 [worker 0] __dns_udp_forward_response()-1156
2020-09-02 10:39:04 [worker 0] __dns_udp_forward_response()-1168: vd-0 Send 79B via fd=26, family=1
2020-09-02 10:39:04 [worker 0] dns_query_delete()-427: orgi id:0x0000 local id:0xa00e active
2020-09-02 10:39:04 [worker 0] udp_receive_response()-2719

To disable debugging on the FortiGate, use the following commands:

diag debug disable
diag debug reset

The following command is very useful for troubleshooting DNS-related issues on a FortiGate; it opens a menu of dnsproxy test actions:

diagnose test application dnsproxy

worker idx: 0

1. Clear DNS cache
2. Show stats
3. Dump DNS setting
4. Reload FQDN
5. Requery FQDN
6. Dump FQDN
7. Dump DNS cache
8. Dump DNS DB
9. Reload DNS DB
10. Dump secure DNS policy/profile
11. Dump Botnet domain
12. Reload Secure DNS setting
13. Show Hostname cache
14. Clear Hostname cache
15. Show SDNS rating cache
16. Clear SDNS rating cache
17. DNS debug bit mask
18. DNS debug obj mem
99. Restart dnsproxy worker
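
The two dnsproxy debug traces above contain everything needed to answer the article's question without reading the sniffer: the `dns_udp_forward_request()` line names the upstream server and the query size, `dns_query_handle_response()` ties the reply back to the local query id, and `dns_cache_response()` says whether the answer was cached. The following Python script is an added example (not part of the Fortinet article) that parses such lines into a per-query summary. It also computes the wire size of a plain A query for each name, which is why the traces show 35 bytes for `www.amsterdam.com` and 31 bytes for `www.paris.com`. The DNS RCODE names are the standard IANA values, so "Response is error (3)" in the first trace means NXDOMAIN, which is why dnsproxy did not cache that answer while the second answer (three RRs, TTL 300) was cached. The sample lines are copied from the traces above; the regexes assume the message formats shown there and nothing more.

```python
"""Summarise FortiGate dnsproxy debug output: which upstream server received
each query, how large request and reply were, and whether dnsproxy cached it.
Added example, not Fortinet code; it only knows the line formats visible in
the article's traces."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Standard DNS RCODE names (IANA); dnsproxy prints the numeric value in
# "Response is error (N) will not cache."
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}

RE_RESOL = re.compile(r"dns_send_resol_request\(\)-\d+: orig id: (0x[0-9a-f]+) "
                      r"local id: (0x[0-9a-f]+) domain=(\S+)")
RE_FWD = re.compile(r"dns_udp_forward_request\(\)-\d+: Send (\d+)B to \[([^\]]+)\]:(\d+)")
RE_RESP = re.compile(r"dns_query_handle_response\(\)-\d+: id:(0x[0-9a-f]+) domain=(\S+) pktlen=(\d+)")
RE_ERR = re.compile(r"dns_cache_response\(\)-\d+: Response is error \((\d+)\) will not cache")
RE_TTL = re.compile(r"dns_cache_response\(\)-\d+: Min ttl = (\d+)")

# Sample input: the relevant lines from the two debug traces in the article.
SAMPLE_DEBUG = """\
2020-09-02 10:38:39 [worker 0] dns_send_resol_request()-977: orig id: 0x0000 local id: 0x8045 domain=www.amsterdam.com
2020-09-02 10:38:39 [worker 0] dns_udp_forward_request()-935: Send 35B to [208.91.112.53]:53 via fd=21 request:1
2020-09-02 10:38:39 [worker 0] dns_query_handle_response()-2151: id:0x8045 domain=www.amsterdam.com pktlen=113
2020-09-02 10:38:39 [worker 0] dns_cache_response()-250: Response is error (3) will not cache.
2020-09-02 10:39:04 [worker 0] dns_send_resol_request()-977: orig id: 0x0000 local id: 0xa00e domain=www.paris.com
2020-09-02 10:39:04 [worker 0] dns_udp_forward_request()-935: Send 31B to [192.168.0.1]:53 via fd=21 request:1
2020-09-02 10:39:04 [worker 0] dns_query_handle_response()-2151: id:0xa00e domain=www.paris.com pktlen=79
2020-09-02 10:39:04 [worker 0] dns_cache_response()-286: Min ttl = 300
"""


@dataclass
class Query:
    local_id: str
    domain: str
    server: Optional[str] = None
    port: Optional[int] = None
    request_bytes: Optional[int] = None
    response_bytes: Optional[int] = None
    rcode: int = 0
    min_ttl: Optional[int] = None
    cached: bool = False

    def describe(self) -> str:
        verdict = (f"cached for {self.min_ttl}s" if self.cached
                   else f"not cached ({RCODES.get(self.rcode, 'RCODE ' + str(self.rcode))})")
        return (f"{self.domain}: {self.request_bytes}B query -> {self.server}:{self.port}, "
                f"{self.response_bytes}B reply, {verdict}")


def parse_dnsproxy_debug(text: str) -> List[Query]:
    """Walk the trace in order; requests are correlated to replies by dnsproxy's local id."""
    by_id: Dict[str, Query] = {}
    order: List[Query] = []
    current: Optional[Query] = None
    for line in text.splitlines():
        if m := RE_RESOL.search(line):
            current = Query(local_id=m.group(2), domain=m.group(3))
            by_id[current.local_id] = current
            order.append(current)
        elif (m := RE_FWD.search(line)) and current:
            current.request_bytes = int(m.group(1))
            current.server = m.group(2)
            current.port = int(m.group(3))
        elif m := RE_RESP.search(line):
            current = by_id.get(m.group(1))      # reply lines carry the local id
            if current:
                current.response_bytes = int(m.group(3))
        elif (m := RE_ERR.search(line)) and current:
            current.rcode = int(m.group(1))
            current.cached = False
        elif (m := RE_TTL.search(line)) and current:
            current.min_ttl = int(m.group(1))
            current.cached = True
    return order


def expected_query_length(qname: str) -> int:
    """Wire size of a plain DNS query (no EDNS OPT record) for one QNAME:
    12-byte header + name (one length byte per label + root byte) + QTYPE/QCLASS."""
    labels = [label for label in qname.rstrip(".").split(".") if label]
    name_len = sum(len(label) + 1 for label in labels) + 1
    return 12 + name_len + 4


if __name__ == "__main__":
    for q in parse_dnsproxy_debug(SAMPLE_DEBUG):
        print(q.describe())
        print(f"  a bare A query for {q.domain} is {expected_query_length(q.domain)}B on the wire")
```

Run against a longer capture, the summary shows at a glance which configured server dnsproxy picked for each name; when a lookup fails, the RCODE in the `dns_cache_response()` line tells you whether the upstream server returned NXDOMAIN or SERVFAIL before you start suspecting the FortiGate itself.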

Related documents:

Technical Note: FortiGate Troubleshooting DNS commands

system dns
FortiGate DNS server
Troubleshooting for DNS filter