| Description |
This article describes the workaround to use in case of DNS error logs showing in FortiAnalyzer. |
| Scope |
This is an expected behavior where the firewall logs any invalid DNS traffic. The firewall action itself is allow/pass, but the bad reply from the server is not forwarded back to the requesting client thus showing the 'Deny: DNS Error' message.
Invalid DNS traffic would be UDP packets on port 53 that are not DNS traffic, packets which are oversized, bad checksum etc.
It can happen that the information expected by the security policy is not contained in the header/payload of the packet and that is when the packet is denied or dropped.
Session helper for DNS is not mandatory for which reason you can delete it and it should work properly after. |
| Solution |
Workaround:
- Identify DNS session helper entry ID.
# show system session-helper
- Delete DNS session helper entry.
# config system session-helper delete <id> end
The same can be accomplished in FortiGate with following commands:
# config log fortianalyzer filter config free-style edit 0 set filter-type exclude set filter "logid 0000000011" end end
Related articles: https://docs.fortinet.com/document/fortigate/6.0.0/handbook/318199/disabling-a-session-helper |
