Description
This article describes how hostnames (A-records in this example) are resolved using the DNS servers configured on the FortiGate.
Scope
FortiGate.
Solution
The below screenshot is taken from Network -> DNS.
The FortiGate uses the FortiGuard DNS servers together with the DNS servers obtained dynamically from the ISP.
To find out which DNS server the FortiGate used to resolve a given hostname, the packet sniffer and the dnsproxy debug output both identify the server that was queried.
In a separate window, an ICMP echo request has been sent to 'www.amsterdam.com'.
The sniffer shows that the DNS query has been sent to the FortiGuard DNS server 208.91.112.53 (UDP port 53) to resolve the hostname into an IP address.
diagnose sniffer packet any "port 53" 4 0 a
interfaces=[any]
filters=[port 53]
2020-09-02 17:31:24.657517 wan1 out 192.168.0.230.1367 -> 208.91.112.53.53: udp 35
2020-09-02 17:31:24.763335 wan1 in 208.91.112.53.53 -> 192.168.0.230.1367: udp 268
2 packets received by filter
0 packets dropped by kernel
diag debug application dnsproxy -1
diag debug console timestamp enable
diag debug enable
2020-09-02 10:38:39 [worker 0] batch_on_read()-2857
2020-09-02 10:38:39 [worker 0] unix_receive_request_stub()-2783
2020-09-02 10:38:39 [worker 0] unix_receive_request_stub()-2814: vd-0:0 received a req with 35 bytes (non_block=0 non_cache=0)
2020-09-02 10:38:39 [worker 0] handle_dns_request()-1778: id:0x0000 pktlen=35, qr=0 req_type=1
2020-09-02 10:38:39 [worker 0] get_intf_policy()-1101: ifindex=0
2020-09-02 10:38:39 [worker 0] dns_parse_message()-607
2020-09-02 10:38:39 [worker 0] dns_local_lookup()-2233: vfid=0 qname=www.amsterdam.com, qtype=1, qclass=1, offset=35, map#=3 max_sz=512
2020-09-02 10:38:39 [worker 0] dns_lookup_aa_zone()-496: vfid=0, fqdn=www.amsterdam.com
2020-09-02 10:38:39 [worker 0] dns_forward_request()-1122
2020-09-02 10:38:39 [worker 0] dns_send_resol_request()-977: orig id: 0x0000 local id: 0x8045 domain=www.amsterdam.com
2020-09-02 10:38:39 [worker 0] dns_find_best_server()-522: vfid=0 profiled=0 last server:
2020-09-02 10:38:39 [worker 0] dns_udp_forward_request()-833: vdom=root req_type=1 domain=www.amsterdam.com tls=0
2020-09-02 10:38:39 [worker 0] dns_udp_forward_request()-935: Send 35B to [208.91.112.53]:53 via fd=21 request:1
2020-09-02 10:38:39 [worker 0] unix_receive_request_stub()-2783
2020-09-02 10:38:39 [worker 0] batch_on_read()-2857
2020-09-02 10:38:39 [worker 0] udp_receive_response()-2719
2020-09-02 10:38:39 [worker 0] udp_receive_response()-2742: vd-0: len=113, addr=208.91.112.53:53
2020-09-02 10:38:39 [worker 0] dns_query_handle_response()-2151: id:0x8045 domain=www.amsterdam.com pktlen=113
2020-09-02 10:38:39 [worker 0] dns_query_save_response()-2132: domain=www.amsterdam.com pktlen=113
2020-09-02 10:38:39 [worker 0] dns_cache_response()-250: Response is error (3) will not cache.
2020-09-02 10:38:39 [worker 0] dns_forward_response()-1334
2020-09-02 10:38:39 [worker 0] dns_secure_forward_response()-1293: category=255 profile=none
2020-09-02 10:38:39 [worker 0] dns_send_response()-1273: domain=www.amsterdam.com reslen=113
2020-09-02 10:38:39 [worker 0] __dns_udp_forward_response()-1156
2020-09-02 10:38:39 [worker 0] __dns_udp_forward_response()-1168: vd-0 Send 113B via fd=26, family=1
2020-09-02 10:38:39 [worker 0] dns_query_delete()-427: orgi id:0x0000 local id:0x8045 active
2020-09-02 10:38:39 [worker 0] udp_receive_response()-2719
Another ICMP echo request has been sent to 'www.paris.com'.
This time the DNS query has been sent to the dynamically obtained DNS server 192.168.0.1 of the ISP connection on the wan1 interface.
diagnose sniffer packet any "port 53" 4 0 a
interfaces=[any]
filters=[port 53]
2020-09-02 17:31:24.867515 wan1 out 192.168.0.230.1367 -> 192.168.0.1.53: udp 43
2020-09-02 17:31:24.884953 wan1 in 192.168.0.1.53 -> 192.168.0.230.1367: udp 276
2 packets received by filter
0 packets dropped by kernel
2020-09-02 10:39:04 [worker 0] batch_on_read()-2857
2020-09-02 10:39:04 [worker 0] unix_receive_request_stub()-2783
2020-09-02 10:39:04 [worker 0] unix_receive_request_stub()-2814: vd-0:0 received a req with 31 bytes (non_block=0 non_cache=0)
2020-09-02 10:39:04 [worker 0] handle_dns_request()-1778: id:0x0000 pktlen=31, qr=0 req_type=1
2020-09-02 10:39:04 [worker 0] get_intf_policy()-1101: ifindex=0
2020-09-02 10:39:04 [worker 0] dns_parse_message()-607
2020-09-02 10:39:04 [worker 0] dns_local_lookup()-2233: vfid=0 qname=www.paris.com, qtype=1, qclass=1, offset=31, map#=3 max_sz=512
2020-09-02 10:39:04 [worker 0] dns_lookup_aa_zone()-496: vfid=0, fqdn=www.paris.com
2020-09-02 10:39:04 [worker 0] dns_forward_request()-1122
2020-09-02 10:39:04 [worker 0] dns_send_resol_request()-977: orig id: 0x0000 local id: 0xa00e domain=www.paris.com
2020-09-02 10:39:04 [worker 0] dns_find_best_server()-522: vfid=0 profiled=0 last server:
2020-09-02 10:39:04 [worker 0] dns_udp_forward_request()-833: vdom=root req_type=1 domain=www.paris.com tls=0
2020-09-02 10:39:04 [worker 0] dns_udp_forward_request()-935: Send 31B to [192.168.0.1]:53 via fd=21 request:1
2020-09-02 10:39:04 [worker 0] unix_receive_request_stub()-2783
2020-09-02 10:39:04 [worker 0] batch_on_read()-2857
2020-09-02 10:39:04 [worker 0] udp_receive_response()-2719
2020-09-02 10:39:04 [worker 0] udp_receive_response()-2742: vd-0: len=79, addr=192.168.0.1:53
2020-09-02 10:39:04 [worker 0] dns_query_handle_response()-2151: id:0xa00e domain=www.paris.com pktlen=79
2020-09-02 10:39:04 [worker 0] dns_query_save_response()-2132: domain=www.paris.com pktlen=79
2020-09-02 10:39:04 [worker 0] dns_set_min_ttl()-183: QR: www.paris.com
2020-09-02 10:39:04 [worker 0] dns_set_min_ttl()-191: Offset of 1st RR: 31 Number of RR's: 3
2020-09-02 10:39:04 [worker 0] dns_set_min_ttl()-201: RR TTL: 300
2020-09-02 10:39:04 [worker 0] dns_set_min_ttl()-201: RR TTL: 300
2020-09-02 10:39:04 [worker 0] dns_set_min_ttl()-201: RR TTL: 300
2020-09-02 10:39:04 [worker 0] dns_cache_response()-286: Min ttl = 300
2020-09-02 10:39:04 [worker 0] dns_forward_response()-1334
2020-09-02 10:39:04 [worker 0] dns_secure_forward_response()-1293: category=255 profile=none
2020-09-02 10:39:04 [worker 0] dns_visibility_log_hostname()-236: vd=0 pktlen=79
2020-09-02 10:39:04 [worker 0] hostname_entry_insert()-141: af=2 domain=www.paris.com
2020-09-02 10:39:04 [worker 0] hostname_entry_insert()-141: af=2 domain=www.paris.com
2020-09-02 10:39:04 [worker 0] hostname_entry_insert()-141: af=2 domain=www.paris.com
2020-09-02 10:39:04 [worker 0] dns_send_response()-1273: domain=www.paris.com reslen=79
2020-09-02 10:39:04 [worker 0] __dns_udp_forward_response()-1156
2020-09-02 10:39:04 [worker 0] __dns_udp_forward_response()-1168: vd-0 Send 79B via fd=26, family=1
2020-09-02 10:39:04 [worker 0] dns_query_delete()-427: orgi id:0x0000 local id:0xa00e active
2020-09-02 10:39:04 [worker 0] udp_receive_response()-2719
In order to disable debugging on the FortiGate, the following commands are used.
diag debug disable
diag debug reset
The following command is very useful for troubleshooting DNS-related issues on the FortiGate.
diagnose test application dnsproxy
worker idx: 0
1. Clear DNS cache
2. Show stats
3. Dump DNS setting
4. Reload FQDN
5. Requery FQDN
6. Dump FQDN
7. Dump DNS cache
8. Dump DNS DB
9. Reload DNS DB
10. Dump secure DNS policy/profile
11. Dump Botnet domain
12. Reload Secure DNS setting
13. Show Hostname cache
14. Clear Hostname cache
15. Show SDNS rating cache
16. Clear SDNS rating cache
17. DNS debug bit mask
18. DNS debug obj mem
99. Restart dnsproxy worker
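Reading the two traces above by eye works for two lookups but not for a busy unit. As an added example (not from the article or from Fortinet), the following Python parses dnsproxy debug output in the format shown, correlates each query with the server it was forwarded to and the server that answered, and flags lookups that used a resolver outside the set configured under Network -> DNS. The sample lines are constructed from the article's two traces; the function names and the configured-server set are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the dnsproxy debug format shown above: the two lookups
# from the article, reduced to the lines this parser consumes.
SAMPLE_DEBUG = """\
2020-09-02 10:38:39 [worker 0] dns_udp_forward_request()-833: vdom=root req_type=1 domain=www.amsterdam.com tls=0
2020-09-02 10:38:39 [worker 0] dns_udp_forward_request()-935: Send 35B to [208.91.112.53]:53 via fd=21 request:1
2020-09-02 10:38:39 [worker 0] udp_receive_response()-2742: vd-0: len=113, addr=208.91.112.53:53
2020-09-02 10:38:39 [worker 0] dns_query_handle_response()-2151: id:0x8045 domain=www.amsterdam.com pktlen=113
2020-09-02 10:38:39 [worker 0] dns_cache_response()-250: Response is error (3) will not cache.
2020-09-02 10:39:04 [worker 0] dns_udp_forward_request()-833: vdom=root req_type=1 domain=www.paris.com tls=0
2020-09-02 10:39:04 [worker 0] dns_udp_forward_request()-935: Send 31B to [192.168.0.1]:53 via fd=21 request:1
2020-09-02 10:39:04 [worker 0] udp_receive_response()-2742: vd-0: len=79, addr=192.168.0.1:53
2020-09-02 10:39:04 [worker 0] dns_query_handle_response()-2151: id:0xa00e domain=www.paris.com pktlen=79
2020-09-02 10:39:04 [worker 0] dns_cache_response()-286: Min ttl = 300
"""

# Each debug line reads: timestamp [worker N] function()-sourceline: detail
LINE_RE = re.compile(r"\[worker (\d+)\] (\w+)\(\)-(\d+):?[ \t]*(.*)")

def parse_dnsproxy_debug(text):
    """Summarise each lookup: server queried, server that answered, DoT flag, rcode, min TTL."""
    last, result = defaultdict(dict), {}   # per-worker state: a worker logs one query's steps in order
    for m in LINE_RE.finditer(text):
        worker, func, src, detail = m.groups()
        st = last[worker]
        if (func, src) == ("dns_udp_forward_request", "833"):       # query about to leave
            d = re.search(r"domain=(\S+) tls=(\d)", detail)
            st["domain"] = d.group(1)
            result[st["domain"]] = {"server": None, "responder": None,
                                    "tls": d.group(2) == "1", "rcode": None, "min_ttl": None}
        elif (func, src) == ("dns_udp_forward_request", "935"):     # target server chosen
            result[st["domain"]]["server"] = re.search(r"to \[([^\]]+)\]", detail).group(1)
        elif (func, src) == ("udp_receive_response", "2742"):       # reply arrived from addr
            st["responder"] = re.search(r"addr=(\S+?):\d+$", detail).group(1)
        elif func == "dns_query_handle_response":                    # reply matched to a domain
            st["domain"] = re.search(r"domain=(\S+)", detail).group(1)
            result[st["domain"]]["responder"] = st.get("responder")
        elif func == "dns_cache_response":                           # error rcode or cached TTL
            err = re.search(r"error \((\d+)\)", detail)
            ttl = re.search(r"Min ttl = (\d+)", detail)
            result[st["domain"]]["rcode"] = int(err.group(1)) if err else 0
            result[st["domain"]]["min_ttl"] = int(ttl.group(1)) if ttl else None
    return result

def unexpected_resolvers(summary, configured):
    """Domains resolved via a server outside the configured set (compare with Network -> DNS)."""
    return sorted(d for d, e in summary.items()
                  if e["server"] not in configured or e["responder"] not in configured)
```

Run against a full `diag debug application dnsproxy -1` capture, an empty result from `unexpected_resolvers` confirms that every query left for, and was answered by, one of the servers the unit is configured to use.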
Related documents:
Technical Note: FortiGate Troubleshooting DNS commands
system dns
FortiGate DNS server
Troubleshooting for DNS filter