lsaroukhani
Staff
November 30, 2022

Technical Tip: DNS queries are not sent to DNS forwarders or system DNS servers


Description

 

This article describes why 'authoritative' must remain disabled in a 'system dns-database' zone for FortiGate to resolve names that the zone does not contain.

The use case for 'source-ip' in this context is discussed at the end.

 

Scope

 

FortiGate.

 

Solution

 

If 'system dns-database' is configured with the domain 'example.com' and this FQDN is not resolvable from the FortiGate itself or from a user's device behind it, make sure that 'authoritative' is set to 'disable'.

If 'authoritative' is enabled, FortiGate does not send the DNS request for 'example.com' to the DNS forwarders or the system DNS servers even when the zone has no entry for the name. FortiGate assumes the name does not exist and returns no address.

 

In this scenario, the FortiGuard DNS servers are set as the system DNS and there are no DNS forwarders:

 

config system dns

    set primary 96.45.45.45

    set secondary 96.45.46.46

end

 

config system dns-database
    edit "Example"
        set status enable
        set domain "example.com"
        set type primary
        set view shadow
        set ttl 86400
        set authoritative disable
        unset forwarder
        set source-ip 0.0.0.0
    next
end


With 'authoritative' disabled, the domain is resolved: FortiGate forwards the DNS query to the system DNS server at 96.45.45.45:53.

 

FortiGate-61F # execute ping example.com

PING example.com (93.184.216.34): 56 data bytes


DNSProxy debugs:

diagnose debug disable
diagnose debug reset
diagnose debug application dnsproxy -1
diagnose debug enable

To stop the debugs:

diagnose debug disable
diagnose debug reset

 

 [worker 0] dns_send_resol_request()-1234: orig id: 0x0000 local id: 0x801c domain=example.com

 [worker 0] dns_find_best_server()-593: found server: 96.45.45.45 (vfid=0 vrf=0)

 [worker 0] dns_udp_forward_request()-1060: vdom=root req_type=1 domain=example.com oif=0

 [worker 0] dns_udp_forward_request()-1180: Send 29B to [96.45.45.45]:53 via fd=19 request:1

 

Wireshark pcap filtered for dns.qry.name == 'example.com' shows the query being sent to 96.45.45.45:

[Screenshot: Wireshark capture filtered on dns.qry.name == 'example.com']


If 'authoritative' is enabled, the domain is not resolved and a ping reports 'Unable to resolve hostname':

 

config system dns-database

    edit "Example"

        set authoritative enable <-----

 

FortiGate-61F # execute ping example.com

Unable to resolve hostname.

 

A Wireshark pcap filtered for dns.qry.name == 'example.com' shows no packets at all: the query never leaves the FortiGate.

 

The difference in the DNSProxy debug output filtered by 'example.com':

Working (the zone is found, no entry matches, and the query is forwarded upstream under a new local id 0x801c; the 183-byte answer is then cached and returned to the client):

[worker 0] dns_local_lookup()-2476: vfid=0, real_vfid=0, qname=example.com, qtype=1, qclass=1, offset=29, map#=2 max_sz=512
[worker 0] dns_lookup_aa_zone()-608: vfid=0, fqdn=example.com

[worker 0] dns_local_lookup()-2528: found zone=Example domain=example.com

[worker 0] dnsentry_search()-506: domain=example.com, name=example.com, type=1

[worker 0] dnsentry_lookup()-430: domain=example.com, name=example.com, type=1

[worker 0] dnsentry_lookup()-430: domain=example.com, name=example.com, type=5

[worker 0] dns_send_resol_request()-1234: orig id: 0x0000 local id: 0x801c domain=example.com

[worker 0] dns_udp_forward_request()-1060: vdom=root req_type=1 domain=example.com oif=0

[worker 0] dns_query_handle_response()-2580: vfid=0 real_vfid=0 vrf=0 id=0x801c domain=example.com pktlen=183

[worker 0] dns_query_save_response()-2561: domain=example.com pktlen=183

[worker 0] dns_set_min_ttl()-188: QR: example.com

[worker 0] hostname_entry_insert()-143: af=2 domain=example.com

[worker 0] dns_send_response()-1543: domain=example.com reslen=183

[worker 0] dns_query_delete()-566: orig id:0x0000 local id:0x801c domain=example.com active

 

Non-working (the zone is found and no entry matches, but no dns_send_resol_request or dns_udp_forward_request follows: FortiGate builds its own 29-byte response, the same size as the 29-byte query, which means it contains only the header and the question and carries no answer records):

[worker 0] dns_local_lookup()-2476: vfid=0, real_vfid=0, qname=example.com, qtype=1, qclass=1, offset=29, map#=2 max_sz=512
[worker 0] dns_lookup_aa_zone()-608: vfid=0, fqdn=example.com
[worker 0] dns_local_lookup()-2528: found zone=Example domain=example.com
[worker 0] dnsentry_search()-506: domain=example.com, name=example.com, type=1
[worker 0] dnsentry_lookup()-430: domain=example.com, name=example.com, type=1
[worker 0] dnsentry_lookup()-430: domain=example.com, name=example.com, type=5
[worker 0] dns_query_save_response()-2561: domain=example.com pktlen=29
[worker 0] dns_send_response()-1543: domain=example.com reslen=29
[worker 0] dns_query_delete()-566: orig id:0x0000 local id:0x0000 domain=example.com non-active
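The two traces above can be told apart mechanically. The following Python script is an added example, not code from the original article or from Fortinet: it parses dnsproxy debug lines and classifies a lookup as forwarded upstream, answered locally with records, or answered locally with an empty reply (the signature of 'authoritative enable' on a zone that lacks the name). The two sample traces are constructed from the debug lines shown in this article; the function names and the result labels are this example's own. The empty-reply check relies on the DNS wire format: a message holding only the 12-byte header and one question for 'example.com' (13 bytes of encoded name plus QTYPE and QCLASS) is exactly 29 bytes, the reslen seen in the non-working trace.

```python
"""Classify a FortiGate dnsproxy debug trace: was the query forwarded upstream,
or answered locally, and if locally, did the answer carry any records?

Added example, not code from the original article or from Fortinet. The two
traces are constructed from the debug lines shown in the article; the function
names and the result labels are this example's own.
"""
import re

# Constructed sample: the working trace (set authoritative disable).
WORKING = """\
[worker 0] dns_local_lookup()-2476: vfid=0, real_vfid=0, qname=example.com, qtype=1, qclass=1, offset=29, map#=2 max_sz=512
[worker 0] dns_lookup_aa_zone()-608: vfid=0, fqdn=example.com
[worker 0] dns_local_lookup()-2528: found zone=Example domain=example.com
[worker 0] dnsentry_search()-506: domain=example.com, name=example.com, type=1
[worker 0] dnsentry_lookup()-430: domain=example.com, name=example.com, type=1
[worker 0] dnsentry_lookup()-430: domain=example.com, name=example.com, type=5
[worker 0] dns_send_resol_request()-1234: orig id: 0x0000 local id: 0x801c domain=example.com
[worker 0] dns_udp_forward_request()-1060: vdom=root req_type=1 domain=example.com oif=0
[worker 0] dns_udp_forward_request()-1180: Send 29B to [96.45.45.45]:53 via fd=19 request:1
[worker 0] dns_query_handle_response()-2580: vfid=0 real_vfid=0 vrf=0 id=0x801c domain=example.com pktlen=183
[worker 0] dns_send_response()-1543: domain=example.com reslen=183
"""

# Constructed sample: the non-working trace (set authoritative enable).
NON_WORKING = """\
[worker 0] dns_local_lookup()-2476: vfid=0, real_vfid=0, qname=example.com, qtype=1, qclass=1, offset=29, map#=2 max_sz=512
[worker 0] dns_lookup_aa_zone()-608: vfid=0, fqdn=example.com
[worker 0] dns_local_lookup()-2528: found zone=Example domain=example.com
[worker 0] dnsentry_search()-506: domain=example.com, name=example.com, type=1
[worker 0] dnsentry_lookup()-430: domain=example.com, name=example.com, type=1
[worker 0] dnsentry_lookup()-430: domain=example.com, name=example.com, type=5
[worker 0] dns_query_save_response()-2561: domain=example.com pktlen=29
[worker 0] dns_send_response()-1543: domain=example.com reslen=29
[worker 0] dns_query_delete()-566: orig id:0x0000 local id:0x0000 domain=example.com non-active
"""

LINE_RE = re.compile(r"\[worker \d+\] (?P<func>\w+)\(\)-\d+: (?P<rest>.*)")
KV_RE = re.compile(r"(\w+)=([^\s,]+)")
SEND_RE = re.compile(r"Send \d+B to \[([^\]]+)\]:(\d+)")


def empty_answer_size(qname: str) -> int:
    """Wire size of a DNS message holding only the 12-byte header and one
    question: header + encoded name (one length byte per label plus the
    terminating zero) + QTYPE + QCLASS. A response of exactly this size for
    the same name carries no answer, authority or additional records."""
    labels = [label for label in qname.rstrip(".").split(".") if label]
    encoded_name = sum(1 + len(label) for label in labels) + 1
    return 12 + encoded_name + 4


def parse_trace(text: str):
    """Return a list of (function, {key: value}) for each dnsproxy debug line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m.group("func"), dict(KV_RE.findall(m.group("rest")))))
    return events


def upstream_server(text: str):
    """(ip, port) the query was forwarded to, or None if it never left the box."""
    m = SEND_RE.search(text)
    return (m.group(1), int(m.group(2))) if m else None


def classify(text: str) -> str:
    events = parse_trace(text)
    qname = next((kv["qname"] for _, kv in events if "qname" in kv), None)
    zone = next((kv["zone"] for _, kv in events if "zone" in kv), None)
    reslen = next((int(kv["reslen"]) for f, kv in events
                   if f == "dns_send_response" and "reslen" in kv), None)
    if any(f == "dns_udp_forward_request" for f, _ in events):
        return "forwarded"
    if zone and qname and reslen == empty_answer_size(qname):
        # Zone matched, nothing was forwarded, and the reply is header+question
        # only: the signature of 'set authoritative enable' on a zone that
        # does not contain the queried name.
        return "answered_locally_empty"
    if zone and reslen:
        return "answered_locally"
    return "unknown"


if __name__ == "__main__":
    for name, trace in (("working", WORKING), ("non-working", NON_WORKING)):
        print(name, classify(trace), upstream_server(trace))
```

To use it on a real device, capture the output of 'diagnose debug application dnsproxy -1' for one lookup, keep only the lines for the domain in question and pass that text to classify(). A result of 'answered_locally_empty' on a name that should have gone upstream points straight at the 'authoritative' setting of the matching zone.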

 

Use case of source-ip in dns-database (see this article: Technical Tip: How to control/change the FortiGate source IP for self-generated traffic).

 

If this DNS request should be sent to DNS forwarders or to local DNS servers, whether over the local network or through a VPN:

  • Again, make sure that 'authoritative' is disabled.
  • It may also be necessary to specify a source IP in the dns-database entry. For a VPN, the tunnel must have a matching phase2 selector and a route so that the traffic is sent through it:

 

config system dns-database
    edit "Example"
        set source-ip x.x.x.x
    next
end

 

  • If no source IP is specified, FortiGate uses the IP address of the interface with the lowest index for this locally generated traffic.
  • The interface index can be checked with the following command:

 

diagnose ip address list

 

Note: only FortiOS v7.6.x allows 'system dns-database' to specify an outgoing interface or to follow the SD-WAN rules:

config system dns-database
    edit "Example"
        set source-ip x.x.x.x
        set interface-select-method [auto|sdwan|specify]
        set interface [string]
    next
end

 

Related articles: 

Technical Tip: DNS conditional forwarding

Technical Tip: Different options of configuring DNS server on FortiGate