smaruvala
Staff
December 11, 2024

Technical Tip: Handling of the DNS Dynamic update packet by FortiGate in Proxy mode

Description
This article explains how the FortiGate handles the DNS Dynamic update packet in proxy mode. This type of DNS packet is generated when a user executes the command 'ipconfig /registerdns'.
Scope
FortiGate.
Solution
  • On Windows machines, the user can execute the command 'ipconfig /registerdns' to update the DNS records on the DNS server.
  • These DNS request packets have an Opcode of 5, which identifies them as DNS Dynamic update packets. Below is a screenshot of the sample output.

[Screenshot: dynamicupdate.png]

  • When the FortiGate receives these packets, it checks its cache first before forwarding the packet to the server.
  • If FortiGate finds the information in its cache, it responds without forwarding the DNS request to the server. The response is a complete packet, but it carries incorrect information because it is a cached response.
  • This also defeats the purpose of the DNS Dynamic update packet, which is to inform the DNS server to update the records.
  • There is no command on the FortiGate to view the cached information that the FortiGate responds with.
  • The debug output of the 'dnsproxyd' application shows the output below, which indicates that FortiGate is sending the cached response instead of forwarding the packets to the server.

 

2024-11-21 07:02:18 [worker 0] udp_receive_redirect()-3276
2024-11-21 07:02:18 [worker 0] udp_receive_redirect()-3328: vd=0, vrf=0, intf=11, len=104, alen=16, 10.10.22.29:61228=>10.10.3.51
2024-11-21 07:02:18 [worker 0] handle_dns_request()-2489: vfid=0 real_vfid=0 id=0xc71e pktlen=104 qr=0 req_type=2
2024-11-21 07:02:18 [worker 0] dns_parse_message()-603
2024-11-21 07:02:18 [worker 0] dns_policy_find_by_idx()-2924: vfid=0 idx=1
2024-11-21 07:02:18 [worker 0] dns_secure_log_request()-1123: id:0xc71e pktlen=104 profile=Block-Security-Risk ifindex=11
2024-11-21 07:02:18 [worker 0] dns_secure_log_request()-1179: write to log: qname=xxxxxxxxxx qtype=6
2024-11-21 07:02:18 [worker 0] dns_profile_do_url_rating()-1992: vfid=0 profile=Block-Security-Risk category=255 domain=xxxxxxxxx
2024-11-21 07:02:18 [worker 0] botnet_domain_search()-2291: domain=xxxxxxxxxxx passed botnet check
2024-11-21 07:02:18 [worker 0] dns_profile_do_url_rating()-2088: request filter result for xxxxxxxxxxx (type=0 action=9)
2024-11-21 07:02:18 [worker 0] dns_send_cached_response()-1747: domain=xxxxxxxx
2024-11-21 07:02:18 [worker 0] dns_query_save_response()-2724: domain=xxxxxxxxx pktlen=101
2024-11-21 07:02:18 [worker 0] dns_adjust_ttl_values()-142
2024-11-21 07:02:18 [worker 0] dns_adjust_ttl_values()-145: Offset of 1st RR: 29
2024-11-21 07:02:18 [worker 0] dns_adjust_ttl_values()-147: Number of RR's: 4
2024-11-21 07:02:18 [worker 0] dns_adjust_ttl_values()-158: New ttl: 0
2024-11-21 07:02:18 [worker 0] dns_adjust_ttl_values()-158: New ttl: 0
2024-11-21 07:02:18 [worker 0] dns_adjust_ttl_values()-158: New ttl: 0
2024-11-21 07:02:18 [worker 0] dns_adjust_ttl_values()-158: New ttl: 1105
2024-11-21 07:02:18 [worker 0] dns_forward_response()-1720
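
As an added example (not part of the original article and not Fortinet code), the following Python script scans dnsproxyd debug output in the format shown above and lists the requests that were answered through dns_send_cached_response(), together with the client flow, DNS id and logged qtype. It assumes each worker logs one request's lines contiguously; the second request in the sample is constructed for contrast.

```python
import re

# The first five lines are copied from the debug output on this page; the
# request with id=0x1a2b is constructed and reuses only function names seen there.
SAMPLE = """\
2024-11-21 07:02:18 [worker 0] udp_receive_redirect()-3328: vd=0, vrf=0, intf=11, len=104, alen=16, 10.10.22.29:61228=>10.10.3.51
2024-11-21 07:02:18 [worker 0] handle_dns_request()-2489: vfid=0 real_vfid=0 id=0xc71e pktlen=104 qr=0 req_type=2
2024-11-21 07:02:18 [worker 0] dns_secure_log_request()-1179: write to log: qname=xxxxxxxxxx qtype=6
2024-11-21 07:02:18 [worker 0] dns_send_cached_response()-1747: domain=xxxxxxxx
2024-11-21 07:02:18 [worker 0] dns_forward_response()-1720
2024-11-21 07:02:19 [worker 0] udp_receive_redirect()-3328: vd=0, vrf=0, intf=11, len=60, alen=16, 10.10.22.30:50000=>10.10.3.51
2024-11-21 07:02:19 [worker 0] handle_dns_request()-2489: vfid=0 real_vfid=0 id=0x1a2b pktlen=60 qr=0 req_type=2
2024-11-21 07:02:19 [worker 0] dns_secure_log_request()-1179: write to log: qname=xxxxxxxxxx qtype=1
"""

# timestamp, worker number, function name, optional detail after ": "
LINE = re.compile(r"^(\S+ \S+) \[worker (\d+)\] (\w+)\(\)-\d+(?:: (.*))?$")

def cached_replies(text):
    """Return one record per request that dnsproxyd answered from its cache."""
    pending_flow = {}  # worker -> "src:port=>dst" seen in udp_receive_redirect
    current = {}       # worker -> record of the request being processed
    hits = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, worker, func, detail = m.group(1), m.group(2), m.group(3), m.group(4) or ""
        if func == "udp_receive_redirect" and "=>" in detail:
            pending_flow[worker] = detail.rsplit(" ", 1)[-1]
        elif func == "handle_dns_request":
            rid = re.search(r"\bid=(0x[0-9a-f]+)", detail)
            current[worker] = {"time": ts, "id": rid.group(1) if rid else None,
                               "flow": pending_flow.pop(worker, None), "qtype": None}
        elif func == "dns_secure_log_request" and worker in current:
            qt = re.search(r"\bqtype=(\d+)", detail)
            if qt:
                current[worker]["qtype"] = int(qt.group(1))
        elif func == "dns_send_cached_response" and worker in current:
            hits.append(current.pop(worker))  # request was served from cache
    return hits

if __name__ == "__main__":
    for hit in cached_replies(SAMPLE):
        print(hit)
```

A hit with qtype 6 (SOA, the record type carried in the zone section of a dynamic update) from a client that just ran 'ipconfig /registerdns' matches the behaviour described in this article.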

 

This issue has been resolved in v7.4.8 and v7.6.3.