Technical Tip: Public Fortinet DNS unable to resolve domain name on Authoritative DNS server
| Description | This article describes how to use the FortiGuard DNS server for domain name resolution. Authoritative DNS servers that are not compliant with RFC 6891 (https://datatracker.ietf.org/doc/html/rfc6891) return FORMERR or SERVFAIL, or the query times out. |
| Scope | FortiGuard Public DNS server. |
| Solution | Sample DNS response from FortiGuard DNS server:
Some public DNS servers, such as Google DNS (8.8.8.8) or Cloudflare DNS, use a workaround to resolve domain names hosted on authoritative DNS servers that are not RFC 6891 compliant.
DNS resolution example with Public FortiGuard DNS and Google DNS:
FortiGuard (Not resolved):
dig <DomainNameNotCompliantwithRFC6891> @208.91.112.52
<Truncated>
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 49963
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
<Truncated>
Google (Resolved):
dig <DomainNameNotCompliantwithRFC6891> @8.8.8.8
<Truncated>
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14604
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
<Truncated>
;; ANSWER SECTION:
<DomainNameNotCompliantwithRFC6891> 3600 IN A
<Truncated>
To check whether the authoritative DNS server for the domain name is compliant with RFC 6891, go to the website:
To check if the remote authoritative servers are not EDNS-compliant:
Workaround: Configure DNS forwarding for the domain to use Google DNS:
config system dns-database
See the following article for more information about DNS conditional forwarding: Technical Tip: DNS conditional forwarding
To fix the issue, update the DNS software on Authoritative DNS servers that are not RFC 6891 compliant or use Google DNS. |
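The EDNS check mentioned above can also be scripted. The following is an added example, not Fortinet's code: it builds an EDNS(0) query, sends it directly to an authoritative server, and classifies the reply by the failure modes named in the description (FORMERR, SERVFAIL, timeout). The function names, the verdict strings, the 1232-byte payload size and the extra "answers but ignores EDNS" case (a reply that carries no OPT record) are assumptions of this example.

```python
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
OPT = 41  # RR type of the EDNS(0) pseudo-record defined by RFC 6891

def build_query(name, qid=0x1234, edns=True):
    """Non-recursive A query; edns=True appends an OPT RR (EDNS version 0)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    msg = struct.pack(">HHHHHH", qid, 0, 1, 0, 0, int(edns)) + qname + b"\0" + struct.pack(">HH", 1, 1)
    if edns:  # OPT RR: root name, TYPE, CLASS=UDP size (1232 chosen here), TTL=flags, RDLEN=0
        msg += b"\0" + struct.pack(">HHIH", OPT, 1232, 0, 0)
    return msg

def _skip_name(msg, off):  # offset just past a (possibly compressed) domain name
    while msg[off] and (msg[off] & 0xC0) != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)

def classify(resp):
    """Return (rcode, has_opt, verdict); the verdict strings are this example's own labels."""
    _, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", resp[:12])
    rcode = RCODES.get(flags & 0xF, str(flags & 0xF))
    off = 12
    for _ in range(qd):  # skip the echoed question(s)
        off = _skip_name(resp, off) + 4
    has_opt = False
    for _ in range(an + ns + ar):  # walk every RR looking for OPT
        off = _skip_name(resp, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", resp[off:off + 10])
        has_opt |= rtype == OPT
        off += 10 + rdlen
    if rcode in ("FORMERR", "SERVFAIL"):
        return rcode, has_opt, "fails on EDNS query"
    return rcode, has_opt, ("EDNS ok" if has_opt else "answers but ignores EDNS")

def probe(server, name, timeout=3.0):
    """Send the EDNS query over UDP to one authoritative server; a timeout is also a failure."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name), (server, 53))
            return classify(s.recv(4096))
        except socket.timeout:
            return None, False, "timeout on EDNS query"

if __name__ == "__main__":
    # Constructed reply (not a capture): QR set, RCODE=FORMERR, question echoed back
    reply = struct.pack(">HHHHHH", 0x1234, 0x8001, 1, 0, 0, 0) + build_query("example.com", edns=False)[12:]
    print(classify(reply))
```

Call `probe()` once per name server listed for the affected domain; any verdict other than "EDNS ok" points at the server that needs the software update described above.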

