Troubleshooting Tip: DNS filter is giving rating errors, even though there is connectivity to the SDNS servers

When looking at the logs for the DNS filter, and queries are getting blocked due to rating errors, this is usually a network related issue. If it is possible to see the SDNS server reply in a PCAP/sniffer and this error is still seen, the FortiGate may be hitting a unique scenario.

The way that the FortiGate receives DNS ratings is via a TXT record included on the DNS response from the SDNS server.

The following screenshot is an example of this response, with the TXT record included:

The following is an example of the response in a non-working scenario:

It is possible to see that the TXT record is missing. This can be caused if the ISP or a device in between the FortiGate and the internet are doing some sort of DNS inspection, and are stripping this record off the response.