smartgate
Visitor III
January 13, 2025
Question

fortigate "forward traffic" Accept : DNS Error

  • January 13, 2025
  • 3 replies
  • 1825 views

When checking the log in the fortigate forward traffic menu, the message Accept: DNS Error appears.

In what cases does this occur?

As for Deny : DNS Error, we know that a DNS Error can be caused by problems such as incorrect responses from the DNS server.

But how should we understand Accept?

The DNS server is an internal server, and is currently causing problems when using certain services.


3 replies

AEK
SuperUser
January 13, 2025

I guess your DNS server is responding with an error message, and FortiGate policy is just accepting this response, and FortiGate could read in the DNS response that it is actually a DNS error message.

It's like when FortiGate accepts a valid response from the DNS server.

So I guess the DNS response that contains an error message is from the server and has nothing to do with FortiGate.

AEK
smartgate (Author)
Visitor III
January 13, 2025

Thank you for your reply.

I checked the traffic through debug, but found nothing unusual. But let's check again through Wireshark.


dingjerry_FTNT
Staff
January 13, 2025

Hi @smartgate ,


There is an article outside of the Fortinet Community that explains it well:

https://www.brg.ch/fortigate-deny-dns-error-2/


And there is also a Fortinet KB about it:

https://community.fortinet.com/t5/FortiGate/Technical-Note-Deny-DNS-error-and-Deny-IP-connection-error/ta-p/192860?externalID=FD39982

smartgate (Author)
Visitor III
January 13, 2025

Thank you for your reply, but you didn't read my post properly.

I already know that, and what I'm curious about is Accept:DNS Error, not Deny:DNS Error.

dingjerry_FTNT
Staff
January 13, 2025

Hi @smartgate ,


It's the same thing about the "DNS Error" part.  "Accept" part means the traffic is accepted by the firewall policy.

AEK
SuperUser
January 13, 2025

On your client host, what do you get when you try nslookup query?

Does a valid response generate the same DNS Error log in the FGT traffic log?

Also on your DNS server try to check the DNS logs if you can find any error log associated with the mentioned error.

AEK
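The two replies from AEK hinge on one detail: the "DNS Error" part of the log line reflects the RCODE that the DNS server itself puts in the header of its reply (NXDOMAIN, SERVFAIL, REFUSED and so on), which the firewall can read off the wire regardless of whether the policy accepted or denied the session. The following is an added example, not code from the original thread or from Fortinet: it builds a query, parses the flags and RCODE of a response the way a DNS-inspecting device would, and constructs sample replies (a good answer, NXDOMAIN, SERVFAIL) so it runs offline. The hostname `app.corp.example` and the address `10.0.0.5` are made up for the illustration; `lookup()` is the live check AEK suggests (the equivalent of `nslookup` against the internal server) and is only called if you invoke it yourself.

```python
import socket
import struct

# DNS RCODE values from RFC 1035 section 4.1.1 (extended codes live in RFC 6895).
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED"}


def encode_name(name):
    """Encode a dotted hostname as DNS labels, e.g. b'\\x03www\\x07example\\x03com\\x00'."""
    labels = [l for l in name.strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg, offset):
    """Decode a (possibly compressed) name at `offset`; return (name, offset after it)."""
    labels = []
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer, RFC 1035 section 4.1.4
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            labels.append(decode_name(msg, pointer)[0])
            return ".".join(labels), offset + 2
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def build_query(name, txid=0x1234, qtype=1):
    """Standard query with RD=1 and one question (type A by default, class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def make_response(query, rcode, addresses=()):
    """Constructed server reply (test data, not a captured packet): echoes the
    transaction id and question, sets QR/RD/RA plus the given RCODE, adds A records."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8180 | (rcode & 0xF)  # QR=1, RD=1, RA=1, RCODE in the low 4 bits
    header = struct.pack("!HHHHHH", txid, flags, 1, len(addresses), 0, 0)
    answers = b""
    for ip in addresses:
        # Name is a pointer to offset 12 (the question's QNAME); type A, class IN, TTL 60.
        answers += struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + socket.inet_aton(ip)
    return header + query[12:] + answers


def parse_header(msg):
    """Pull the fields a DNS-inspecting device needs out of the 12-byte header."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    return {"txid": txid, "qr": bool(flags & 0x8000), "rcode": rcode,
            "rcode_name": RCODE_NAMES.get(rcode, "RCODE%d" % rcode),
            "qdcount": qd, "ancount": an}


def classify(msg):
    """Summarise a DNS message: a query, an error reply, or a valid reply."""
    h = parse_header(msg)
    if not h["qr"]:
        return "query"
    qname = decode_name(msg, 12)[0] if h["qdcount"] else "<no question>"
    if h["rcode"] != 0:
        return "DNS error: %s for %s" % (h["rcode_name"], qname)
    return "valid response: %d answer(s) for %s" % (h["ancount"], qname)


def lookup(name, server, timeout=2.0):
    """Live check over UDP/53 against your own DNS server (needs network access)."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        resp, _ = s.recvfrom(4096)
    if parse_header(resp)["txid"] != parse_header(q)["txid"]:
        raise ValueError("transaction id mismatch, reply does not belong to our query")
    return classify(resp)


if __name__ == "__main__":
    q = build_query("app.corp.example")  # hypothetical internal hostname
    samples = [("good", make_response(q, 0, ["10.0.0.5"])),
               ("nxdomain", make_response(q, 3)),
               ("servfail", make_response(q, 2))]
    for label, resp in samples:
        print("%-9s -> %s" % (label, classify(resp)))
```

If the packet capture is easier than scripting, the same thing is visible in Wireshark with the display filter `dns.flags.rcode != 0`, which shows only the replies whose header carries a non-zero RCODE; each of those is a "DNS Error" from the server's side, independent of how the firewall policy treated the session.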