ChiefSec_Fortinet
Visitor III
July 10, 2023
Question

FortiGuard DNS issue


Recently ran into an issue where the FortiGate was providing incorrect IP addresses for requests to Microsoft domains. This led to certificate errors in Outlook and browser connections to portal.azure.com.

There appears to be some Reddit evidence of other users also seeing this issue:

https://www.reddit.com/r/fortinet/comments/yuu50t/dns_issues_while_using_fortinet_dns_servers/

Looks like the same IP that we saw (93.174.121.39) and certificate (SubName = gaia.iphost.gr).

As a work-around you can change your FW DNS settings to point to a third-party DNS provider, but curious if other people are seeing this and/or how to keep it from happening while using FortiGuard services for DNS. (I believe this is a requirement to leverage DNS filtering.)

8 replies

kgeorge
Staff
July 11, 2023

Hello,

Good day to you.

Please be advised that our FortiGuard anycast DNS servers are cache-only DNS servers. They will query upstream authoritative name servers.

One possible reason is that for a short period, some external authoritative name servers in the Europe region somehow did not return correct DNS records.

This is purely related to Microsoft resolving to an incorrect IP and it is mostly a temporary issue.

Regards,

Klint George

mikes1979
New Member
July 13, 2023

This is, in my opinion, a poor response by Fortinet. It leans to a "not our fault" attitude, with a side helping of "not a big deal, after all it's 'mostly a temporary issue'", and a dash of "one possible reason" and "somehow", which is unacceptable. A proper response should contain exactly how it happened and what is being done to prevent such an incident again.

Gnester
New Member
July 11, 2023

We fought this all day yesterday. We're seeing this in about 25% of our FortiGates in the field, but nowhere else outside of FortiGate-protected environments. Changing DNS in the FortiGate seemed to help, but was still not 100%.

Hours with Microsoft have relayed this back to ISP issues, from their perspective.

With a packet capture we were able to see the issue lies with DNS queries that go through o365filtering.com/azure-dns.info and azure-dns.org specifically. DNS queries outside those name servers were fine.

If this continues, I'll simply start blocking DNS traffic to *.azure-dns.* as a next step.

SupportKrg
New Member
July 11, 2023

Just came here to say we had the same issue on many of our FortiGates as well. Glad it's only DNS, was thinking this was much worse than the FortiGates' upstream DNS. Still should not happen.

FortiNooby
New Member
July 12, 2023

Has anyone had any success with this yet? I've tried some of the suggestions but am still having random issues. Mainly internal sites that use AzureAD for SSO. I tried a DNS filter to block *.azure-dns* like @Gnester suggested, but that just throws up a red screen saying it's been blocked. Perhaps I didn't do something correctly.

mikes1979
New Member
July 13, 2023

In my case the FortiGuard DNS feature did not respect my switching DNS from Fortinet to public DNS in the firewall. The only way I could completely solve the issue was to set my internal DNS servers to forward to public DNS and completely remove the FortiGate from the equation.

SupportKrg
New Member
July 12, 2023

We rolled external public DNS and so far so good on our side.

travuselm
Explorer
July 12, 2023

The DNS issue is related to Bug ID 0898560.
This issue is from the upstream DNS provider and FortiGuard is affected by this.

ChiefSec_Fortinet
Visitor III
July 12, 2023

Is there anywhere I can lookup the details/status of that bug ID?

BHJ
New Member
December 18, 2024

Hi

This issue still exists.
When assigning FortiGuard DNS servers to clients, they still receive occasional, random replies to DNS lookups, whereas clients using 208.67.222.222 or 8.8.8.8 receive consistent replies.

[Screenshot attached: Screenshot 2024-12-18 071654.png]
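A practitioner's check for what Gnester's packet capture and BHJ's resolver comparison describe, as an added example that is not part of the thread and not Fortinet code: send the same A query to several resolvers, flag any resolver whose answer shares no address with the others, and then confirm a suspect address by opening a TLS connection to it with the expected SNI name, which reproduces the certificate error from the opening post (a certificate for a different name fails verification). Everything uses only the Python standard library. Assumptions: the resolver labels and the FortiGuard address 96.45.45.45 are placeholders to replace with the resolvers your FortiGate actually hands out (8.8.8.8 and 208.67.222.222 are the ones named in the thread); `build_response` produces constructed wire-format test data, not captured traffic.

```python
"""Cross-resolver DNS consistency check (stdlib only); added example, not from the thread."""
import random
import socket
import ssl
import struct

# Assumed resolver set; 96.45.45.45 is an assumed FortiGuard DNS address, verify yours.
RESOLVERS = {"google": "8.8.8.8", "opendns": "208.67.222.222", "fortiguard": "96.45.45.45"}


def build_query(name: str, qid: int) -> bytes:
    """Minimal recursive A/IN query in DNS wire format (RFC 1035)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def build_response(qid: int, name: str, addrs: list[str], rcode: int = 0) -> bytes:
    """Constructed test data (not captured traffic): one A record per address."""
    question = build_query(name, qid)[12:]
    header = struct.pack("!HHHHHH", qid, 0x8180 | rcode, 1, len(addrs), 0, 0)
    rr = lambda a: b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(a)
    return header + question + b"".join(rr(a) for a in addrs)


def _skip_name(buf: bytes, off: int) -> int:
    """Advance past a (possibly compressed) domain name; return the new offset."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_a_records(resp: bytes, qid: int) -> set[str]:
    """Return IPv4 addresses from the answer section; raise on bad id or rcode."""
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if rid != qid:
        raise ValueError("transaction id mismatch (possible spoofed reply)")
    if flags & 0x000F:
        raise ValueError(f"server returned rcode {flags & 0x000F}")
    off = 12
    for _ in range(qdcount):
        off = _skip_name(resp, off) + 4  # skip QTYPE + QCLASS
    addrs: set[str] = set()
    for _ in range(ancount):
        off = _skip_name(resp, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.add(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen  # CNAME and other types are skipped, not followed
    return addrs


def query_resolver(resolver_ip: str, name: str, timeout: float = 2.0) -> set[str]:
    """Send one UDP A query to resolver_ip and parse the reply (needs network)."""
    qid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qid), (resolver_ip, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_records(data, qid)


def find_outliers(answers: dict[str, set[str]]) -> dict[str, set[str]]:
    """Resolvers whose answer shares no address with any other resolver's answer."""
    # Geo/load-balanced DNS can legitimately differ per resolver: treat hits as leads.
    if len(answers) < 2:
        return {}
    outliers = {}
    for name, addrs in answers.items():
        others = set().union(*(a for n, a in answers.items() if n != name))
        if not addrs & others:
            outliers[name] = addrs
    return outliers


def cert_matches(ip: str, hostname: str, timeout: float = 3.0) -> tuple[bool, str]:
    """TLS-connect to ip with SNI=hostname; False + reason if the cert does not verify."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((ip, 443), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                return True, str(tls.getpeercert().get("subject"))
    except ssl.SSLCertVerificationError as exc:
        return False, exc.verify_message  # e.g. hostname mismatch, as in the thread
    except OSError as exc:
        return False, str(exc)


if __name__ == "__main__":
    host = "portal.azure.com"
    answers = {}
    for label, ip in RESOLVERS.items():
        try:
            answers[label] = query_resolver(ip, host)
        except (OSError, ValueError) as exc:
            print(f"{label} ({ip}) failed: {exc}")
    print(host, answers)
    for label, addrs in find_outliers(answers).items():
        for addr in addrs:
            ok, detail = cert_matches(addr, host)
            print(f"suspect {label} -> {addr}: cert ok={ok} ({detail})")
```

Run it from a client behind the FortiGate and from one that bypasses it; an answer that only the FortiGuard resolver returns and that fails `cert_matches` for the queried name is the signature reported in this thread, whereas an outlier whose certificate does verify is most likely ordinary geo-based load balancing and not a fault.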