PaoloMitre
New Member
October 1, 2010
Question

FQDN resolution and dns cache

Hi everybody, I've had a problem with FQDN resolution in a FG 1000A. A policy didn't work fine as the source address, specified by a FQDN, wasn't resolved. I executed the diagnose command "diag test application dnsproxy 6", that dumps the DNS proxy cache. I couldn't see the FQDN and its resolved IP in the list. Then I executed the command "diag test application dnsproxy 4" that deletes and re-creates all FQDN addresses. After that, executing again the command "diag test application dnsproxy 6", I could see the FQDN address and the resolved IP. Could anyone explain to me what happened? Could it be a cache problem? Does anyone know how the FortiGate DNS cache works? Thanks! Paolo Boaretto

    8 replies

    PaoloMitre
    New Member
    October 5, 2010
    Any reply???
    rwpatterson
    New Member
    October 5, 2010
    My only thought would be maybe that the address is dynamic and the 1000A didn't pick it up the first time through.
    PaoloMitre
    New Member
    October 5, 2010
    There are no dynamic addresses. I'd like to know if the FortiGate has a cache and, if yes, how it works.
    FortiRack_Eric
    New Member
    October 5, 2010
    FQDNs are resolved at time of creation and translated into an internal (kernel) IP rule. FQDNs are resolved again, based on the DNS TTL of the A-record, and again re-translated into an internal IP-based rule. Hope this clarifies it. Cheers, Eric
    PaoloMitre
    New Member
    October 5, 2010
    Eric, thanks a lot! Now I can say the problem is due to the DNS server.
    PaoloMitre
    New Member
    October 6, 2010
    I've a last question: the FortiOS diagnose command "diag test application dnsproxy 6" dumps the proxy cache. Here you have one line of the output:

    2010-10-06 12:42:12 vfid=0 name=ENWS02181636.xxx.xxx: timer running, min_ttl=1200:335, cache_ttl=0 , slot=-1, num=1 2010-10-06 12:42:12 2010-10-06 12:42:12 10.139.246.99 (ttl=1200:341:341)2010-10-06 12:42:12

    Could someone explain to me which values I must consider? cache_ttl? min_ttl? Does cache_ttl = 0 mean an infinite TTL? Thanks
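    As an added example (not from this thread and not Fortinet code), a small Python parser for the dnsproxy cache dump line quoted above, plus a check that reports the FQDN address objects used in policies that are either absent from the cache or present without a resolved IP, which is the symptom described in the first post. Field meanings are taken only from the visible output (the "seconds remaining" reading of the second min_ttl value is an assumption); the second dump entry and the policy FQDN list are constructed.

```python
import re
from dataclasses import dataclass, field

# First line is the real dump line quoted in the thread; the second entry (num=0, no
# address) and POLICY_FQDNS are constructed to exercise the "unresolved FQDN" case.
SAMPLE_DUMP = """\
2010-10-06 12:42:12 vfid=0 name=ENWS02181636.xxx.xxx: timer running, min_ttl=1200:335, cache_ttl=0 , slot=-1, num=1 2010-10-06 12:42:12 2010-10-06 12:42:12 10.139.246.99 (ttl=1200:341:341)2010-10-06 12:42:12
2010-10-06 12:42:12 vfid=0 name=stale-host.example.test: timer running, min_ttl=0:0, cache_ttl=0 , slot=-1, num=0 2010-10-06 12:42:12
"""
POLICY_FQDNS = ["ENWS02181636.xxx.xxx", "stale-host.example.test", "missing-host.example.test"]

_TS = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")  # timestamps interleaved in the dump
_ENTRY = re.compile(
    r"vfid=(?P<vfid>\d+)\s+name=(?P<name>[^:\s]+):"
    r".*?min_ttl=(?P<min_ttl>\d+):(?P<min_left>\d+)"
    r".*?cache_ttl=(?P<cache_ttl>\d+)"
    r".*?num=(?P<num>\d+)"
)
_ADDR = re.compile(r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*\(ttl=(?P<ttl>[\d:]+)\)")

@dataclass
class FqdnEntry:
    name: str
    min_ttl: int        # first value of min_ttl=a:b
    min_ttl_left: int   # second value of min_ttl=a:b (assumed: seconds remaining)
    cache_ttl: int
    num: int            # address count reported by the proxy
    addresses: list = field(default_factory=list)  # (ip, raw ttl string) pairs

def parse_dump(text):
    """Parse a 'diag test application dnsproxy 6' dump into {fqdn: FqdnEntry}."""
    entries = {}
    for chunk in re.split(r"(?=vfid=\d+\s+name=)", _TS.sub(" ", text)):
        m = _ENTRY.search(chunk)
        if m:
            e = FqdnEntry(m["name"], int(m["min_ttl"]), int(m["min_left"]), int(m["cache_ttl"]), int(m["num"]))
            e.addresses = [(a["ip"], a["ttl"]) for a in _ADDR.finditer(chunk)]
            entries[e.name] = e
    return entries

def check_policy_fqdns(dump_text, policy_fqdns):
    """FQDNs the proxy cannot currently turn into an IP rule, with the reason."""
    entries = parse_dump(dump_text)
    problems = {}
    for fqdn in policy_fqdns:
        e = entries.get(fqdn)
        if e is None:
            problems[fqdn] = "not in dnsproxy cache"
        elif not e.addresses:
            problems[fqdn] = "in cache but no resolved address"
    return problems
```

    Run check_policy_fqdns against a saved dump and the FQDN objects referenced by your policies; any FQDN it reports will match no traffic until the proxy resolves it again.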
    PaoloMitre
    New Member
    October 6, 2010
    Any reply? Doesn't a good guide about these diagnose commands exist?
    PaoloMitre
    New Member
    October 11, 2010
    No reply
    billp
    New Member
    October 11, 2010
    The "diag" commands are officially undocumented, I believe. The only docs are internal to FTN or on the KB online. You'd have to submit a support ticket to see if you can get add'l information or recommendations, unfortunately.
    Nihas
    New Member
    May 13, 2015

    Hi Guys,

    I have a few FQDN based policies in place.

    I have executed the below command: dia firewall fqdn flush, and all entries are gone now.

    How can I initiate the sync again?

    Please help