heyyo
New Member
July 8, 2024
Solved

How to see if a DNS server sends an NXDOMAIN error

  • July 8, 2024
  • 2 replies
  • 4295 views

Hi,

 

I am currently working on this KB: FortiGate alt-primary, alt-secondary DNS ... - Fortinet Community

It mentions that Public DNS servers return a name resolution error 'NXDOMAIN' so that another server selection takes place between alt-primary and alt-secondary DNS servers.

 

How do I know if the Public DNS server returns an NXDOMAIN error? Do we see it using debug?

I am not able to successfully implement the KB for internal lookups, but for external lookups it is working as expected.

Anything else which I can do to troubleshoot or look into?

 

Thank you!

    Best answer by fricci_FTNT

    Hi @heyyo ,

     

    I have just tested it from a Windows client using nslookup, setting the DNS server of my choice and running Wireshark. Below a screenshot of my test result:

    [screenshot: test-DNS-NXDOMAIN.PNG]

     

    The answer I get in the DNS response is "no such name", reply code (3).

    Best regards,

    2 replies

    fricci_FTNT
    Staff
    July 8, 2024

    Hi @heyyo ,

     

    NXDOMAIN errors are related to a non-existent domain. To check that, you could run a packet capture and analyse the traffic with Wireshark on a test client.
    Alternatively you can run a packet capture on the FortiGate filtering by the DNS port 53 and the DNS server IP.
    Bear in mind that if the DNS traffic uses DoH (DNS over HTTPS) or DoT (DNS over TLS) you may not be able to see the pcap content.

    You may try to run the following debug and check if you are able to see NXDOMAIN errors:

    diag debug application dnsproxy -1
    diag debug console timestamp en
    diag debug en

     

    If using DNS port 53, the best way to see the DNS response is to run the packet sniffer below and convert the output so it can be analysed with Wireshark:
    diag sniffer packet any "host x.x.x.x and host y.y.y.y and port 53" 6 0 l    #<----- x.x.x.x is the client IP and y.y.y.y is the DNS server IP; 6 = verbose level including the packet hex dump, 0 = no packet count limit, l = local timestamps


    https://community.fortinet.com/t5/FortiGate/Technical-Tip-Packet-capture-sniffer/ta-p/198313

    https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Using-the-FortiOS-built-in-packet-sniffer/ta-p/194222

    https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-import-diagnose-sniffer-packet-data-to/ta-p/191727


    Best regards,
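What you are looking for in the capture, whether taken on the client with Wireshark or converted from the FortiGate sniffer output, is the 4-bit RCODE field in the DNS header: 3 means NXDOMAIN, which Wireshark labels "No such name". The script below is an added example, not code from this thread or from Fortinet: it decodes the header and first question of a raw DNS message and reports whether the message is an NXDOMAIN response. The two messages it builds at the bottom are constructed by hand for the example (names under example.com, a 192.0.2.x address), not captured traffic, and the function and constant names are this example's own.

```python
"""Added example (not from the Fortinet thread): decode the RCODE of a raw DNS
message so NXDOMAIN (RCODE 3, "No such name" in Wireshark) can be told apart
from a normal answer. Sample messages are constructed, not captured."""
import struct

# DNS response codes from RFC 1035 section 4.1.1 (values 0-5).
RCODE_NAMES = {
    0: "NOERROR",
    1: "FORMERR",
    2: "SERVFAIL",
    3: "NXDOMAIN",   # the name in the question does not exist
    4: "NOTIMP",
    5: "REFUSED",
}
NXDOMAIN = 3


def encode_name(name: str) -> bytes:
    """Wire-encode a domain name as length-prefixed labels ending in a 0 byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Decode a name at offset, following compression pointers (RFC 1035 4.1.4).
    Returns the dotted name and the offset just past the name as it appears
    at the original position (two bytes for a pointer)."""
    labels = []
    end = None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # 2-byte compression pointer
            if end is None:
                end = offset + 2
            offset = struct.unpack_from("!H", msg, offset)[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_response(msg: bytes) -> dict:
    """Parse the 12-byte DNS header and the first question of a message."""
    if len(msg) < 12:
        raise ValueError("shorter than a DNS header")
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack_from("!6H", msg, 0)
    rcode = flags & 0x000F
    info = {
        "id": txid,
        "is_response": bool(flags & 0x8000),    # QR bit
        "authoritative": bool(flags & 0x0400),  # AA bit
        "truncated": bool(flags & 0x0200),      # TC bit
        "rcode": rcode,
        "rcode_name": RCODE_NAMES.get(rcode, "RCODE%d" % rcode),
        "answers": ancount,
        "authority": nscount,
    }
    if qdcount:
        qname, off = decode_name(msg, 12)
        info["qname"], info["qtype"], info["qclass"] = (qname,) + struct.unpack_from("!HH", msg, off)
    return info


def is_nxdomain(msg: bytes) -> bool:
    """True only for a *response* with RCODE 3. The QR bit must be checked too:
    a query also carries an RCODE field, and a malformed one could have it set."""
    hdr = parse_response(msg)
    return hdr["is_response"] and hdr["rcode"] == NXDOMAIN


# --- constructed sample messages for this example (not captured traffic) ----

def build_nxdomain_response(name: str = "nonexistent.example.com", txid: int = 0x1234) -> bytes:
    # flags 0x8183: QR=1, RD=1, RA=1, RCODE=3; one question, no answer records
    header = struct.pack("!6H", txid, 0x8183, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)   # type A, class IN


def build_a_response(name: str = "www.example.com", ip: str = "192.0.2.10", txid: int = 0x5678) -> bytes:
    # flags 0x8180: QR=1, RD=1, RA=1, RCODE=0; one question, one A record
    header = struct.pack("!6H", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(o) for o in ip.split("."))
    # 0xC00C is a compression pointer back to the QNAME at offset 12
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return header + question + answer


if __name__ == "__main__":
    for msg in (build_nxdomain_response(), build_a_response()):
        p = parse_response(msg)
        print(p["qname"], p["rcode_name"], "<- NXDOMAIN" if is_nxdomain(msg) else "")
```

To use it on a real capture, export the UDP payload of the DNS response from Wireshark (or from the converted FortiGate sniffer pcap) as raw bytes and pass it to `parse_response`. Note that a public resolver may also answer a non-existent name with NOERROR and zero answers (NODATA) when the name exists but has no record of the requested type; that is a different case from NXDOMAIN, and the `answers` count in the parsed header lets you tell the two apart.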


    Yurisk
    New Member
    July 8, 2024

    As the KB article you pointed to mentions that it is applicable only when using DOH/DOT, i.e. the DNS traffic is being encrypted, the only way to try and see the resolving process on the FGT is indeed to run debug. I am not sure about DOH/DOT traffic debug - if it has its own daemon and debug, but try starting with the usual DNS proxy debug: https://github.com/yuriskinfo/cheat-sheets/blob/master/cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.adoc#dns-server-and-proxy-debug

     

    P.S. If someone knows about specific DOH/DOT debug on Forti it would make a great KB Article :)