KMMargonin
New Member
October 6, 2021
Question

[SOLVED] FortiGate DNS server - no response to AAAA queries when there are no AAAA records


Hello,

Situation: FortiGate 400E running FortiOS 7.0.0 set as DNS server for local networks (recursive, but also forwarding to system DNS). DNS server IP = interface IP. All networks IPv4.

DNS queries of type A are answered by the FortiGate DNS server, example:

"Standard query 0x969a A wp.pl"
"Standard query response 0x969a A wp.pl 212.77.98.9"

The problem starts when there are AAAA queries but no AAAA record exists. The FortiGate DNS server receives the queries:

"Standard query 0x8e50 AAAA wp.pl"
"Standard query 0x8e50 AAAA wp.pl"
"Standard query 0x8e50 AAAA wp.pl"

but there is no response to the client, which causes a timeout on the client side and an unnecessary delay. Is there any solution to this problem?

When querying some public DNS server, for example 1.1.1.1, the answer to the AAAA query is:

"Standard query response 0x7b2c AAAA wp.pl SOA ns1.wp.pl"

and there is no timeout on the client side.
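To reproduce the difference the post describes (a real negative answer versus no answer at all) without Wireshark, here is an added client-side probe. It is example code written for this page, not part of the original post and not a Fortinet tool. It speaks raw DNS over UDP using only the Python standard library and classifies each reply: a NOERROR reply with an empty answer section and an SOA in the authority section is the RFC 2308 "NODATA" answer that 1.1.1.1 returns for AAAA wp.pl; silence is a timeout. The server address 10.0.0.1, the name wp.pl and the 2-second timeout are assumptions taken from the thread, and `fake_nodata_reply` is a constructed reply (not captured traffic) so the classifier can be exercised offline.

```python
"""Probe a resolver with A/AAAA queries and classify each reply.

Added example, not code from the original post or from Fortinet. Pure stdlib:
builds the DNS wire format by hand and parses just enough of the reply to tell
a proper negative answer (NOERROR, empty answer, SOA in authority: RFC 2308
NODATA) from NXDOMAIN, SERVFAIL or no reply at all. Server/name/timeout values
are assumptions taken from the thread.
"""
import os
import socket
import struct
import time

QTYPE = {"A": 1, "AAAA": 28, "SOA": 6}


def build_query(name, qtype, txid=None):
    """Standard RD=1 query for one name/type; random txid unless given."""
    txid = os.urandom(2) if txid is None else struct.pack("!H", txid)
    header = txid + struct.pack("!HHHHH", 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE[qtype], 1)


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer ends the name
            return off + 2
        off += 1 + length


def classify(query, reply):
    """TIMEOUT, MISMATCH, NXDOMAIN, SERVFAIL, OTHER:<rcode>, ANSWER,
    NODATA (SOA present) or NODATA-NO-SOA (negative but not cacheable)."""
    if reply is None:
        return "TIMEOUT"
    if len(reply) < 12 or reply[:2] != query[:2]:
        return "MISMATCH"          # wrong txid: stale or spoofed, never trust it
    flags, qd, an, ns, _ar = struct.unpack("!HHHHH", reply[2:12])
    rcode = flags & 0x0F
    if rcode == 3:
        return "NXDOMAIN"
    if rcode == 2:
        return "SERVFAIL"
    if rcode != 0:
        return "OTHER:%d" % rcode
    if an > 0:
        return "ANSWER"
    off = 12
    for _ in range(qd):                # skip question(s): name + type + class
        off = _skip_name(reply, off) + 4
    has_soa = False
    for _ in range(ns):                # walk the authority section for an SOA
        off = _skip_name(reply, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", reply[off:off + 10])
        off += 10 + rdlen
        has_soa = has_soa or rtype == QTYPE["SOA"]
    return "NODATA" if has_soa else "NODATA-NO-SOA"


def probe(server, name, qtype, timeout=2.0, transport=None):
    """Send one UDP query; return (classification, elapsed seconds).
    transport(query) -> reply bytes or None may be injected for offline use;
    the default talks UDP/53 to `server`."""
    query = build_query(name, qtype)
    start = time.monotonic()
    if transport is not None:
        reply = transport(query)
    else:
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (server, 53))
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            reply = None
        finally:
            sock.close()
    return classify(query, reply), time.monotonic() - start


def fake_nodata_reply(query):
    """Constructed reply (not captured traffic): echoes the question, NOERROR,
    empty answer, one SOA in authority, like 1.1.1.1's answer for AAAA wp.pl."""
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 0, 1, 0)
    mname = b"\x03ns1\x02wp\x02pl\x00"
    rname = b"\x0ahostmaster\x02wp\x02pl\x00"
    rdata = mname + rname + struct.pack("!IIIII", 1, 3600, 600, 604800, 60)
    soa = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE["SOA"], 1, 60, len(rdata)) + rdata
    return header + query[12:] + soa


if __name__ == "__main__":
    # Assumed FortiGate DNS address from the post, compared with a public resolver.
    for server in ("10.0.0.1", "1.1.1.1"):
        for qtype in ("A", "AAAA"):
            result, elapsed = probe(server, "wp.pl", qtype)
            print("%-9s %-4s %-14s %.3fs" % (server, qtype, result, elapsed))
```

Run it as a script from a client on the LAN and compare the two servers line by line: a healthy resolver returns NODATA for AAAA wp.pl in milliseconds, and the symptom in the post shows up as TIMEOUT with an elapsed time equal to the socket timeout. The txid check matters even in a diagnostic tool: a reply with the wrong transaction ID is either stale or an attempt at cache poisoning and must not be counted as an answer.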


    emnoc
    New Member
    October 6, 2021

    I don't have that issue, nor have I ever seen it.

    e.g.

    supports-MacBook-Pro:~ ken$ host -t a ipv6.hyperfeed.com 192.168.1.99
    Using domain server:
    Name: 192.168.1.99
    Address: 192.168.1.99#53
    Aliases:

    ipv6.hyperfeed.com has address 192.0.2.22

    supports-MacBook-Pro:~ ken$ host -t aaaa ipv6.hyperfeed.com 192.168.1.99
    Using domain server:
    Name: 192.168.1.99
    Address: 192.168.1.99#53
    Aliases:

    ipv6.hyperfeed.com has no AAAA record
    supports-MacBook-Pro:~ ken$

    and using your example

    supports-MacBook-Pro:~ ken$ host -t aaaa wp.pl 192.168.1.99
    Using domain server:
    Name: 192.168.1.99
    Address: 192.168.1.99#53
    Aliases:

    wp.pl has no AAAA record

    and for a recursive lookup:

    supports-MacBook-Pro:~ ken$ host -t aaaa www.gmail.com 192.168.1.99
    Using domain server:
    Name: 192.168.1.99
    Address: 192.168.1.99#53
    Aliases:

    www.gmail.com is an alias for mail.google.com.
    mail.google.com is an alias for googlemail.l.google.com.
    googlemail.l.google.com has IPv6 address 2607:f8b0:4000:81b::2005

    Btw, this is FortiOS 7.0.1

    Ken Felix

    KMMargonin
    New Member
    October 6, 2021

    Issue noticed on Windows 10 and Ubuntu Server 20.04.

    Example from Win 10:

    >nslookup wp.pl
    DNS request timed out.
        timeout was 2 seconds.
    Server:  UnKnown
    Address:  10.0.0.1

    DNS request timed out.
        timeout was 2 seconds.
    DNS request timed out.
        timeout was 2 seconds.
    Non-authoritative answer:
    DNS request timed out.
        timeout was 2 seconds.
    Name:    wp.pl
    Address:  212.77.98.9

    Example from Ubuntu Server 20.04:

    $ nslookup wp.pl
    Server:         10.0.0.1
    Address:        10.0.0.1#53

    Non-authoritative answer:
    Name:   wp.pl
    Address: 212.77.98.9
    ;; connection timed out; no servers could be reached

    emnoc
    New Member
    October 6, 2021

    Do you have DNS enabled on 10.0.0.1?

    e.g.

    host -t txt -c chaos version.bind 192.168.1.99

    or

    host -T -t txt -c chaos version.bind 192.168.1.99

    Is the dnsproc pid showing in "diag sys top"?

    Any downstream filters, firewalls, or layer 2 firewalls blocking access to port 53? Did you do a diag debug flow?

    diag debug reset
    diag debug flow filter dport 53
    diag debug flow filter daddr 192.168.1.99    # put your address here
    diag debug enable
    diag debug flow trace start 10

    SOCPUPFGT02 # id=20085 trace_id=2 func=print_pkt_detail line=5746 msg="vd-root:0 received a packet(proto=17, 192.168.1.110:55687->192.168.1.99:53) from internal. "
    id=20085 trace_id=2 func=init_ip_session_common line=5918 msg="allocate a new session-00026a88"
    id=20085 trace_id=2 func=vf_ip_route_input_common line=2615 msg="find a route: flag=84000000 gw-192.168.1.99 via root"
    id=20085 trace_id=2 func=__ip_session_run_tuple line=3529 msg="run helper-dns-udp(dir=original)"
    id=20085 trace_id=3 func=print_pkt_detail line=5746 msg="vd-root:0 received a packet(proto=6, 192.168.1.110:64884->192.168.1.99:53) from internal. flag , seq 4203354126, ack 0, win 65535"
    id=20085 trace_id=3 func=init_ip_session_common line=5918 msg="allocate a new session-00026aa1"
    id=20085 trace_id=3 func=vf_ip_route_input_common line=2615 msg="find a route: flag=84000000 gw-192.168.1.99 via root"
    id=20085 trace_id=4 func=print_pkt_detail line=5746 msg="vd-root:0 received a packet(proto=6, 192.168.1.110:64884->192.168.1.99:53) from internal. flag [.], seq 4203354127, ack 1720278195, win 2058"
    id=20085 trace_id=4 func=resolve_ip_tuple_fast line=5827 msg="Find an existing session, id-00026aa1, original direction"
    id=20085 trace_id=5 func=print_pkt_detail line=5746 msg="vd-root:0 received a packet(proto=6, 192.168.1.110:64884->192.168.1.99:53) from internal. flag [.], seq 4203354127, ack 1720278195, win 2058"
    id=20085 trace_id=5 func=resolve_ip_tuple_fast line=5827 msg="Find an existing session, id-00026aa1, original direction"
    id=20085 trace_id=6 func=print_pkt_detail line=5746 msg="vd-root:0 received a packet(proto=6, 192.168.1.110:64884->192.168.1.99:53) from internal. flag [.], seq 4203354159, ack 1720278247, win 2058"
    id=20085 trace_id=6 func=resolve_ip_tuple_fast line=5827 msg="Find an existing session, id-00026aa1, original direction"
    id=20085 trace_id=7 func=print_pkt_detail line=5746 msg="vd-root:0 received a packet(proto=6, 192.168.1.110:64884->192.168.1.99:53) from internal. flag [F.], seq 4203354159, ack 1720278247, win 2058"
    id=20085 trace_id=7 func=resolve_ip_tuple_fast line=5827 msg="Find an existing session, id-00026aa1, original direction"
    id=20085 trace_id=8 func=print_pkt_detail line=5746 msg="vd-root:0 received a packet(proto=6, 192.168.1.110:64884->192.168.1.99:53) from internal. flag [.], seq 4203354160, ack 1720278248, win 2058"
    id=20085 trace_id=8 func=resolve_ip_tuple_fast line=5827 msg="Find an existing session, id-00026aa1, original direction"

    # when done
    diag debug reset
    diag debug disable

    Did you at least do a diag sniffer packet any "host 10.0.0.1 and port 53" and see if your Windows or Ubuntu clients are hitting the dns-server ip.addr on the FortiGate?

    A time-out means exactly that: a time-out due to reachability, or the service is not running.

    Ken Felix