FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
anderson_yee
Staff
Article Id 339499
Description

This article describes the behavior of SDNS Server IP when Anycast is disabled/enabled under FortiGuard settings.

Scope

FortiGate, DNS Filter.

Solution

SDNS servers are the servers to which FortiGate sends DNS rating queries when a DNS Filter security profile is applied in a firewall policy.
Since FortiOS v6.4.3, FortiGate connects to the FortiGuard servers using the Anycast method by default.

Hence, when the FortiGuard anycast method is disabled for the first time, the SDNS server IP is unset.

[Screenshot: sdns.JPG]

However, if the SDNS server IP is changed to a custom value and anycast is then enabled again, the configuration shows the 'anycast-sdns-server-ip' field and not the 'sdns-server-ip' field.

[Screenshot: sdns.JPG]

But when anycast is disabled again, the 'sdns-server-ip' field appears with the value that was configured earlier.
For example, if the SDNS server was set to 8.8.8.8, that custom value 8.8.8.8 is shown once Anycast is disabled again.

[Screenshot: sdns behaviour 2.png]

If the SDNS server IP was unset previously, enabling and disabling anycast again results in no SDNS server being set under the FortiGuard settings.

Note: This can cause DNS Filter rating failures when switching from anycast enabled to anycast disabled if the SDNS server was unset or misconfigured beforehand, because rating queries then have no server to go to.

[Screenshot: sdns behaviour 3.png]
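The following CLI walkthrough is an added example and is not part of the original article; it reproduces the enable/disable sequence described above so the 'sdns-server-ip' and 'anycast-sdns-server-ip' behaviour can be checked on the CLI before relying on DNS Filter in a policy. The prompt name 'FGT', the output lines, and the anycast default address (shown as a placeholder) are assumptions that vary by FortiOS version; the 8.8.8.8 value is the article's own example. The numeric 'diagnose test application dnsproxy' subcommand is also an assumption; run the command without a number to list the available options on your build.

```fortios
# --- Step 1: default state, anycast enabled. Only the anycast field is shown.
FGT # show system fortiguard | grep sdns
    set anycast-sdns-server-ip <anycast default, version-dependent>

# --- Step 2: disable anycast for the first time. The non-anycast SDNS IP is unset,
#             so nothing is returned for 'sdns-server-ip'.
FGT # config system fortiguard
FGT (fortiguard) # set fortiguard-anycast disable
FGT (fortiguard) # end
FGT # show system fortiguard | grep sdns
    (no output: sdns-server-ip is unset)

# --- Step 3: set a custom SDNS server (8.8.8.8 is the article's example value).
FGT # config system fortiguard
FGT (fortiguard) # set sdns-server-ip 8.8.8.8
FGT (fortiguard) # end
FGT # show system fortiguard | grep sdns
    set sdns-server-ip 8.8.8.8

# --- Step 4: re-enable anycast. The custom value is kept but hidden; only the
#             anycast field is displayed.
FGT # config system fortiguard
FGT (fortiguard) # set fortiguard-anycast enable
FGT (fortiguard) # end
FGT # show system fortiguard | grep sdns
    set anycast-sdns-server-ip <anycast default, version-dependent>

# --- Step 5: disable anycast again. The earlier custom value reappears.
FGT # config system fortiguard
FGT (fortiguard) # set fortiguard-anycast disable
FGT (fortiguard) # end
FGT # show system fortiguard | grep sdns
    set sdns-server-ip 8.8.8.8

# --- Failure case to avoid: if 'unset sdns-server-ip' was run while anycast was
#             disabled, Step 5 prints nothing and DNS Filter rating queries have
#             no server. Always set sdns-server-ip explicitly before switching.
FGT # config system fortiguard
FGT (fortiguard) # unset sdns-server-ip
FGT (fortiguard) # end
FGT # show system fortiguard | grep sdns
    (no output: rating queries will fail until sdns-server-ip is set)

# --- Check what the DNS proxy is actually using (subcommand number assumed).
FGT # diagnose test application dnsproxy 3
```

After any anycast change, the 'show system fortiguard | grep sdns' check in Step 5 is the quick confirmation that a usable SDNS server is present; an empty result is the condition the article's Note warns about.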