This article describes useful DNS-related debug commands on FortiGate and provides general DNS information.
Scope: FortiGate.
DNS definition.
DNS resolves hostnames and domain names into routable IP addresses. It is a hierarchical, decentralized system and normally runs on port 53 (UDP and TCP).
Whenever troubleshooting DNS issues, the CLI commands to use are:
To check general DNS settings as well as cache/statistics:
diagnose test application dnsproxy 2 ----> Show stats.
diagnose debug rating ----> Show the FortiGuard rating servers in use and their status.
diagnose test application dnsproxy 13 ----> Show hostname cache.
diagnose test application dnsproxy 14 ----> Clear hostname cache.
diagnose test application dnsproxy 1 ----> Clear DNS cache.
Running 'diagnose test application dnsproxy' without an option number lists all available options:
1. Clear DNS cache
2. Show stats
3. Dump DNS setting
4. Reload FQDN
5. Requery FQDN
6. Dump FQDN
7. Dump DNS cache
8. Dump DNS DB
9. Reload DNS DB
10. Dump secure DNS policy/profile
11. Dump Botnet domain
12. Reload Secure DNS setting
13. Show Hostname cache
14. Clear Hostname cache
15. Show SDNS rating cache
16. Clear SDNS rating cache
17. DNS debug bit mask
18. DNS debug obj mem
99. Restart dnsproxy worker
To check how DNS resolution is being done (debug it):
diagnose debug application dnsproxy -1
diagnose debug enable
execute ping X.X.X.X
Ping a hostname rather than a bare IP address so that a lookup is actually performed; the dnsproxy debug output then shows which DNS server the query was sent to and the reply that came back. Turn the debug off afterwards with 'diagnose debug disable'.
To check the general DNS configuration, including whether DNS over TLS or DNS over HTTPS is in use:
config system dns
show
set dns-over-tls disable
config system dns-database
show
'show' only displays the current settings. 'set dns-over-tls disable' changes the configuration (it must be followed by 'end' to apply) and turns DNS over TLS off, so the FortiGate's own lookups then go out in cleartext on port 53; use it for isolating a TLS-related failure, not as a permanent setting.
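The setting the commands above display can also be checked from a saved copy of the 'show' output. The following script is an added example (not part of the Fortinet article) that parses the text printed inside 'config system dns' and flags cleartext DNS, i.e. 'dns-over-tls' left at 'disable'. The configuration dump, the server addresses (RFC 5737 documentation ranges) and the finding text are constructed for illustration; the option values 'disable', 'enable' and 'enforce' are the ones the dns-over-tls setting accepts.

```python
"""Audit a FortiOS `config system dns` dump for cleartext DNS.

Added example, not from the article or from Fortinet: it parses what `show`
(or `show full-configuration`) prints inside `config system dns` and reports
whether DNS over TLS is disabled, i.e. whether the FortiGate's own lookups
leave the box in cleartext on port 53. The dump below is constructed; the
server addresses are documentation ranges, not real resolvers.
"""
import re

# Constructed sample of what `show` prints. FortiOS omits settings that are
# still at their default, so a missing `dns-over-tls` line means "disable".
SAMPLE_DUMP = """\
config system dns
    set primary 192.0.2.53
    set secondary 198.51.100.53
    set dns-over-tls disable
    set interface-select-method auto
end
"""

SET_LINE = re.compile(r'^\s*set\s+(\S+)\s+(.*?)\s*$')


def parse_dns_config(dump: str) -> dict:
    """Return the `set` key/value pairs found inside the `config system dns` block."""
    settings = {}
    inside = False
    for line in dump.splitlines():
        stripped = line.strip()
        if stripped == "config system dns":
            inside = True
            continue
        if inside and stripped == "end":
            break
        if inside:
            m = SET_LINE.match(line)
            if m:
                settings[m.group(1)] = m.group(2).strip('"')
    return settings


def audit_dns_config(dump: str) -> list:
    """Return human-readable findings; an empty list means nothing to flag."""
    s = parse_dns_config(dump)
    findings = []
    dot = s.get("dns-over-tls", "disable")   # default value when `show` omits it
    if dot == "disable":
        findings.append(
            "dns-over-tls is disabled: queries to %s/%s go in cleartext on port 53"
            % (s.get("primary", "?"), s.get("secondary", "?"))
        )
    elif dot == "enable":
        # 'enable' uses TLS when the server offers it; 'enforce' never falls
        # back to cleartext, which is the setting a hardened deployment wants.
        findings.append("dns-over-tls is 'enable' (opportunistic); consider 'enforce'")
    if "secondary" not in s:
        findings.append("no secondary DNS server configured: single point of failure")
    return findings


if __name__ == "__main__":
    for finding in audit_dns_config(SAMPLE_DUMP):
        print("FINDING:", finding)
```

Paste the real output of 'show full-configuration' under 'config system dns' into SAMPLE_DUMP (or read it from a file) to audit an actual unit; 'show' alone hides default values, which is why a missing key is treated as 'disable'.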
To troubleshoot a 'DNS server unreachable' condition:
Ensure FortiGuard is pingable. The following settings select plain UDP on port 53 (or 8888) towards the US FortiGuard SDNS server, which rules out anycast and transport problems:
config system fortiguard
set fortiguard-anycast disable
set protocol udp
set port 53 (or 8888)
set sdns-server-ip "208.91.112.220" -> US server
end
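When a DNS server is reported unreachable, it helps to confirm from another host whether that server answers on UDP port 53 at all, independently of the FortiGate's dnsproxy cache. The following script is an added example (not part of the Fortinet article or of FortiOS) that builds a minimal RFC 1035 query, parses the reply, and times out when nothing comes back. The hostname 'example.test', the address 192.0.2.10 and the reply bytes are constructed so the parser can be exercised offline; the server address passed to query_server() is whatever resolver you want to probe.

```python
"""Minimal DNS query builder / response parser (RFC 1035 wire format).

Added example, not from the Fortinet article: it checks from any host that a
DNS server answers on UDP port 53. The hostname and the reply bytes below are
constructed for illustration.
"""
import socket
import struct


def build_query(hostname: str, txid: int = 0x1234) -> bytes:
    """Build a standard recursive A query for `hostname`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in hostname.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(data: bytes, offset: int) -> tuple:
    """Decode a (possibly compressed) domain name; return (name, next offset)."""
    labels, jumped, end, hops = [], False, offset, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:           # compression pointer
            hops += 1
            if hops > 10:                   # refuse pointer loops in malformed replies
                raise ValueError("too many compression pointers")
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            offset = pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_response(data: bytes, expected_txid: int) -> dict:
    """Parse a DNS response, returning rcode, flags and the A-record answers."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch (stale or spoofed reply)")
    offset = 12
    for _ in range(qd):
        _, offset = _read_name(data, offset)
        offset += 4                         # skip QTYPE/QCLASS
    answers = []
    for _ in range(an):
        name, offset = _read_name(data, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1:      # A record, class IN
            answers.append({"name": name, "ttl": ttl, "address": socket.inet_ntoa(rdata)})
    return {
        "rcode": flags & 0x000F,            # 0 = NOERROR, 2 = SERVFAIL, 3 = NXDOMAIN
        "is_response": bool(flags & 0x8000),
        "truncated": bool(flags & 0x0200),  # retry over TCP 53 if set
        "answers": answers,
    }


def query_server(server_ip: str, hostname: str, port: int = 53, timeout: float = 2.0) -> dict:
    """Send the query over UDP and parse the reply; raises socket.timeout when the
    server never answers, which is the 'DNS server unreachable' symptom."""
    txid = 0x1234
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(hostname, txid), (server_ip, port))
        data, _ = sock.recvfrom(4096)
    return parse_response(data, txid)


# Constructed reply: id 0x1234, flags 0x8180 (QR, RD, RA), one question, one
# A answer "example.test" -> 192.0.2.10 with TTL 300, name given as a pointer.
SAMPLE_QUERY = build_query("example.test")
SAMPLE_RESPONSE = (
    SAMPLE_QUERY[:2] + b"\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
    + SAMPLE_QUERY[12:]
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
)

if __name__ == "__main__":
    print(parse_response(SAMPLE_RESPONSE, 0x1234))
```

To probe a real resolver, call query_server("<dns-server-ip>", "<hostname>"); a socket.timeout means the server (or the path to it on UDP 53) is down, while a parsed reply with rcode 2 or 3 means the server is reachable and the problem lies in resolution itself, which points back at the dnsproxy debug rather than at connectivity.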
By default, the interface selection in the DNS configuration is set to 'auto'.
It can be changed from the CLI as well as from the GUI.
Copyright 2024 Fortinet, Inc. All Rights Reserved.