Article Id 333893
Description

This article provides information about useful debug commands related to DNS on FortiGate, along with general DNS background.


Scope

FortiGate.


Solution

DNS definition.

DNS (Domain Name System) resolves hostnames and domain names into routable IP addresses. It is a hierarchical, decentralized system and usually runs on port 53.


When troubleshooting DNS issues, the CLI commands to use are:

To check general DNS settings as well as cache/statistics:

diagnose test application dnsproxy 2 <----- Show stats.

diagnose debug rating <----- Show the FortiGuard rating (SDNS) server list and status.

diagnose test application dnsproxy 13 <----- Show hostname cache.

diagnose test application dnsproxy 14 <----- Clear hostname cache.

diagnose test application dnsproxy 1 <----- Clear DNS cache.


Running 'diagnose test application dnsproxy' without an option number lists all available options:

diagnose test application dnsproxy

1. Clear DNS cache
2. Show stats
3. Dump DNS setting
4. Reload FQDN
5. Requery FQDN
6. Dump FQDN
7. Dump DNS cache
8. Dump DNS DB
9. Reload DNS DB
10. Dump secure DNS policy/profile
11. Dump Botnet domain
12. Reload Secure DNS setting
13. Show Hostname cache
14. Clear Hostname cache
15. Show SDNS rating cache
16. Clear SDNS rating cache
17. DNS debug bit mask
18. DNS debug obj mem
99. Restart dnsproxy worker

To check how DNS resolution is being done (debug it):

diagnose debug application dnsproxy -1

diagnose debug enable

execute ping <hostname> <----- Ping a hostname (not an IP address) so that a DNS lookup is actually triggered.

Disable debugging again afterwards with 'diagnose debug disable'.


The following are the most relevant lines from the DNS proxy debug output:

dns_local_lookup_common()-2553: vfid=0, real_vfid=0, qname=www.site.com, qtype=28, qclass=1  <-----  Query received and looked up locally (qtype=28 is an AAAA query).

dns_send_cached_response()-1747: domain=www.site.com    <-----  Checked against the cache.

dns_send_resol_request()-1344: orig id: 0x44b4 domain=www.site.com  <-----  On a cache miss, the query is forwarded to the upstream DNS server.

dns_query_handle_response()-2743: domain=www.site.com pktlen=222  <-----  Response received from the upstream DNS server.

dns_send_response()-1645: domain=www.site.com reslen=222 <-----  Response sent to the client.

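As an added example (not from the article or from Fortinet), the following Python script parses lines of the form shown above, as printed by 'diagnose debug application dnsproxy -1', and reports per domain whether the query was answered from cache, forwarded upstream and answered, or forwarded with no reply seen, which is the pattern to look for when the upstream server is unreachable. The sample capture is constructed from the lines above, and the mapping from function names to resolution path is an assumption drawn from this article's annotations.

```python
import re

# Shape of the dnsproxy debug lines quoted in the article:
#   dns_send_resol_request()-1344: orig id: 0x44b4 domain=www.site.com
# (function name, "-<source line>:", then free text containing key=value fields)
LINE_RE = re.compile(r"^(dns_\w+)\(\)-\d+:\s*(.*)$")
FIELD_RE = re.compile(r"(\w+)=([^\s,]+)")

def parse_line(line):
    """Return (function, {field: value}) for one debug line, or None for other text."""
    m = LINE_RE.match(line.strip())
    return (m.group(1), dict(FIELD_RE.findall(m.group(2)))) if m else None

def classify(debug_output):
    """Map each queried domain to the path its resolution took (assumed from which
    functions fired): 'cache' = answered with no upstream request, 'upstream' =
    forwarded and a reply came back, 'no_response' = forwarded but no
    dns_query_handle_response seen (upstream unreachable or slow), 'unknown'."""
    funcs_by_domain = {}
    for line in debug_output.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        func, fields = parsed
        domain = fields.get("domain") or fields.get("qname")
        if domain:
            funcs_by_domain.setdefault(domain, set()).add(func)
    result = {}
    for domain, funcs in funcs_by_domain.items():
        if "dns_send_resol_request" in funcs:
            result[domain] = "upstream" if "dns_query_handle_response" in funcs else "no_response"
        elif "dns_send_response" in funcs:
            result[domain] = "cache"
        else:
            result[domain] = "unknown"
    return result

# Constructed sample, modelled on the article's lines; not a real capture.
SAMPLE = """\
dns_local_lookup_common()-2553: vfid=0, real_vfid=0, qname=www.site.com, qtype=28, qclass=1
dns_send_cached_response()-1747: domain=www.site.com
dns_send_resol_request()-1344: orig id: 0x44b4 domain=www.site.com
dns_query_handle_response()-2743: domain=www.site.com pktlen=222
dns_send_response()-1645: domain=www.site.com reslen=222
dns_send_cached_response()-1747: domain=cached.example
dns_send_response()-1645: domain=cached.example reslen=80
dns_send_cached_response()-1747: domain=dead.example
dns_send_resol_request()-1344: orig id: 0x1a2b domain=dead.example
"""
```

Call classify() on a saved debug capture; any domain reported as 'no_response' was forwarded to the configured DNS server but never got a reply back to the FortiGate.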

To check general things, such as whether DNS over TLS or HTTPS is in use:

config system dns

show

The output includes the DNS over TLS setting, for example:

    set dns-over-tls disable

To view the local DNS database entries:

config system dns-database

show


To troubleshoot a DNS server being unreachable:

Ensure FortiGuard is pingable, and check the FortiGuard connectivity settings. With anycast disabled, the FortiGate contacts a specific SDNS server directly over UDP:

config system fortiguard

    set fortiguard-anycast disable

    set protocol udp

    set port 53  <----- or 8888

    set sdns-server-ip "208.91.112.220"  <----- US server

end


By default, the interface selection for DNS traffic is set to 'auto' in the DNS configuration. It can be changed from the CLI as well as the GUI. See the following articles:

Technical Tip: How to specify outgoing interface for local DNS traffic

Technical Tip: Change/specify the outgoing interface for DNS traffic in GUI

Note: in v7.0.0 and above, 'diagnose test application dnsproxy 15' will not show SDNS rating cache results when the DNS filter profile is in flow mode, because flow-mode DNS filtering is handled by the IPS engine. If the profile is changed to proxy mode, the results will be displayed.


Related articles:

Technical Tip: FortiGate Troubleshooting DNS commands

Technical Tip: Different options of configuring DNS server on FortiGate

Technical Tip: Configuring FortiGates as DNS servers in Master/Slave relationship