Created on 11-29-2022 09:53 PM
Edited on 06-27-2025 06:45 AM
By Stephen_G
Description
This article describes why 'authoritative' must be kept DISABLED in a dns-database zone when the FortiGate should still resolve that domain through its DNS forwarders or System DNS servers, and how to confirm the behaviour with dnsproxy debugs.
The use case of 'source-ip' in this context is discussed at the end.
Scope
FortiGate.
Solution
If a dns-database zone is configured for the domain 'example.com' and this FQDN is not resolvable from the FortiGate or from a user's device that uses the FortiGate as DNS server, make sure that 'authoritative' is DISABLED in that zone.
If 'authoritative' is ENABLED, the FortiGate considers itself the only source of truth for 'example.com' and does not send DNS requests for that domain to the zone's DNS forwarders or to the System DNS servers; any name not defined in the zone's entries simply gets an empty answer.
In this scenario, FortiGuard DNS servers are set as System DNS and the zone has no DNS forwarders:
# config system dns
    set primary 96.45.45.45
    set secondary 96.45.46.46
end
# config system dns-database
    edit "Example"
        set status enable
        set domain "example.com"
        set type primary
        set view shadow
        set ttl 86400
        set authoritative disable
        unset forwarder
        set source-ip 0.0.0.0
    next
end
With 'authoritative' disabled, the domain is resolved: the zone contains no entry for 'example.com', so the FortiGate forwards the query to the System DNS server at 96.45.45.45:53 (no forwarder is set in the zone, so System DNS is used).
FortiGate-61F # execute ping example.com
PING example.com (93.184.216.34): 56 data bytes
DNSPROXY debugs (run 'diagnose debug disable' and 'diagnose debug reset' when finished):
# diagnose debug application dnsproxy -1
# diagnose debug enable
[worker 0] dns_send_resol_request()-1234: orig id: 0x0000 local id: 0x801c domain=example.com
[worker 0] dns_find_best_server()-593: found server: 96.45.45.45 (vfid=0 vrf=0)
[worker 0] dns_udp_forward_request()-1060: vdom=root req_type=1 domain=example.com oif=0
[worker 0] dns_udp_forward_request()-1180: Send 29B to [96.45.45.45]:53 via fd=19 request:1
A Wireshark pcap filtered for dns.qry.name == "example.com" (screenshot not reproduced here) shows the query to 96.45.45.45 and its response.
If 'authoritative' is set to ENABLED:
FortiGate-61F # execute ping example.com
Unable to resolve hostname.
A Wireshark pcap filtered for dns.qry.name == "example.com" shows no packets at all: the query never leaves the FortiGate.
Note the difference in the dnsproxy debug output filtered by 'example.com'. In both cases the local lookup finds the zone 'Example' but no matching entry. In the working case the request is then forwarded (dns_send_resol_request / dns_udp_forward_request) and a 183-byte answer comes back. In the non-working case there is no forwarding at all: the FortiGate answers by itself with a 29-byte response, the same size as the 29-byte question (header plus question section, no answer records), which is why the client reports the name as unresolvable.
Working:
[worker 0] dns_local_lookup()-2476: vfid=0, real_vfid=0, qname=example.com, qtype=1, qclass=1, offset=29, map#=2 max_sz=512
[worker 0] dns_lookup_aa_zone()-608: vfid=0, fqdn=example.com
[worker 0] dns_local_lookup()-2528: found zone=Example domain=example.com
[worker 0] dnsentry_search()-506: domain=example.com, name=example.com, type=1
[worker 0] dnsentry_lookup()-430: domain=example.com, name=example.com, type=1
[worker 0] dnsentry_lookup()-430: domain=example.com, name=example.com, type=5
[worker 0] dns_send_resol_request()-1234: orig id: 0x0000 local id: 0x801c domain=example.com
[worker 0] dns_udp_forward_request()-1060: vdom=root req_type=1 domain=example.com oif=0
[worker 0] dns_query_handle_response()-2580: vfid=0 real_vfid=0 vrf=0 id=0x801c domain=example.com pktlen=183
[worker 0] dns_query_save_response()-2561: domain=example.com pktlen=183
[worker 0] dns_set_min_ttl()-188: QR: example.com
[worker 0] hostname_entry_insert()-143: af=2 domain=example.com
[worker 0] dns_send_response()-1543: domain=example.com reslen=183
[worker 0] dns_query_delete()-566: orig id:0x0000 local id:0x801c domain=example.com active
Non-working:
[worker 0] dns_local_lookup()-2476: vfid=0, real_vfid=0, qname=example.com, qtype=1, qclass=1, offset=29, map#=2 max_sz=512
[worker 0] dns_lookup_aa_zone()-608: vfid=0, fqdn=example.com
[worker 0] dns_local_lookup()-2528: found zone=Example domain=example.com
[worker 0] dnsentry_search()-506: domain=example.com, name=example.com, type=1
[worker 0] dnsentry_lookup()-430: domain=example.com, name=example.com, type=1
[worker 0] dnsentry_lookup()-430: domain=example.com, name=example.com, type=5
[worker 0] dns_query_save_response()-2561: domain=example.com pktlen=29
[worker 0] dns_send_response()-1543: domain=example.com reslen=29
[worker 0] dns_query_delete()-566: orig id:0x0000 local id:0x0000 domain=example.com non-active
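If the FortiGate is meant to be the authority for the zone, 'authoritative enable' is the correct setting, but then the zone must hold every record it will be asked for, because nothing is forwarded. The following configuration is an added example and is not taken from the original article; the host 'www' and the address 93.184.216.34 (the address returned by the ping above) are assumed for illustration.

```fortios
# Added example: an authoritative zone that actually holds the records it serves.
# With 'authoritative enable' the FortiGate never forwards queries for example.com,
# so every name that must resolve has to exist under 'config dns-entry'.
# Names not listed here (including the bare 'example.com' apex unless an entry is
# added for it) get an empty answer, exactly as in the non-working debug above.
config system dns-database
    edit "Example"
        set status enable
        set domain "example.com"
        set type primary
        set view shadow
        set ttl 86400
        set authoritative enable
        config dns-entry
            edit 1
                set type A
                set hostname "www"
                set ip 93.184.216.34
            next
        end
    next
end

# Verification (prompt shown in the same style as the article):
# execute ping www.example.com
# diagnose debug application dnsproxy -1
# diagnose debug enable
# expected in the debug: dnsentry_lookup() for name=www.example.com type=1 finds
# the entry and dns_send_response() returns an answer larger than the question,
# with no dns_udp_forward_request() line.
# diagnose debug disable
```

Because the view is 'shadow', the zone only answers queries that reach the FortiGate's own DNS service from the internal side; it is never exposed as a public zone.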
Use case of 'source-ip' in dns-database (see Technical Tip: How to control/change the FortiGate source IP for self-generated traffic):
If the DNS requests for this zone should be sent to DNS forwarders or local DNS servers that are reachable only via the local network or a VPN tunnel, set 'source-ip' to a FortiGate interface address from which those servers are reachable (for example the tunnel or LAN interface IP). The address must belong to the FortiGate itself; the zone's forwarders are set with 'forwarder' in the same entry.
config system dns-database
    edit "Example"
        set source-ip x.x.x.x
    next
end
Check which addresses are available on the FortiGate with:
diagnose ip address list
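A complete zone that forwards 'example.com' to an internal DNS server across an IPsec tunnel, together with the checks that confirm the chosen source address is used, as an added example that is not part of the original article. The forwarder 10.10.10.53, the FortiGate tunnel-side address 10.20.0.1 and the interface name 'to-hq' are assumptions for illustration.

```fortios
# Added example: forward the zone to an internal DNS server reachable over VPN,
# sourcing the queries from an address that is routed through the tunnel.
# 'authoritative' stays disabled so that names missing from the zone are forwarded
# instead of being answered with an empty response.
config system dns-database
    edit "Example"
        set status enable
        set domain "example.com"
        set type primary
        set view shadow
        set authoritative disable
        set forwarder 10.10.10.53
        set source-ip 10.20.0.1
    next
end

# 1. The source address must be one of the FortiGate's own addresses:
# diagnose ip address list
#    (expect a line such as: IP=10.20.0.1->10.20.0.1/255.255.255.0 index=... devname=to-hq)
# 2. Confirm the query leaves with that source and reaches the forwarder:
# diagnose sniffer packet any 'host 10.10.10.53 and udp port 53' 4 0 l
# execute ping www.example.com
#    (expect 10.20.0.1.xxxxx -> 10.10.10.53.53: udp 29 or similar in the sniffer output)
# 3. If the sniffer shows the query with a different source address, or no
#    query at all, re-check the route/policy for 10.20.0.1 towards 10.10.10.53
#    and that 'authoritative' is still disabled in the zone.
```

If 'source-ip' is left at 0.0.0.0, the FortiGate picks the outgoing interface address according to its routing table, which for a tunnel-only DNS server is usually not what the remote side expects.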
Copyright 2025 Fortinet, Inc. All Rights Reserved.