Description
This article describes why 'authoritative' must be kept 'DISABLED' in the dns-database entry in order to resolve a domain that is not defined locally.
The use case of source-ip in this context is discussed at the end.
Scope
FortiGate.
Solution
If dns-database is configured with the domain 'example.com' and this FQDN is not resolvable from the FortiGate or from a user's device, make sure that authoritative is 'DISABLED'.
If authoritative is 'ENABLED', FortiGate does not send the DNS request for 'example.com' to the DNS forwarders or to the System DNS servers.
In this scenario, the FortiGuard DNS servers are set as System DNS and there are no DNS forwarders:
# config system dns
set primary 96.45.45.45
set secondary 96.45.46.46
end
# config system dns-database
edit "Example"
set status enable
set domain "example.com"
set type primary
set view shadow
set ttl 86400
set authoritative disable
unset forwarder
set source-ip 0.0.0.0
next
end
The domain is resolved while authoritative is disabled: FortiGate sends the DNS query to the System DNS server at 96.45.45.45:53.
FortiGate-61F # execute ping example.com
PING example.com (93.184.216.34): 56 data bytes
DNSPROXY debugs:
# diagnose debug application dnsproxy -1
# diagnose debug enable
[worker 0] dns_send_resol_request()-1234: orig id: 0x0000 local id: 0x801c domain=example.com
[worker 0] dns_find_best_server()-593: found server: 96.45.45.45 (vfid=0 vrf=0)
[worker 0] dns_udp_forward_request()-1060: vdom=root req_type=1 domain=example.com oif=0
[worker 0] dns_udp_forward_request()-1180: Send 29B to [96.45.45.45]:53 via fd=19 request:1
Wireshark pcap filtered for dns.qry.name == 'example.com':
If authoritative is set to 'ENABLED':
FortiGate-61F # execute ping example.com
Unable to resolve hostname.
A Wireshark pcap filtered for dns.qry.name == 'example.com' shows no packets at all.
Note the difference in the dnsproxy debug results filtered by 'example.com':
Working:
[worker 0] dns_local_lookup()-2476: vfid=0, real_vfid=0, qname=example.com, qtype=1, qclass=1, offset=29, map#=2 max_sz=512
[worker 0] dns_lookup_aa_zone()-608: vfid=0, fqdn=example.com
[worker 0] dns_local_lookup()-2528: found zone=Example domain=example.com
[worker 0] dnsentry_search()-506: domain=example.com, name=example.com, type=1
[worker 0] dnsentry_lookup()-430: domain=example.com, name=example.com, type=1
[worker 0] dnsentry_lookup()-430: domain=example.com, name=example.com, type=5
[worker 0] dns_send_resol_request()-1234: orig id: 0x0000 local id: 0x801c domain=example.com
[worker 0] dns_udp_forward_request()-1060: vdom=root req_type=1 domain=example.com oif=0
[worker 0] dns_query_handle_response()-2580: vfid=0 real_vfid=0 vrf=0 id=0x801c domain=example.com pktlen=183
[worker 0] dns_query_save_response()-2561: domain=example.com pktlen=183
[worker 0] dns_set_min_ttl()-188: QR: example.com
[worker 0] hostname_entry_insert()-143: af=2 domain=example.com
[worker 0] dns_send_response()-1543: domain=example.com reslen=183
[worker 0] dns_query_delete()-566: orig id:0x0000 local id:0x801c domain=example.com active
Non-working:
[worker 0] dns_local_lookup()-2476: vfid=0, real_vfid=0, qname=example.com, qtype=1, qclass=1, offset=29, map#=2 max_sz=512
[worker 0] dns_lookup_aa_zone()-608: vfid=0, fqdn=example.com
[worker 0] dns_local_lookup()-2528: found zone=Example domain=example.com
[worker 0] dnsentry_search()-506: domain=example.com, name=example.com, type=1
[worker 0] dnsentry_lookup()-430: domain=example.com, name=example.com, type=1
[worker 0] dnsentry_lookup()-430: domain=example.com, name=example.com, type=5
[worker 0] dns_query_save_response()-2561: domain=example.com pktlen=29
[worker 0] dns_send_response()-1543: domain=example.com reslen=29
[worker 0] dns_query_delete()-566: orig id:0x0000 local id:0x0000 domain=example.com non-active
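To tell the two cases apart without reading the captures line by line, here is an added Python helper (not part of the article and not a Fortinet tool) that parses the dnsproxy debug lines shown above. The sample input is constructed from that output, and the verdict labels ('forwarded', 'local-only') are my own naming.

```python
import re

# Constructed samples: trimmed dnsproxy debug output in the shape shown in the article.
WORKING = """\
[worker 0] dns_local_lookup()-2528: found zone=Example domain=example.com
[worker 0] dns_send_resol_request()-1234: orig id: 0x0000 local id: 0x801c domain=example.com
[worker 0] dns_udp_forward_request()-1180: Send 29B to [96.45.45.45]:53 via fd=19 request:1
[worker 0] dns_query_handle_response()-2580: vfid=0 real_vfid=0 vrf=0 id=0x801c domain=example.com pktlen=183
[worker 0] dns_send_response()-1543: domain=example.com reslen=183
"""
NON_WORKING = """\
[worker 0] dns_local_lookup()-2528: found zone=Example domain=example.com
[worker 0] dns_query_save_response()-2561: domain=example.com pktlen=29
[worker 0] dns_send_response()-1543: domain=example.com reslen=29
[worker 0] dns_query_delete()-566: orig id:0x0000 local id:0x0000 domain=example.com non-active
"""

# The query matched a local dns-database zone.
ZONE_RE = re.compile(r"dns_local_lookup\(\)-\d+: found zone=(\S+) domain=(\S+)")
# The query was forwarded to an upstream server (forwarder or System DNS).
FWD_RE = re.compile(r"dns_udp_forward_request\(\)-\d+: Send (\d+)B to \[([^\]]+)\]:(\d+)")
# The response handed back to the client, with its length in bytes.
RESP_RE = re.compile(r"dns_send_response\(\)-\d+: domain=(\S+) reslen=(\d+)")


def analyze(debug_output, qname):
    """Summarize what dnsproxy did for one query name.

    verdict 'forwarded'  : query left the box for an upstream server (expected
                           with 'set authoritative disable').
    verdict 'local-only' : a local zone matched but nothing was forwarded, so
                           the client only got the short local reply (the
                           'authoritative enable' symptom from the article).
    """
    zone = forwarded_to = reslen = None
    for line in debug_output.splitlines():
        if (m := ZONE_RE.search(line)) and m.group(2) == qname:
            zone = m.group(1)
        elif (m := FWD_RE.search(line)):
            forwarded_to = f"{m.group(2)}:{m.group(3)}"
        elif (m := RESP_RE.search(line)) and m.group(1) == qname:
            reslen = int(m.group(2))
    verdict = "forwarded" if forwarded_to else ("local-only" if zone else "unknown")
    return {"zone": zone, "forwarded_to": forwarded_to, "reslen": reslen, "verdict": verdict}


if __name__ == "__main__":
    for label, sample in (("working", WORKING), ("non-working", NON_WORKING)):
        print(label, analyze(sample, "example.com"))
```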
Use case of source-ip in dns-database:
If this DNS request should be sent to DNS forwarders or to local DNS servers, either via the local network or via VPN:
- Still make sure that authoritative is 'DISABLED'.
- It may also be necessary to specify the source IP for the DNS database. In the case of VPN, the tunnel needs the required phase 2 selector and a route so that this traffic is sent via the tunnel:
# config system dns-database
edit "Example"
set source-ip x.x.x.x
next
end
- If the source IP is not specified, FortiGate uses the IP address of the interface with the lowest index for this locally generated traffic.
- The interface index can be checked with:
# diagnose ip address list
Copyright 2024 Fortinet, Inc. All Rights Reserved.