FortiGate
mturic (Staff)
Article Id 196077

Description
This article describes how to enable the FortiGate to reply to DNS queries via the Loopback interface.

Due to DNS behavior changes in 5.6, previously working configurations from 5.4 might not work after a firmware upgrade.

Solution

From FortiOS version 5.6 onwards, the DNS server drops DNS requests that arrive on interfaces not listed in the dns-server table.
If the DNS server is configured on an internal port, for example port1, the FortiGate resolves only DNS queries arriving on port1.

If the DNS server is configured on a loopback interface but the DNS queries reach the FortiGate on a physical interface (port1 in this example), port1 must also be added to the dns-server table:

config system dns-server
    edit "loopback1"
    next
    edit "port1"
    next
end

If port1 is not added, the following messages appear in the dnsproxy debug output, showing that the query is treated as "non-active" and dropped:

[worker 0] get_intf_policy()-1353: ifindex=43
[worker 0] dns_query_delete()-565: orig id:0x585f local id:0x0000 xyz.com non-active
[worker 0] udp_receive_request()-2953

Note: If DNS queries arrive over SSL VPN, add the SSL VPN interface (ssl.root) to the dns-server table as well:

config system dns-server
    edit "loopback1"
    next
    edit "ssl.root"
    next
end
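As an added check that is not part of the original article, the following Python snippet parses a `config system dns-server` block from a configuration dump (a constructed sample is embedded) and reports which expected ingress interfaces are missing from the table, so the post-5.6 "non-active" drop can be caught from a backup before a firmware upgrade rather than from live debugs. The interface names in EXPECTED_INGRESS and the sample configuration are assumptions.

```python
import re

# Constructed sample: a dump in which another block also contains an
# 'edit "port1"' entry, but the dns-server table lists only the loopback.
SAMPLE_CONFIG = """\
config system interface
    edit "port1"
        set vdom "root"
    next
end
config system dns-server
    edit "loopback1"
        set mode recursive
    next
end
"""

# Interfaces on which DNS queries are expected to arrive (assumed names).
EXPECTED_INGRESS = ["loopback1", "port1", "ssl.root"]


def parse_dns_server_table(config_text: str) -> set[str]:
    """Return the interface names listed in 'config system dns-server'.

    Only that block is inspected, so 'edit' entries from other config
    blocks in the same dump (e.g. system interface) are ignored.
    """
    interfaces = set()
    in_block = False
    for line in config_text.splitlines():
        stripped = line.strip()
        if stripped == "config system dns-server":
            in_block = True
        elif in_block and stripped == "end":
            break
        elif in_block:
            match = re.match(r'edit\s+"([^"]+)"', stripped)
            if match:
                interfaces.add(match.group(1))
    return interfaces


def missing_ingress_interfaces(config_text: str, expected: list[str]) -> list[str]:
    """Expected ingress interfaces absent from the dns-server table.

    Queries arriving on any interface returned here are answered on 5.4
    but dropped as 'non-active' by dnsproxy on FortiOS 5.6 and later.
    """
    present = parse_dns_server_table(config_text)
    return [name for name in expected if name not in present]


if __name__ == "__main__":
    for name in missing_ingress_interfaces(SAMPLE_CONFIG, EXPECTED_INGRESS):
        print(f'add under config system dns-server: edit "{name}"')
```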