FortiGate
syadav (Staff)
Article Id 277274
Description

This article demonstrates the behaviour of FortiGate's DNS server functionality when it is enabled on a regular interface (physical or VLAN) compared with a loopback interface.

Scope

FortiGate.

Solution

Configure vlan_20 as the DNS server:

config system dns-server
    edit "vlan_20"
    next
end

config system interface
    edit "vlan_20"
        set vdom "root"
        set ip 10.0.20.20 255.255.255.0
        set allowaccess ping
        set role lan
        set snmp-index 19
        set color 6
        set interface "fortilink"
        set vlanid 20
    next
end

Firewall policy allowing traffic from VLAN_10 to VLAN_20:

config firewall policy
    edit 10
        set name "vlan_20_access"
        set uuid 0be26e76-42a6-51ed-f6ec-9c1e4c645372
        set srcintf "vlan_10"
        set dstintf "vlan_20"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
    next
end

Initiating a DNS query from a machine connected to VLAN_10:

root@debian:~# dig @10.0.20.20 fortinet.com
;; communications error to 10.0.20.20#53: timed out
;; communications error to 10.0.20.20#53: timed out
;; communications error to 10.0.20.20#53: timed out

; <<>> DiG 9.18.16-1~deb12u1-Debian <<>> @10.0.20.20 fortinet.com
; (1 server found)
;; global options: +cmd
;; no servers could be reached

Flow trace debugs show no reply traffic:

id=65308 trace_id=11 func=print_pkt_detail line=5832 msg="vd-root:0 received a packet(proto=17, 10.0.10.245:51090->10.0.20.20:53) tun_id=0.0.0.0 from vlan_10. "
id=65308 trace_id=11 func=init_ip_session_common line=6017 msg="allocate a new session-026732c5, tun_id=0.0.0.0"
id=65308 trace_id=11 func=vf_ip_route_input_common line=2611 msg="find a route: flag=84000000 gw-10.0.20.20 via root"
id=65308 trace_id=11 func=__iprope_tree_check line=528 msg="gnum-100004, use int hash, slot=40, len=3"
id=65308 trace_id=11 func=get_new_addr line=1255 msg="find SNAT: IP-10.0.20.20(from IPPOOL), port-51090"
id=65308 trace_id=11 func=__ip_session_run_tuple line=3471 msg="run helper-dns-udp(dir=original)"

DNS proxy debugs:

[worker 0] batch_on_read()-3543
[worker 0] udp_receive_request()-3132
[worker 0] udp_receive_request()-3182: vd=0, vrf=0, intf=33, len=53, alen=16, 10.0.10.245:45183=>10.0.20.20
[worker 0] handle_dns_request()-2478: vfid=0 real_vfid=0 id=0x3604 pktlen=53 qr=0 req_type=3
[worker 0] dns_parse_message()-603
[worker 0] get_intf_policy()-1475: ifindex=33
[worker 0] dns_query_delete()-588: orig id:0x3604 local id:0x0000 domain=fortinet.com use=5 non-active
[worker 0] dns_query_cleanup()-567: use=2
[worker 0] udp_receive_request()-3132
[worker 0] dns_query_check_timeout()-651: jiffies=266376337

This is expected behaviour: the DNS proxy drops the query if the ingress interface is not listed in the system dns-server table. To receive a reply from VLAN_20's IP address, VLAN_10 must also be configured as a DNS server.

This condition only applies when the DNS server is configured on a regular interface, i.e. a physical or VLAN interface; it does not apply to a loopback interface.

 

Example with a loopback interface:

Configure the loopback interface as the DNS server:

config system dns-server
    edit "mgmt"
    next
end

config system interface
    edit "mgmt"
        set vdom "root"
        set ip 10.0.0.253 255.255.255.255
        set allowaccess ping https ssh snmp http
        set type loopback
        set role lan
        set snmp-index 28
    next
end

Create a firewall policy from VLAN_10 to the loopback interface:

config firewall policy
    edit 11
        set name "mgmt_access"
        set uuid 8e757664-b536-51ed-730a-d29f9390e2ee
        set srcintf "vlan_10"
        set dstintf "mgmt"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

Initiating a DNS query from a machine connected to VLAN_10:

root@debian:~# dig @10.0.0.253 fortinet.com

; <<>> DiG 9.18.16-1~deb12u1-Debian <<>> @10.0.0.253 fortinet.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16448
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;fortinet.com.                  IN      A

;; ANSWER SECTION:
fortinet.com.           84129   IN      A       54.151.118.105
fortinet.com.           84129   IN      A       54.177.212.176

;; Query time: 4 msec
;; SERVER: 10.0.0.253#53(10.0.0.253) (UDP)
;; WHEN: Mon Oct 02 12:27:54 PDT 2023
;; MSG SIZE  rcvd: 73

Flow trace debugs show reply traffic:

id=65308 trace_id=17 func=print_pkt_detail line=5832 msg="vd-root:0 received a packet(proto=17, 10.0.10.245:40711->10.0.0.253:53) tun_id=0.0.0.0 from vlan_10. "
id=65308 trace_id=17 func=init_ip_session_common line=6017 msg="allocate a new session-02677a75, tun_id=0.0.0.0"
id=65308 trace_id=17 func=vf_ip_route_input_common line=2611 msg="find a route: flag=84000000 gw-10.0.0.253 via root"
id=65308 trace_id=17 func=__iprope_tree_check line=528 msg="gnum-100004, use int hash, slot=42, len=2"
id=65308 trace_id=17 func=__ip_session_run_tuple line=3471 msg="run helper-dns-udp(dir=original)"
id=65308 trace_id=18 func=print_pkt_detail line=5832 msg="vd-root:0 received a packet(proto=17, 10.0.0.253:53->10.0.10.245:40711) tun_id=0.0.0.0 from local. "
id=65308 trace_id=18 func=resolve_ip_tuple_fast line=5920 msg="Find an existing session, id-02677a75, reply direction"
id=65308 trace_id=18 func=__ip_session_run_tuple line=3471 msg="run helper-dns-udp(dir=reply)"

DNS proxy debugs show the processing of the DNS query:

[worker 0] batch_on_read()-3543
[worker 0] udp_receive_request()-3132
[worker 0] udp_receive_request()-3182: vd=0, vrf=0, intf=33, len=53, alen=16, 10.0.10.245:60808=>10.0.0.253
[worker 0] handle_dns_request()-2478: vfid=0 real_vfid=0 id=0x3b88 pktlen=53 qr=0 req_type=3
[worker 0] dns_parse_message()-603
[worker 0] get_intf_policy()-1475: ifindex=34
[worker 0] dns_local_lookup_common()-2534: vfid=0, real_vfid=0, view=2, qname=fortinet.com, qtype=1, qclass=1, offset=30, map#=2 max_sz=512
[worker 0] dns_lookup_aa_zone()-608: vfid=0, fqdn=fortinet.com
[worker 0] dns_send_cached_response()-1736: domain=fortinet.com
[worker 0] dns_query_save_response()-2712: domain=fortinet.com pktlen=73
[worker 0] dns_adjust_ttl_values()-142
[worker 0] dns_adjust_ttl_values()-145: Offset of 1st RR: 30
[worker 0] dns_adjust_ttl_values()-147: Number of RR's: 3
[worker 0] dns_adjust_ttl_values()-158: New ttl: 84086
[worker 0] dns_adjust_ttl_values()-158: New ttl: 84086
[worker 0] dns_adjust_ttl_values()-158: New ttl: 0
[worker 0] dns_forward_response()-1709
[worker 0] dns_secure_forward_response()-1665: category=255 profile=none
[worker 0] dns_send_response()-1634: domain=fortinet.com reslen=73
[worker 0] __dns_udp_forward_response()-1511
[worker 0] __dns_udp_forward_response()-1522: vd-0 Send 73B via fd=7, family=2
[worker 0] __dns_udp_forward_response()-1526: set svf of fd to 0
[worker 0] __dns_udp_forward_response()-1576: vd=0 send 73B response 10.0.0.253:53=>10.0.10.245:60808
[worker 0] dns_query_delete()-588: orig id:0x3b88 local id:0x0000 domain=fortinet.com use=5 non-active
[worker 0] dns_query_cleanup()-567: use=2
[worker 0] udp_receive_request()-3132

The machine received a DNS response for the query made to the loopback address, even though only the loopback interface is listed in the dns-server table.
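The two dnsproxy debug dumps above differ in one visible way: in the dropped case, get_intf_policy() is followed directly by dns_query_delete(), while in the answered case a dns_local_lookup_common() and a __dns_udp_forward_response() "send ... response" line sit in between. The following added Python example (not Fortinet tooling and not part of this article) turns that difference into a triage helper: it walks debug lines of that shape, groups them per transaction from handle_dns_request() to dns_query_delete(), and records the ingress ifindex, whether a local lookup ran, and how many response bytes were sent. The sample input is the two traces from this article pasted together; the regular expressions are written against the line formats shown here and are an assumption for any other firmware build.

```python
"""Classify FortiGate dnsproxy debug output per DNS transaction.

Added example, not Fortinet tooling. Line formats are taken from the
'diagnose debug application dnsproxy' output reproduced in the article;
other firmware builds may differ.
"""
import re

# Constructed sample: the dropped query (id 0x3604, ingress ifindex 33) and
# the answered query (id 0x3b88, ifindex 34) from the article, concatenated.
SAMPLE_DEBUG = """\
[worker 0] batch_on_read()-3543
[worker 0] udp_receive_request()-3132
[worker 0] udp_receive_request()-3182: vd=0, vrf=0, intf=33, len=53, alen=16, 10.0.10.245:45183=>10.0.20.20
[worker 0] handle_dns_request()-2478: vfid=0 real_vfid=0 id=0x3604 pktlen=53 qr=0 req_type=3
[worker 0] dns_parse_message()-603
[worker 0] get_intf_policy()-1475: ifindex=33
[worker 0] dns_query_delete()-588: orig id:0x3604 local id:0x0000 domain=fortinet.com use=5 non-active
[worker 0] dns_query_cleanup()-567: use=2
[worker 0] udp_receive_request()-3132
[worker 0] handle_dns_request()-2478: vfid=0 real_vfid=0 id=0x3b88 pktlen=53 qr=0 req_type=3
[worker 0] dns_parse_message()-603
[worker 0] get_intf_policy()-1475: ifindex=34
[worker 0] dns_local_lookup_common()-2534: vfid=0, real_vfid=0, view=2, qname=fortinet.com, qtype=1, qclass=1, offset=30, map#=2 max_sz=512
[worker 0] dns_send_cached_response()-1736: domain=fortinet.com
[worker 0] dns_send_response()-1634: domain=fortinet.com reslen=73
[worker 0] __dns_udp_forward_response()-1522: vd-0 Send 73B via fd=7, family=2
[worker 0] __dns_udp_forward_response()-1576: vd=0 send 73B response 10.0.0.253:53=>10.0.10.245:60808
[worker 0] dns_query_delete()-588: orig id:0x3b88 local id:0x0000 domain=fortinet.com use=5 non-active
[worker 0] dns_query_cleanup()-567: use=2
"""

HANDLE = re.compile(r"handle_dns_request\(\)-\d+: .*?\bid=(0x[0-9a-f]+)")
INTF = re.compile(r"get_intf_policy\(\)-\d+: ifindex=(\d+)")
LOOKUP = re.compile(r"dns_local_lookup_common\(\)-\d+: .*?qname=(\S+),")
SEND = re.compile(r"__dns_udp_forward_response\(\)-\d+: vd=\d+ send (\d+)B response (\S+)=>(\S+)")
DELETE = re.compile(r"dns_query_delete\(\)-\d+: orig id:(0x[0-9a-f]+) .*?domain=(\S+)")


def classify_dnsproxy(lines):
    """Return one record per transaction: id, ingress ifindex, qname, whether a
    local lookup ran, response bytes sent, reply destination and a verdict."""
    records, cur = [], None
    for line in lines:
        if m := HANDLE.search(line):
            # A new request starts a new record; anything before it is noise.
            cur = {"id": m.group(1), "ifindex": None, "qname": None,
                   "lookup": False, "sent_bytes": 0, "reply_to": None, "verdict": None}
            continue
        if cur is None:
            continue
        if m := INTF.search(line):
            cur["ifindex"] = int(m.group(1))
        elif m := LOOKUP.search(line):
            cur["lookup"] = True
            cur["qname"] = m.group(1)
        elif m := SEND.search(line):
            cur["sent_bytes"] += int(m.group(1))
            cur["reply_to"] = m.group(3)
        elif m := DELETE.search(line):
            # dns_query_delete closes the transaction; it also carries the
            # domain, which is the only place it appears for a dropped query.
            cur["qname"] = cur["qname"] or m.group(2)
            if cur["sent_bytes"]:
                cur["verdict"] = "answered"
            elif not cur["lookup"]:
                # No lookup after get_intf_policy: the ingress-interface check
                # described in the article is the first thing to verify.
                cur["verdict"] = "dropped after get_intf_policy"
            else:
                cur["verdict"] = "lookup ran but no response sent"
            records.append(cur)
            cur = None
    return records


def dropped_ifindexes(records):
    """Ingress ifindex values whose queries were dropped before lookup."""
    return sorted({r["ifindex"] for r in records
                   if r["verdict"] == "dropped after get_intf_policy"})


if __name__ == "__main__":
    recs = classify_dnsproxy(SAMPLE_DEBUG.splitlines())
    for r in recs:
        print("id=%s ifindex=%s qname=%s sent=%dB -> %s"
              % (r["id"], r["ifindex"], r["qname"], r["sent_bytes"], r["verdict"]))
    print("ifindexes with dropped queries:", dropped_ifindexes(recs))
```

On the sample, transaction 0x3604 is reported as dropped after get_intf_policy on ifindex 33 with zero bytes sent, and 0x3b88 as answered with 73 bytes sent to 10.0.10.245:60808; the ifindex list gives the interfaces to compare against config system dns-server.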

 

Note:

On v7.6.1 there is a change of behaviour: for both loopback and regular interfaces, it is not necessary to add the ingress interface to the dns-server table.
