Description | This article explains FortiGate's ability to inspect passing DNS query responses and update the kernel's IP list for local FQDN address objects with the addresses they contain. |
Scope | FortiOS. |
Solution |
Background:
- The below diagram is used to explain this behavior.
- The FQDN and related IPs are used only to explain this behavior.
- FortiGate is configured to use an external public DNS server.
- fortinet.com.evelab.com is added to FortiGate as an FQDN address object.
- The local DNS server has a static DNS entry mapping fortinet.com.evelab.com to the IP 10.10.10.10.
- The internal PC uses the local DNS server and sends all of its DNS queries to it.
Observations and Notes:
- FortiGate queries the external DNS server to resolve the FQDN fortinet.com.evelab.com and adds the resulting IP, 89.31.143.1, to the list:

# firewall fqdn list-ip
List all IP FQDN:
fqdn_u 0x105b0b86 fortinet.com.evelab.com: type:(1) ID(54) count(1) generation(16) data_len:13 flag: 1
ip list: (1 ip in total)
ip: 89.31.143.1 <-
Total ip fqdn range blocks: 1.
Total ip fqdn addresses: 1.
- Then, once the internal PC queries the local DNS server for fortinet.com.evelab.com, it gets the IP address 10.10.10.10. Because this DNS traffic is routed through FortiGate, the answer in the DNS response is also added to the FQDN address list, as shown below:

# firewall fqdn list-ip
fqdn_u 0x105b8d96 fortinet.com.evelab.com: type:(1) ID(54) count(2) generation(17) data_len:26 flag: 1
ip list: (1 ip in total)
ip: 89.31.143.1 <-
ip list: (1 ip in total)
ip: 10.10.10.10 <-
Total ip fqdn range blocks: 2.
Total ip fqdn addresses: 2.
- The above behavior might not be desired in some implementations.
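The following added example (not Fortinet's code) shows how an operator can audit the behavior described above: it parses a constructed copy of the "firewall fqdn list-ip" output and reports any address in an FQDN object that the FortiGate's own configured resolver did not return, flagging private addresses separately. The "expected" mapping is an assumption supplied by the operator, for example from a direct lookup against the external DNS server.

```python
import ipaddress
import re

# Constructed sample, modelled on the second "firewall fqdn list-ip" listing
# above (after the snooped local DNS reply was added to the object).
SAMPLE_OUTPUT = """\
# firewall fqdn list-ip
List all IP FQDN:
fqdn_u 0x105b8d96 fortinet.com.evelab.com: type:(1) ID(54) count(2) generation(17) data_len:26 flag: 1
ip list: (1 ip in total)
ip: 89.31.143.1 <-
ip list: (1 ip in total)
ip: 10.10.10.10 <-
Total ip fqdn range blocks: 2.
Total ip fqdn addresses: 2.
"""

# One header line per FQDN object; the IPs that follow belong to it.
FQDN_HEADER = re.compile(r"^fqdn_u\s+0x[0-9a-f]+\s+(\S+):\s+.*count\((\d+)\)")
IP_LINE = re.compile(r"^ip:\s+(\d+\.\d+\.\d+\.\d+)")


def parse_fqdn_list(text):
    """Return {fqdn: [ip, ...]} from 'firewall fqdn list-ip' output."""
    result = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        header = FQDN_HEADER.match(line)
        if header:
            current = header.group(1)
            result[current] = []
            continue
        ip = IP_LINE.match(line)
        if ip and current is not None:
            result[current].append(ip.group(1))
    return result


def find_unexpected(parsed, expected):
    """Flag addresses that are in an FQDN object but not in the operator's
    expected set (assumed input). Each finding is (ip, is_private)."""
    findings = {}
    for fqdn, ips in parsed.items():
        extra = [(ip, ipaddress.ip_address(ip).is_private)
                 for ip in ips if ip not in expected.get(fqdn, set())]
        if extra:
            findings[fqdn] = extra
    return findings
```

Run it against the real CLI output after each dnsproxy restart to confirm the undesired entry is gone rather than waiting for the DNS TTL to expire.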
Solution: There are two workarounds to change this behavior as shown below:
- Disable network visibility:

# config system network-visibility
    set destination-visibility disable
end
- Remove the DNS session helper entry (entry 14 is the dns-udp helper in the default configuration; confirm the entry number with 'show system session-helper' before deleting it):

# config system session-helper
    delete 14
end
Note: The dnsproxy service must be restarted after making the above changes. If the FortiGate units are deployed in an HA cluster, the dnsproxy service must be restarted on all HA members at about the same time, to prevent one of the secondary units from updating the primary's FQDN list with the undesired IP. Without restarting dnsproxy, the undesired entry will stay until the DNS TTL expires.

# diagnose test application dnsproxy 99
Copyright 2024 Fortinet, Inc. All Rights Reserved.