FortiGate
aabukhshim
Staff
Article Id 253859
Description This article explains how FortiGate inspects DNS responses that pass through it and updates the kernel's IP list for local FQDN address objects with the answers they carry, in addition to the answers it obtains from its own configured DNS servers, and how to change that behavior.
Scope FortiOS.
Solution

Background: 

- The diagram below is used to explain this behavior.

- The FQDN and the related IPs are used only to explain this behavior.

 [Diagram: FQDN.JPG]

 

- FortiGate is configured to use external public DNS.  

- fortinet.com.evelab.com is added to FortiGate as an FQDN address object.  

- The local DNS server has a static DNS entry mapping fortinet.com.evelab.com to 10.10.10.10.

- The Internal PC uses the local DNS server. The Internal PC will send all DNS queries to the local DNS server.

  

Observations and Notes:  

- FortiGate queries the external DNS server to resolve the FQDN fortinet.com.evelab.com and adds the answer, 89.31.143.1, to the object's IP list:

 

# diagnose firewall fqdn list-ip
List all IP FQDN:
fqdn_u 0x105b0b86 fortinet.com.evelab.com: type:(1) ID(54) count(1) generation(16) data_len:13 flag: 1
ip list: (1 ip in total)
ip: 89.31.143.1  <-
Total ip fqdn range blocks: 1.
Total ip fqdn addresses: 1.

 

- Once the internal PC queries the local DNS server for fortinet.com.evelab.com, it gets the IP address 10.10.10.10. Because that DNS exchange is routed through FortiGate, the answer in the response is snooped and added to the FQDN object's IP list as a second entry, as shown below:

 

# diagnose firewall fqdn list-ip
List all IP FQDN:
fqdn_u 0x105b8d96 fortinet.com.evelab.com: type:(1) ID(54) count(2) generation(17) data_len:26 flag: 1
ip list: (1 ip in total)
ip: 89.31.143.1  <-
ip list: (1 ip in total)
ip: 10.10.10.10  <-
Total ip fqdn range blocks: 2.
Total ip fqdn addresses: 2.

 

- Firewall policies that reference the FQDN object match on this IP list, so the policies now also match 10.10.10.10, an address FortiGate learned from a DNS response it merely forwarded rather than from its own configured resolver. This behavior might not be desired in some implementations.
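As an added example (not part of the original article or of FortiOS), the following Python script parses the text of `diagnose firewall fqdn list-ip` and reports two things: cached IPs that the resolver you consider authoritative did not return, and cached IPs in private address space, which for a public name is the usual sign of an answer snooped from an internal DNS exchange. The sample output is constructed from the second listing above, and the `EXPECTED` answer set is an assumption standing in for whatever the servers under `config system dns` actually return in your environment.

```python
"""Audit the IP list of FortiGate FQDN address objects.

Input is the text of 'diagnose firewall fqdn list-ip' (collected over SSH or
from a saved session). Output is the set of cached IPs that widen the object
beyond what the firewall's own resolver returned.
"""
import ipaddress
import re
from typing import Dict, List, Set

# Constructed sample, modelled on the second list-ip output in the article:
# one entry from the firewall's own resolver plus 10.10.10.10, learned from the
# internal PC's DNS exchange with the local DNS server.
SAMPLE_OUTPUT = """\
List all IP FQDN:
fqdn_u 0x105b8d96 fortinet.com.evelab.com: type:(1) ID(54) count(2) generation(17) data_len:26 flag: 1
ip list: (1 ip in total)
ip: 89.31.143.1
ip list: (1 ip in total)
ip: 10.10.10.10
Total ip fqdn range blocks: 2.
Total ip fqdn addresses: 2.
"""

# Hypothetical authoritative answers per name, e.g. obtained by querying the
# servers configured under 'config system dns' directly.
EXPECTED: Dict[str, Set[str]] = {"fortinet.com.evelab.com": {"89.31.143.1"}}

_FQDN_RE = re.compile(r"^fqdn_u\s+0x[0-9a-fA-F]+\s+(?P<name>\S+):")
_IP_RE = re.compile(r"^ip:\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})")


def parse_fqdn_list(output: str) -> Dict[str, List[str]]:
    """Map each FQDN object name in the diag output to its cached IPs, in order."""
    objects: Dict[str, List[str]] = {}
    current = None
    for raw in output.splitlines():
        line = raw.strip()
        m = _FQDN_RE.match(line)
        if m:
            current = m.group("name")
            objects.setdefault(current, [])
            continue
        m = _IP_RE.match(line)
        if m and current is not None:
            objects[current].append(m.group("ip"))
    return objects


def unexpected_entries(output: str, expected: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Cached IPs per object that are absent from the authoritative answer set.

    Every firewall policy that references the object matches on this list, so
    each stray entry widens the policy to traffic that was not intended.
    """
    findings: Dict[str, List[str]] = {}
    for name, ips in parse_fqdn_list(output).items():
        stray = [ip for ip in ips if ip not in expected.get(name, set())]
        if stray:
            findings[name] = stray
    return findings


def private_entries(output: str) -> Dict[str, List[str]]:
    """Cached IPs in private, loopback or link-local space (RFC 1918 and friends)."""
    findings: Dict[str, List[str]] = {}
    for name, ips in parse_fqdn_list(output).items():
        private = [ip for ip in ips if ipaddress.ip_address(ip).is_private]
        if private:
            findings[name] = private
    return findings


if __name__ == "__main__":
    for name, ips in unexpected_entries(SAMPLE_OUTPUT, EXPECTED).items():
        print(f"{name}: not returned by configured resolver -> {', '.join(ips)}")
    for name, ips in private_entries(SAMPLE_OUTPUT).items():
        print(f"{name}: private-range entries -> {', '.join(ips)}")
```

Run it periodically against fresh `diagnose firewall fqdn list-ip` output from each cluster member; a non-empty result for a public name is a good trigger to re-check whether the snooping described above is still enabled.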

 

Solution: 

There are two workarounds, either of which stops the behavior shown above: 

 

- Disable network visibility (destination visibility):

# config system network-visibility
    set destination-visibility disable
end

 

- Remove the DNS session helper entry. On a default configuration entry 14 is the dns-udp helper (UDP port 53); confirm with 'show system session-helper 14' before deleting it, since the index can differ on a customized unit:

# config system session-helper
    delete 14
end

 

Note: The dnsproxy service must be restarted after either change, because without a restart the undesired entry stays in the FQDN list until its DNS TTL expires. If the FortiGate units are deployed in an HA cluster, restart dnsproxy on all HA members at about the same time, otherwise a secondary unit can update the primary's FQDN list with the undesired IP again. The restart command is:

# diagnose test application dnsproxy 99

After the restart, run 'diagnose firewall fqdn list-ip' again and confirm that only the IP returned by the configured DNS servers (89.31.143.1 in this example) remains in the list.