Created on ‎07-20-2009 06:23 AM Edited on ‎11-23-2024 05:58 AM By Jean-Philippe_P
Description
This article describes the DNS debug information that can be collected from the FortiGate CLI, both before FortiOS 3.0 MR6 and from MR7 onwards, and the extended dnsproxy test command available in FortiOS 7.x.
The FortiGate uses DNS for several of its functions, including communication with FortiGuard, sending email alerts, and URL blocking (using FQDN).
The DNS cache is updated every time DNS traffic passes through the FortiGate.
Scope
FortiGate.
Solution
Before FortiOS 3.0 MR6, DNS troubleshooting was performed with the haproxy debug command, which dumps the FQDN entries with their ID, reference count, expiry time and TTL:
diag debug haproxy dump
www.fortinet.com: ID(107) REF(1) EXPIRE(1224623673, ttl 3600) VD(0, ref 1)
---End of FQDN entry dump (total 1)--
Since MR7, a dnsproxy test command is available on the FortiGate. Its options can be listed with the following command:
diag test application dnsproxy ?
1. Clear dns cache
2. Show stats
3. Dump DNS setting
4. Reload FQDN
5. Requery FQDN
6. Dump FQDN
Below are examples of the output for each option.

Clear the DNS cache:
diag test application dnsproxy 1

DNS statistics:
diag test application dnsproxy 2
DNS_CACHE: alloc=4
DNS UDP: req=13, res=4, fwd=4, hits=9, alloc=0 cur=4
FQDN: alloc=1
DNS TCP: req=0, alloc=0

DNS settings:
diag test application dnsproxy 3
Management: vd=root, id=0, master=1:1
DNS server 0: x.x.x.x:53
DNS server 1: x.x.x.x:53
DNS server 2: x.x.x.x:53
DNS server 3: x.x.x.x:53
DNS_CACHE: hash-size=2048, ttl=1800, min-ttl=60, max-num=5000
DNS FD: mgmt_s=7, mgmt_c=8, mgmt_c2=9, ha_s=5 ha_c=6 unix_s=10, unix_nb_s=11, unix_nc_s=12
relay dmz in root: fd=13
relay internal in root: fd=14
dns_out_sock=8, mgmt_recreate_sock=0 mgmt_switched=0, jiffies=91669
FQDN: hash_size=1024, current_query=1024
DNS FD: tcp_s=15
Dump FQDN (one line per FQDN address object, with its remaining TTL and the resolved address):
diag test application dnsproxy 6
vfid=0 name=www.fortinet.com: timer running, min_ttl=43200:43129, slot=-1, num=1 X.X.X.X
Options 4 and 5 simply reload and re-query the FQDN entries:
diag test application dnsproxy 4
diag test application dnsproxy 5

To watch dnsproxy activity in real time, enable its debug output and trigger a lookup, for example with a ping to a hostname:
diag debug application dnsproxy -1
diag debug enable
execute ping www.fortinet.com

Turn the debug output off again afterwards with 'diag debug disable' followed by 'diag debug reset'.
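To spot problems in this output quickly, the following Python script (an added example, not taken from this article or from Fortinet) parses the statistics of option 2 and the FQDN dump of option 6, computes the UDP cache hit ratio and lists FQDN address objects that currently resolve to no address. The sample text is constructed from the lines shown above, the addresses are RFC 5737 documentation addresses, and the meaning of the req/hits counters and the layout of the address list after num= are assumptions made for the example.

```python
import re

# Constructed sample output, modelled on the 'diag test application dnsproxy 2'
# (statistics) and 'diag test application dnsproxy 6' (FQDN dump) lines shown in
# the article. The addresses are documentation addresses, not real resolutions,
# and the second FQDN line is a made-up unresolved entry.
STATS_SAMPLE = """\
DNS_CACHE: alloc=4
DNS UDP: req=13, res=4, fwd=4, hits=9, alloc=0 cur=4
FQDN: alloc=1
DNS TCP: req=0, alloc=0
"""

FQDN_SAMPLE = """\
vfid=0 name=www.fortinet.com: timer running, min_ttl=43200:43129, slot=-1, num=1 203.0.113.10
vfid=0 name=updates.example.test: timer running, min_ttl=60:12, slot=-1, num=0
"""

STATS_LINE = re.compile(r"^(?P<section>[A-Z_ ]+?):\s*(?P<body>.*)$")
COUNTER = re.compile(r"(\w+)=(-?\d+)")
FQDN_LINE = re.compile(
    r"^vfid=(?P<vfid>\d+) name=(?P<name>\S+?): timer (?P<timer>\w+), "
    r"min_ttl=(?P<ttl>\d+):(?P<left>\d+), slot=(?P<slot>-?\d+), "
    r"num=(?P<num>\d+)(?P<addrs>.*)$"
)


def parse_stats(text):
    """Turn each 'SECTION: k=v, k=v ...' line into {section: {k: int}}."""
    stats = {}
    for line in text.splitlines():
        m = STATS_LINE.match(line.strip())
        if not m:
            continue  # skip prompts and unrelated lines
        stats[m.group("section")] = {k: int(v) for k, v in COUNTER.findall(m.group("body"))}
    return stats


def udp_hit_ratio(stats):
    """Share of UDP requests answered from the dnsproxy cache.

    Assumption: req counts all UDP client requests and hits the ones served
    from cache. A ratio near zero in steady state means nearly every lookup
    is being forwarded to the configured DNS servers.
    """
    udp = stats.get("DNS UDP", {})
    req = udp.get("req", 0)
    return udp.get("hits", 0) / req if req else 0.0


def parse_fqdn_dump(text):
    """Parse the FQDN dump into one record per FQDN address object."""
    entries = []
    for line in text.splitlines():
        m = FQDN_LINE.match(line.strip())
        if not m:
            continue
        entries.append({
            "vfid": int(m.group("vfid")),
            "name": m.group("name"),
            "timer": m.group("timer"),
            "min_ttl": int(m.group("ttl")),
            "ttl_left": int(m.group("left")),
            "num": int(m.group("num")),
            # assumption: the resolved addresses follow num=, space separated
            "addrs": m.group("addrs").split(),
        })
    return entries


def unresolved_fqdns(entries):
    """Names of FQDN objects with no resolved address.

    An FQDN address object that resolves to nothing matches no traffic, so a
    policy that relies on it to block a destination blocks nothing. These are
    the entries to re-query (option 5) and to check against the DNS servers
    listed by option 3.
    """
    return [e["name"] for e in entries if e["num"] == 0 or not e["addrs"]]


if __name__ == "__main__":
    stats = parse_stats(STATS_SAMPLE)
    print(f"UDP cache hit ratio: {udp_hit_ratio(stats):.2f}")
    for name in unresolved_fqdns(parse_fqdn_dump(FQDN_SAMPLE)):
        print(f"unresolved FQDN object: {name}")
```

Paste the real CLI output into the two sample strings, or read it from a file, to run the same checks against a live unit; an unresolved entry that persists after option 5 points at the DNS servers or the path to them rather than at the FQDN object.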
In FortiOS 7.0, 7.2, 7.4 and 7.6 the dnsproxy test command offers more options:
diag test application dnsproxy ?
1. Clear DNS cache
2. Show stats
3. Dump DNS setting
4. Reload FQDN
5. Requery FQDN
6. Dump FQDN
7. Dump DNS cache
8. Dump DNS DB
9. Reload DNS DB
10. Dump secure DNS policy/profile
11. Dump Botnet domain
12. Reload Secure DNS setting
13. Show Hostname cache
14. Clear Hostname cache
15. Show SDNS rating cache
16. Clear SDNS rating cache
17. DNS debug bit mask
18. DNS debug obj mem
99. Restart dnsproxy worker
Scenario:
In FortiOS 7.0.0 and above, 'diag test application dnsproxy 15' will not show SDNS rating cache results when the DNS filter profile is applied in flow mode, because flow-mode DNS filtering is handled by the IPS engine rather than by dnsproxy. If the policy is changed to proxy mode, the results are displayed.
From v7.6.0, the DNS system database configuration has a 'source-ip-interface' option, so that the interface name rather than a fixed address determines the source IP; this avoids problems when the interface address changes dynamically.
Refer to the following documents for more information:
Implement the interface name as the source IP address in RADIUS, LDAP, and DNS configurations
DNS filter handled by IPS engine in flow mode
Related article:
Technical Tip: How to perform a hostname to IP address resolution on a FortiGate unit
Copyright 2024 Fortinet, Inc. All Rights Reserved.