FortiGate
KC_Hing
Staff
Article Id 242183
Description

The DNS translation feature rewrites resolved DNS IP addresses to internal IP addresses, using a DNS filter profile that is applied to a specific firewall policy.

 

This article describes the dnsproxy debug output used to identify why DNS translation is not taking effect.

Scope

FortiGate.

Solution

In this scenario, internal network users perform a DNS query for www.example.com and must not receive the original www.example.com IP address, 93.184.216.34. Instead, the resolved address is replaced with 192.168.3.4.

 

1) Create a DNS filter profile with a DNS translation entry:

 

# config dnsfilter profile
    edit "DNS_Rewrite"
        config dns-translation
            edit 1
                set src 93.184.216.34
                set dst 192.168.3.4
            next
        end
    next
end

 

2) Apply the DNS filter profile to the firewall policy:

 

# config firewall policy
    edit 1
        set name "All_Internet"
        set srcintf "port3"
        set dstintf "virtual-wan-link"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set dnsfilter-profile "DNS_Rewrite" <-----
        set logtraffic all
        set nat enable
    next
end

 

3) Run the DNS proxy debug commands to verify DNS translation traffic, comparing the working and non-working scenarios:

 

# diag debug application dnsproxy 255

# diag debug enable

 

Working debug outputs:

 

[worker 0] udp_receive_redirect()-3133: vd=0, vrf=0, intf=5, len=35, alen=16, 10.129.2.76:59943=>8.8.8.8
[worker 0] handle_dns_request()-2338: vfid=0 real_vfid=0 id=0x0016 pktlen=35 qr=0 req_type=2
[worker 0] dns_parse_message()-603
[worker 0] dns_policy_find_by_idx()-2650: vfid=0 idx=1
[worker 0] dns_secure_log_request()-1114: id:0x0016 pktlen=35 profile=default ifindex=5
[worker 0] dns_policy_find_by_idx()-2650: vfid=0 idx=1
[worker 0] dns_secure_log_request()-1194: write to log: qname=wwww.example.com qtype=1
[worker 0] dns_profile_do_url_rating()-1943: vfid=0 profile=default category=255 domain=wwww.example.com
[worker 0] botnet_domain_search()-2121: domain=wwww.example.com passed botnet check
[worker 0] dns_profile_do_url_rating()-2051: request filter result for wwww.example.com (type=0 action=9)
[worker 0] dns_rating_cache_check()-575: domain=wwww.example.com
[worker 0] dns_rating_cache_check()-585: found cached category=39
[worker 0] dns_send_cached_response()-1642: domain=wwww.example.com
[worker 0] dns_query_save_response()-2557: domain=wwww.example.com pktlen=80
[worker 0] dns_adjust_ttl_values()-139
[worker 0] dns_adjust_ttl_values()-142: Offset of 1st RR: 35
[worker 0] dns_adjust_ttl_values()-144: Number of RR's: 2
[worker 0] dns_adjust_ttl_values()-155: New ttl: 7542
[worker 0] dns_adjust_ttl_values()-155: New ttl: 327
[worker 0] dns_forward_response()-1617
[worker 0] dns_secure_forward_response()-1573: category=39 profile=default
[worker 0] dns_profile_do_url_rating()-1943: vfid=0 profile=default category=39 domain=wwww.example.com <<<
[worker 0] dns_answer_is_blocked()-1683: translated reply ip=93.184.216.34 to 192.168.3.5 (id=6) <<<
[worker 0] dns_profile_do_url_rating()-2051: response filter result for wwww.example.com (type=6 action=9) <<<

 

Non-working debug outputs:

 

[worker 0] udp_receive_redirect()-3133: vd=0, vrf=0, intf=5, len=33, alen=16, 10.129.2.76:57225=>8.8.8.8
[worker 0] handle_dns_request()-2338: vfid=0 real_vfid=0 id=0x000c pktlen=33 qr=0 req_type=2
[worker 0] dns_parse_message()-603
[worker 0] dns_policy_find_by_idx()-2650: vfid=0 idx=1
[worker 0] dns_secure_log_request()-1114: id:0x000c pktlen=33 profile=default ifindex=5
[worker 0] dns_policy_find_by_idx()-2650: vfid=0 idx=1
[worker 0] dns_secure_log_request()-1194: write to log: qname=www.example.com qtype=1
[worker 0] dns_profile_do_url_rating()-1943: vfid=0 profile=default category=255 domain=www.example.com
[worker 0] botnet_domain_search()-2121: domain=www.example.com passed botnet check
[worker 0] dns_profile_do_url_rating()-2051: request filter result for www.example.com (type=0 action=9)
[worker 0] dns_rating_cache_check()-575: domain=www.example.com
[worker 0] dns_query_profile_check()-2148: cannot find SDNS server (domain=www.example.com)    <<<
[worker 0] dns_secure_apply_action()-2067: action=3 category=255 log=0 error_allow=0 profile=default    <<<
[worker 0] dns_secure_answer_redir()-1571
[worker 0] dns_secure_answer_redir()-1616: redir ip is not specified
[worker 0] dns_send_error_response()-1712: domain=www.example.com err=2

 

As the non-working debug output shows ("cannot find SDNS server" followed by an error response), the translation is never applied because the FortiGate cannot reach the FortiGuard SDNS server, so it is necessary to check the connection between the FortiGate and the SDNS server.
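To make the comparison of the two debug captures repeatable, the following added example (not part of the article) parses the dnsproxy lines shown above and reports whether the answer was translated, whether the SDNS server lookup failed, and the error code returned. The sample lines are copied from the article's working and non-working outputs; the function and verdict names are this example's own.

```python
import re

# Patterns matched against the dnsproxy debug lines shown in the article.
RE_QNAME = re.compile(r"write to log: qname=(?P<qname>\S+) qtype=(?P<qtype>\d+)")
RE_TRANSLATED = re.compile(
    r"translated reply ip=(?P<src>[\d.]+) to (?P<dst>[\d.]+) \(id=(?P<id>\d+)\)")
RE_NO_SDNS = re.compile(r"cannot find SDNS server \(domain=(?P<domain>\S+)\)")
RE_ERROR = re.compile(r"dns_send_error_response\(\)-\d+: domain=(?P<domain>\S+) err=(?P<err>\d+)")


def analyze_dnsproxy_debug(lines):
    """Classify one DNS transaction from 'diag debug application dnsproxy' output.

    verdict is 'translated' when dns_answer_is_blocked() rewrote the answer,
    'sdns-unreachable' when dnsproxy could not find a FortiGuard SDNS server,
    'error' when only an error response was sent, else 'no-translation'.
    """
    result = {"qname": None, "translated": None, "sdns_missing": False, "error": None}
    for line in lines:
        if (m := RE_QNAME.search(line)):
            result["qname"] = m.group("qname")
        elif (m := RE_TRANSLATED.search(line)):
            result["translated"] = (m.group("src"), m.group("dst"))
        elif RE_NO_SDNS.search(line):
            result["sdns_missing"] = True
        elif (m := RE_ERROR.search(line)):
            result["error"] = int(m.group("err"))
    if result["translated"]:
        result["verdict"] = "translated"
    elif result["sdns_missing"]:
        result["verdict"] = "sdns-unreachable"
    elif result["error"] is not None:
        result["verdict"] = "error"
    else:
        result["verdict"] = "no-translation"
    return result


# Sample input: lines copied from the article's working and non-working captures.
WORKING = [
    "[worker 0] dns_secure_log_request()-1194: write to log: qname=wwww.example.com qtype=1",
    "[worker 0] dns_rating_cache_check()-585: found cached category=39",
    "[worker 0] dns_answer_is_blocked()-1683: translated reply ip=93.184.216.34 to 192.168.3.5 (id=6) <<<",
]
BROKEN = [
    "[worker 0] dns_secure_log_request()-1194: write to log: qname=www.example.com qtype=1",
    "[worker 0] dns_query_profile_check()-2148: cannot find SDNS server (domain=www.example.com)    <<<",
    "[worker 0] dns_secure_answer_redir()-1616: redir ip is not specified",
    "[worker 0] dns_send_error_response()-1712: domain=www.example.com err=2",
]

if __name__ == "__main__":
    print("working:", analyze_dnsproxy_debug(WORKING))
    print("broken: ", analyze_dnsproxy_debug(BROKEN))
```

Feed it the full capture from the CLI (one line per list entry); a 'sdns-unreachable' verdict is the signature to look for before checking FortiGuard connectivity.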
