In this scenario, internal network users perform a DNS query for www.example.com and, instead of the original www.example.com address 93.184.216.34, receive the translated address 192.168.3.4.
- To create a DNS Filter profile for DNS translation:
config dnsfilter profile
    edit "DNS_Rewrite"
        config dns-translation
            edit 1
                set src 93.184.216.34
                set dst 192.168.3.4
            next
        end
    next
end
- Apply the DNS filter profile to the firewall policy:
config firewall policy
    edit 1
        set name "All_Internet"
        set srcintf "port3"
        set dstintf "virtual-wan-link"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set dnsfilter-profile "DNS_Rewrite" <-----
        set logtraffic all
        set nat enable
    next
end
- Run the DNS proxy debug to verify DNS translation traffic in working and non-working scenarios:
diag debug application dnsproxy 255
diag debug enable
Working debug outputs:
[worker 0] udp_receive_redirect()-3133: vd=0, vrf=0, intf=5, len=35, alen=16, 10.129.2.76:59943=>8.8.8.8
[worker 0] handle_dns_request()-2338: vfid=0 real_vfid=0 id=0x0016 pktlen=35 qr=0 req_type=2
[worker 0] dns_parse_message()-603
[worker 0] dns_policy_find_by_idx()-2650: vfid=0 idx=1
[worker 0] dns_secure_log_request()-1114: id:0x0016 pktlen=35 profile=default ifindex=5
[worker 0] dns_policy_find_by_idx()-2650: vfid=0 idx=1
[worker 0] dns_secure_log_request()-1194: write to log: qname=wwww.example.com qtype=1
[worker 0] dns_profile_do_url_rating()-1943: vfid=0 profile=default category=255 domain=wwww.example.com
[worker 0] botnet_domain_search()-2121: domain=wwww.example.com passed botnet check
[worker 0] dns_profile_do_url_rating()-2051: request filter result for wwww.example.com (type=0 action=9)
[worker 0] dns_rating_cache_check()-575: domain=wwww.example.com
[worker 0] dns_rating_cache_check()-585: found cached category=39
[worker 0] dns_send_cached_response()-1642: domain=wwww.example.com
[worker 0] dns_query_save_response()-2557: domain=wwww.example.com pktlen=80
[worker 0] dns_adjust_ttl_values()-139
[worker 0] dns_adjust_ttl_values()-142: Offset of 1st RR: 35
[worker 0] dns_adjust_ttl_values()-144: Number of RR's: 2
[worker 0] dns_adjust_ttl_values()-155: New ttl: 7542
[worker 0] dns_adjust_ttl_values()-155: New ttl: 327
[worker 0] dns_forward_response()-1617
[worker 0] dns_secure_forward_response()-1573: category=39 profile=default
[worker 0] dns_profile_do_url_rating()-1943: vfid=0 profile=default category=39 domain=wwww.example.com <<<
[worker 0] dns_answer_is_blocked()-1683: translated reply ip=93.184.216.34 to 192.168.3.5 (id=6) <<<
[worker 0] dns_profile_do_url_rating()-2051: response filter result for wwww.example.com (type=6 action=9) <<<
Non-working debug outputs:
[worker 0] udp_receive_redirect()-3133: vd=0, vrf=0, intf=5, len=33, alen=16, 10.129.2.76:57225=>8.8.8.8
[worker 0] handle_dns_request()-2338: vfid=0 real_vfid=0 id=0x000c pktlen=33 qr=0 req_type=2
[worker 0] dns_parse_message()-603
[worker 0] dns_policy_find_by_idx()-2650: vfid=0 idx=1
[worker 0] dns_secure_log_request()-1114: id:0x000c pktlen=33 profile=default ifindex=5
[worker 0] dns_policy_find_by_idx()-2650: vfid=0 idx=1
[worker 0] dns_secure_log_request()-1194: write to log: qname=www.example.com qtype=1
[worker 0] dns_profile_do_url_rating()-1943: vfid=0 profile=default category=255 domain=www.example.com
[worker 0] botnet_domain_search()-2121: domain=www.example.com passed botnet check
[worker 0] dns_profile_do_url_rating()-2051: request filter result for www.example.com (type=0 action=9)
[worker 0] dns_rating_cache_check()-575: domain=www.example.com
[worker 0] dns_query_profile_check()-2148: cannot find SDNS server (domain=www.example.com) <<<
[worker 0] dns_secure_apply_action()-2067: action=3 category=255 log=0 error_allow=0 profile=default <<<
[worker 0] dns_secure_answer_redir()-1571
[worker 0] dns_secure_answer_redir()-1616: redir ip is not specified
[worker 0] dns_send_error_response()-1712: domain=www.example.com err=2
As the debug output shows, the query fails because no SDNS server can be found, so it is necessary to check the connection between the FortiGate and the SDNS server.
Note:
From v7.0.x onwards, the debugs for DNS translation have been moved to the IPS debug, so run the IPS debugs below instead. Make sure the firewall policy is in flow mode, as DNS translation operates on the IPS engine.
dia ips debug enable all
dia debug enable
Output:
[3482@8]ips_run_session_verdict_check: serial=5807 session is ACTIVE
[3482@8]ips_dsct_session_loop: serial=5807 only: dns_udp
[3482@8]dns_dissector: Operation Code: 0 flags 0x8180
[3482@8]dissect_query_records: dns request: name example.com, type 1, class 0x1, size 13
[3482@8]dissect_answer_records: dns reply: name example.com, type 1, class 0x1, size 2
[3482@8]dns_type_a: 93.184.216.34
[3482@8]translate_address_ipv4: translated resolved ip 93.184.216.34 to 1.1.1.20 (1) <<<<<<<<<<<<<<<<<
[3482@8]set_dns_redirect_message: DNS redirect UDP session 8 to 1.1.1.20 <<<<<<<<<<<<<<<<<<<<<
[3482@8]ips_send_cached_udp_packet: sess 8, send UDP packet, len 59
[3482@8]ips_eng_send_packet: send packet len=87 flags=3
0000 45 00 00 57 0E 9D 00 00 FF 11 91 73 08 08 08 08 E..W.......s....
0010 0A 31 01 45 00 35 E5 FB 00 43 49 FE .1.E.5...CI.
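The following Python script is an added example, not part of the original article and not a Fortinet tool. It parses both the dnsproxy debug output (pre-7.0.x) and the IPS-engine debug output (7.0.x onwards) shown above, classifies each query as translated or failed, and checks every observed rewrite against the configured dns-translation entries. The regular expressions match only the line formats visible on this page; the sample debug lines, the IPS session prefix and the 192.168.3.9 mismatch are constructed to exercise the checks, not captured output.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Line signatures taken from the dnsproxy debug (pre-7.0.x) ...
RE_DNSPROXY_QNAME = re.compile(r"write to log: qname=(\S+) qtype=(\d+)")
RE_DNSPROXY_TRANSLATED = re.compile(r"translated reply ip=(\S+) to (\S+)")
RE_DNSPROXY_NO_SDNS = re.compile(r"cannot find SDNS server \(domain=(\S+)\)")
RE_DNSPROXY_ERROR = re.compile(r"dns_send_error_response\(\)-\d+: domain=(\S+) err=(\d+)")
# ... and from the IPS-engine debug (7.0.x onwards).
RE_IPS_QNAME = re.compile(r"dns request: name (\S+), type (\d+)")
RE_IPS_TRANSLATED = re.compile(r"translated resolved ip (\S+) to (\S+)")


@dataclass
class DnsQuery:
    domain: str
    engine: str                          # "dnsproxy" or "ips"
    qtype: int
    translated: Optional[tuple] = None   # (resolved_ip, rewritten_ip)
    errors: list = field(default_factory=list)

    @property
    def status(self) -> str:
        if self.translated:
            return "translated"
        if self.errors:
            return "failed"
        return "untranslated"


def parse_debug(text: str) -> list:
    """Walk the debug output line by line. A new query starts at the line
    that logs the queried name; later translation/error lines attach to it."""
    queries, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RE_DNSPROXY_QNAME.search(line)
        if m:
            current = DnsQuery(m.group(1), "dnsproxy", int(m.group(2)))
            queries.append(current)
            continue
        m = RE_IPS_QNAME.search(line)
        if m:
            current = DnsQuery(m.group(1), "ips", int(m.group(2)))
            queries.append(current)
            continue
        if current is None:
            continue
        m = RE_DNSPROXY_TRANSLATED.search(line) or RE_IPS_TRANSLATED.search(line)
        if m:
            current.translated = (m.group(1), m.group(2))
            continue
        if RE_DNSPROXY_NO_SDNS.search(line):
            current.errors.append("no SDNS server reachable")
            continue
        m = RE_DNSPROXY_ERROR.search(line)
        if m:
            current.errors.append(f"error response err={m.group(2)}")
    return queries


def check_translations(queries: list, dns_translation: dict) -> list:
    """Compare observed rewrites with the configured dns-translation table
    (src -> dst) and return one finding per query that needs attention."""
    findings = []
    for q in queries:
        if q.status == "failed":
            findings.append(f"{q.domain}: query failed ({'; '.join(q.errors)}); "
                            "check FortiGate-to-SDNS connectivity")
        elif q.status == "translated":
            src, dst = q.translated
            expected = dns_translation.get(src)
            if expected is None:
                findings.append(f"{q.domain}: {src} rewritten to {dst} but "
                                f"{src} has no dns-translation entry")
            elif expected != dst:
                findings.append(f"{q.domain}: {src} rewritten to {dst}, "
                                f"configured dst is {expected}")
    return findings


# Constructed sample modelled on the two debug formats above (not captured output).
SAMPLE_DEBUG = """
[worker 0] handle_dns_request()-2338: vfid=0 real_vfid=0 id=0x0016 pktlen=35 qr=0 req_type=2
[worker 0] dns_secure_log_request()-1194: write to log: qname=www.example.com qtype=1
[worker 0] dns_rating_cache_check()-585: found cached category=39
[worker 0] dns_answer_is_blocked()-1683: translated reply ip=93.184.216.34 to 192.168.3.4 (id=6)
[worker 0] handle_dns_request()-2338: vfid=0 real_vfid=0 id=0x000c pktlen=33 qr=0 req_type=2
[worker 0] dns_secure_log_request()-1194: write to log: qname=www.example.com qtype=1
[worker 0] dns_query_profile_check()-2148: cannot find SDNS server (domain=www.example.com)
[worker 0] dns_secure_answer_redir()-1616: redir ip is not specified
[worker 0] dns_send_error_response()-1712: domain=www.example.com err=2
[3482@8]dissect_query_records: dns request: name example.com, type 1, class 0x1, size 13
[3482@8]dns_type_a: 93.184.216.34
[3482@8]translate_address_ipv4: translated resolved ip 93.184.216.34 to 192.168.3.9 (1)
"""

# The dns-translation entries configured in the "DNS_Rewrite" profile (src -> dst).
DNS_TRANSLATION = {"93.184.216.34": "192.168.3.4"}

if __name__ == "__main__":
    parsed = parse_debug(SAMPLE_DEBUG)
    for q in parsed:
        print(f"{q.engine:8} {q.domain:18} {q.status:12} {q.translated or ''}")
    for finding in check_translations(parsed, DNS_TRANSLATION):
        print("FINDING:", finding)
```

Feed it the raw output of `diag debug application dnsproxy 255` or `dia ips debug enable all` (for example via `parse_debug(open("debug.txt").read())`) to get a per-query verdict; a "failed" query with "no SDNS server reachable" is the non-working signature from the page, and a rewrite whose destination differs from the profile points at a stale or mismatched dns-translation entry rather than at SDNS connectivity.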
The following command can also be used:
dia test application dnsproxy 13
0.190.167.19 (domain=login.microsoftonline.com, ttl=86355)
20.190.167.19 (domain=login.microsoft.com, ttl=86348)
20.190.167.19 (domain=login.windows.net, ttl=86380)
1.1.1.20 (domain=example.com, ttl=86297) <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
20.190.167.20 (domain=login.microsoft.com, ttl=86348)
20.190.167.20 (domain=login.microsoftonline.com, ttl=86355)
20.190.167.20 (domain=login.windows.net, ttl=86380)