Description | This article describes how to troubleshoot the 'cannot find SDNS server (error allow domain=<url>)' error when a DNS filter profile is applied on FortiGate. |
Scope | FortiGate v6.2.0+, v6.4.0+, v7.2.0+, v7.4.0+, v7.6.0+ |
Solution |
After the DNS filter profile and ssl-ssh-profile are applied to the firewall policy, users browsing to the Internet are not filtered according to the FortiGuard categories defined in the DNS filter profile.
Use the dnsproxy debug to trace the DNS query for the domain (diagnose debug enable is required for any output to be shown):

diagnose debug application dnsproxy -1
diagnose debug console timestamp enable
diagnose debug enable
In this example, the domain xxx.com belongs to a blocked FortiGuard category, but the user can still reach it. The debug shows that no rating request is ever sent to FortiGuard: the query is forwarded straight to the regular DNS server (96.45.45.45), category=255 shows that no rating was obtained for the domain, and error_allow=1 in dns_secure_apply_action() shows that the profile's error-allow option let the reply through:

[worker 0] dns_policy_find_by_idx()-2611: vfid=0 idx=1
[worker 0] dns_secure_log_request()-1197: write to log: qname=xxx.com qtype=1
[worker 0] dns_profile_do_url_rating()-1922: vfid=0 profile=TAC category=255 domain=xxx.com
[worker 0] botnet_domain_search()-2086: domain=xxx.com passed botnet check
[worker 0] dns_rating_cache_check()-575: domain=xxx.com
[worker 0] handle_dns_request()-2276: cannot find SDNS server (error allow domain=xxx.com) <--- no FortiGuard SDNS server available, error-allow applies
[worker 0] dns_send_request()-1385
[worker 0] dns_send_resol_request()-1239: orig id: 0xa537 local id: 0xa537 domain=xxx.com
[worker 0] dns_udp_forward_request()-1067: vdom=root req_type=2 domain=xxx.com tls=0 oif=0
[worker 0] dns_udp_forward_request()-1154: Use source ip [192.168.13.105]:55661 via fd=21
[worker 0] dns_udp_forward_request()-1187: Send 29B to [96.45.45.45]:53 via fd=21 request:1
[worker 0] udp_receive_redirect()-2930
[worker 0] batch_on_read()-3176
[worker 0] udp_receive_redirect()-2930
[worker 0] udp_receive_redirect()-2987: vd=0, vrf=0, intf=3, len=473, alen=16, 96.45.45.45:53=>192.168.13.105
[worker 0] dns_query_handle_response()-2465: vfid=0 real_vfid=0 vrf=0 id=0xa537 domain=xxx.com pktlen=473
[worker 0] dns_query_save_response()-2445: domain=xxx.com pktlen=473
[worker 0] dns_set_min_ttl()-185: QR: xxx.com
[worker 0] dns_set_min_ttl()-193: Offset of 1st RR: 29 Number of RR's: 15
[worker 0] dns_set_min_ttl()-203: RR TTL: 1680
[worker 0] dns_set_min_ttl()-203: RR TTL: 138654
[worker 0] dns_set_min_ttl()-203: RR TTL: 138654
[worker 0] dns_set_min_ttl()-203: RR TTL: 138654
[worker 0] dns_set_min_ttl()-203: RR TTL: 138654
[worker 0] dns_set_min_ttl()-203: RR TTL: 138654
[worker 0] dns_set_min_ttl()-203: RR TTL: 138654
[worker 0] dns_set_min_ttl()-203: RR TTL: 138654
[worker 0] dns_set_min_ttl()-203: RR TTL: 138654
[worker 0] dns_set_min_ttl()-203: RR TTL: 146768
[worker 0] dns_set_min_ttl()-203: RR TTL: 151931
[worker 0] dns_set_min_ttl()-203: RR TTL: 158679
[worker 0] dns_set_min_ttl()-203: RR TTL: 159094
[worker 0] dns_set_min_ttl()-203: RR TTL: 163152
[worker 0] dns_set_min_ttl()-203: RR TTL: 163152
[worker 0] dns_cache_response()-288: Min ttl = 1680
[worker 0] dns_forward_response()-1603
[worker 0] dns_secure_forward_response()-1559: category=255 profile=TAC
[worker 0] dns_visibility_log_hostname()-238: vd=0 pktlen=473
[worker 0] wildcard_fqdn_response_cb()-895: vd=0 pktlen=473
[worker 0] hostname_entry_insert()-143: af=2 domain=xxx.com
[worker 0] dns_profile_do_url_rating()-1922: vfid=0 profile=TAC category=255 domain=xxx.com
[worker 0] dns_secure_apply_action()-2036: action=9 category=255 log=0 error_allow=1 profile=TAC <--- allowed because of error-allow, not because of a rating
[worker 0] dns_send_response()-1530: domain=xxx.com reslen=473
[worker 0] dns_secure_log_response()-1271: id:0x37a5 domain=xxx.com profile=TAC action=9 log=0
[worker 0] dns_policy_find_by_idx()-2611: vfid=0 idx=1
[worker 0] dns_secure_log_response()-1509: write to log: logid=54800 qname=xxx.com
[worker 0] __dns_udp_forward_response()-1417
[worker 0] __dns_udp_forward_response()-1429: vd-0 Send 473B via fd=19, family=2
[worker 0] __dns_udp_forward_response()-1432: set svf of fd to 0
[worker 0] __dns_udp_forward_response()-1476: vd=0 send 473B response 96.45.45.45:53=>192.168.13.105:55661
[worker 0] dns_query_delete()-571: orig id:0xa537 local id:0xa537 domain=xxx.com active
[worker 0] udp_receive_redirect()-2930
[worker 0] batch_on_read()-3176
[worker 0] udp_receive_redirect()-2930
The SDNS server status confirms the cause: the FGD_DNS_SERVICE_LICENSE server list is missing entirely and the FortiGuard redirect addresses (FGD_REDIR_V4/FGD_REDIR_V6) are empty, so dnsproxy has no SDNS server to send rating requests to:

diagnose test application dnsproxy 3
FGD_CATEGORY_VERSION:8
SERVER_LDB: gid=5878, tz=-300, error_allow=0
FGD_REDIR_V4:
FGD_REDIR_V6:

The DNS filter profile is configured to allow the traffic when the FortiGuard DNS servers fail:

config dnsfilter profile
    edit "TAC"
        config ftgd-dns
            set options error-allow
        end
    next
end
The CLI help lists the available values for this option:

(ftgd-dns) # set options ?
error-allow     Allow all domains when FortiGuard DNS servers fail.
ftgd-disable    Disable FortiGuard DNS domain rating.

Note that error-allow is a fail-open setting: for as long as no SDNS server is reachable, every domain is allowed and FortiGuard category filtering is effectively switched off, which is exactly what the debug output above shows. Whether fail-open is acceptable is a policy decision; in either case the SDNS server availability must be restored.
The FortiGuard settings show that no SDNS server IP is configured:

config system fortiguard
    unset sdns-server-ip
    set sdns-server-port 53
end
Set the SDNS server explicitly. The default FortiGuard SDNS server located in the USA (IP address 208.91.112.220) can be used; another option is the server in London, UK (IP address 194.69.172.53):
config system fortiguard
    set sdns-server-ip 208.91.112.220
end
The dnsproxy status now lists the licensed SDNS servers, none of them expired, and the FortiGuard redirect addresses are populated:

diagnose test application dnsproxy 3
FGD_DNS_SERVICE_LICENSE:
server=208.91.112.220:53, expiry=2025-06-01, expired=0, type=2
server=65.0.232.185:53, expiry=2025-06-01, expired=0, type=2
server=173.243.138.81:53, expiry=2025-06-01, expired=0, type=2
server=83.231.212.53:53, expiry=2025-06-01, expired=0, type=2
server=210.7.96.53:53, expiry=2025-06-01, expired=0, type=2
server=194.69.172.53:53, expiry=2025-06-01, expired=0, type=2
server=208.184.237.71:53, expiry=2025-06-01, expired=0, type=2
server=154.52.12.53:53, expiry=2025-06-01, expired=0, type=2
server=154.52.30.55:53, expiry=2025-06-01, expired=0, type=2
server=154.52.24.53:53, expiry=2025-06-01, expired=0, type=2
server=154.52.26.53:53, expiry=2025-06-01, expired=0, type=2
server=149.5.232.53:53, expiry=2025-06-01, expired=0, type=2
FGD_CATEGORY_VERSION:8
SERVER_LDB: gid=8cf4, tz=-300, error_allow=0
FGD_REDIR_V4:208.91.112.55
FGD_REDIR_V6:[2620:101:9000:53::55]
After that, when users try to access the reported URL, access is blocked according to the FortiGuard category configured in the DNS filter profile. The debug now shows a rating request sent to 208.91.112.220 and a rating response whose TLV (type=3, value=0x0e) carries category 14:
2024-10-22 13:49:21 [worker 0] dns_policy_find_by_idx()-2611: vfid=0 idx=1
2024-10-22 13:49:21 [worker 0] dns_secure_log_request()-1197: write to log: qname=xxx.com qtype=1
2024-10-22 13:49:21 [worker 0] dns_profile_do_url_rating()-1922: vfid=0 profile=TAC category=255 domain=xxx.com
2024-10-22 13:49:21 [worker 0] botnet_domain_search()-2086: domain=xxx.com passed botnet check
2024-10-22 13:49:21 [worker 0] dns_rating_cache_check()-575: domain=xxx.com
2024-10-22 13:49:21 [worker 0] dns_send_request()-1385
2024-10-22 13:49:21 [worker 0] dns_send_rating_request()-959: orig id: 0x6665 local id: 0x6665 domain=xxx.com
2024-10-22 13:49:21 [worker 0] dns_find_best_server()-553: vfid=0 profiled=1 last server:
2024-10-22 13:49:21 [worker 0] dns_request_secure_RR_append()-575
2024-10-22 13:49:21 [worker 0] dns_request_secure_RR_create()-447
2024-10-22 13:49:21 [worker 0] dns_secure_TLV_alloc()-167: type=7 length=4
2024-10-22 13:49:21 [worker 0] dns_request_secure_RR_create()-481: flag=10 gid=f48c
2024-10-22 13:49:21 [worker 0] dns_secure_TLV_encode()-213: buffer sz=998
2024-10-22 13:49:21 [worker 0] dns_secure_TLV_dump()-159: type=7 len=4 value=0x00000008
2024-10-22 13:49:21 [worker 0] dns_secure_txt_RR_char_string_encode()-374
2024-10-22 13:49:21 [worker 0] dns_request_secure_RR_create()-539: rdlen=45 p=0x7fffcad8d48a buf=0x7fffcad8d430
batch_on_read()-3176
2024-10-22 13:49:21 [worker 0] _udp_receive_response()-3053: vd-0: len=96, addr=208.91.112.220:53, rating=1 <--- rating response from the configured SDNS server
2024-10-22 13:49:21 [worker 0] dns_query_handle_rating_response()-2560: id:0x6665 domain=xxx.com pktlen=96
2024-10-22 13:49:21 [worker 0] dns_secure_handle_response()-841
2024-10-22 13:49:21 [worker 0] dns_response_secure_RR_parse()-812
2024-10-22 13:49:21 [worker 0] dns_parse_message()-603
2024-10-22 13:49:21 [worker 0] dns_parse_message()-663: TXT RR qname=secure-dns-version-1.fortinet.com
2024-10-22 13:49:21 [worker 0] dns_secure_txt_RR_char_string_decode()-412
2024-10-22 13:49:21 [worker 0] dns_response_secure_RR_rdata_parse()-728: len=20 data=464236345a51654d3941414141414d414151343d
2024-10-22 13:49:21 [worker 0] dns_response_secure_RR_rdata_parse()-783: flag=0 gid=8cf4
2024-10-22 13:49:21 [worker 0] dns_secure_TLV_decode()-247: len=5, data=000300010e
2024-10-22 13:49:21 [worker 0] dns_secure_TLV_alloc()-167: type=3 length=1
2024-10-22 13:49:21 [worker 0] dns_secure_TLV_dump()-159: type=3 len=1 value=0x0e
2024-10-22 13:49:21 [worker 0] dns_secure_TLV_find_by_type()-200: found type=3
2024-10-22 13:49:21 [worker 0] dns_secure_TLV_free()-185
2024-10-22 13:49:21 [worker 0] dns_rating_cache_add()-619:domain=xxx.com category=14 <--- FortiGuard category ID 14 (0x0e), which is blocked in the DNS filter profile
2024-10-22 13:49:21 [worker 0] batch_on_read()-3176
2024-10-22 13:49:21 [worker 0] udp_receive_redirect()-2930
2024-10-22 13:49:21 [worker 0] udp_receive_redirect()-2987: vd=0, vrf=0, intf=4, len=33, alen=16, 192.168.13.105:62296=>96.45.46.46
2024-10-22 13:49:21 [worker 0] handle_dns_request()-2107: vfid=0 real_vfid=0 id=0x6665 pktlen=33 qr=0 req_type=2
2024-10-22 13:49:21 [worker 0] dns_parse_message()-603
2024-10-22 13:49:21 [worker 0] dns_secure_get_policy_profile()-2645: vd=0 192.168.13.105:62296=>96.45.46.46:53
2024-10-22 13:49:21 [worker 0] dns_policy_find_by_idx()-2611: vfid=0 idx=1 <--- firewall policy ID 1
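As an added example (not part of the Fortinet article and not Fortinet code), the following Python script automates the two checks used above on pasted CLI output: it scans a dnsproxy debug trace for the 'cannot find SDNS server' line, the error_allow flag and the category returned by FortiGuard, and it parses 'diagnose test application dnsproxy 3' output to confirm that unexpired SDNS servers and the FGD_REDIR addresses are present. The embedded inputs are constructed, shortened excerpts of the outputs shown above; the function names and verdict strings are the script's own, and the "healthy" rule (at least one unexpired server plus a non-empty FGD_REDIR_V4) is an assumption based on the before/after outputs in this article.

```python
import re

# Constructed sample input: shortened excerpts of the two 'diagnose debug
# application dnsproxy -1' traces above, before and after an SDNS server was set.
DEBUG_BEFORE = """\
[worker 0] dns_profile_do_url_rating()-1922: vfid=0 profile=TAC category=255 domain=xxx.com
[worker 0] dns_rating_cache_check()-575: domain=xxx.com
[worker 0] handle_dns_request()-2276: cannot find SDNS server (error allow domain=xxx.com)
[worker 0] dns_udp_forward_request()-1187: Send 29B to [96.45.45.45]:53 via fd=21 request:1
[worker 0] dns_secure_apply_action()-2036: action=9 category=255 log=0 error_allow=1 profile=TAC
"""
DEBUG_AFTER = """\
2024-10-22 13:49:21 [worker 0] dns_profile_do_url_rating()-1922: vfid=0 profile=TAC category=255 domain=xxx.com
2024-10-22 13:49:21 [worker 0] dns_send_rating_request()-959: orig id: 0x6665 local id: 0x6665 domain=xxx.com
2024-10-22 13:49:21 [worker 0] _udp_receive_response()-3053: vd-0: len=96, addr=208.91.112.220:53, rating=1
2024-10-22 13:49:21 [worker 0] dns_rating_cache_add()-619:domain=xxx.com category=14
"""
# Constructed sample input: 'diagnose test application dnsproxy 3' output, before and after.
STATUS_BEFORE = """\
FGD_CATEGORY_VERSION:8
SERVER_LDB: gid=5878, tz=-300, error_allow=0
FGD_REDIR_V4:
FGD_REDIR_V6:
"""
STATUS_AFTER = """\
FGD_DNS_SERVICE_LICENSE:
server=208.91.112.220:53, expiry=2025-06-01, expired=0, type=2
server=194.69.172.53:53, expiry=2025-06-01, expired=0, type=2
FGD_CATEGORY_VERSION:8
SERVER_LDB: gid=8cf4, tz=-300, error_allow=0
FGD_REDIR_V4:208.91.112.55
FGD_REDIR_V6:[2620:101:9000:53::55]
"""

# Debug-trace lines this article relies on.
RE_SDNS_FAIL = re.compile(r"cannot find SDNS server \(error allow domain=(\S+)\)")
RE_APPLY = re.compile(r"dns_secure_apply_action\(\)-\d+: action=(\d+) category=(\d+) "
                      r"log=\d+ error_allow=([01]) profile=(\S+)")
RE_RATING_RESP = re.compile(r"_udp_receive_response\(\)-\d+: .*?addr=([\d.]+):\d+, rating=1")
RE_RATING_ADD = re.compile(r"dns_rating_cache_add\(\)-\d+:\s*domain=(\S+) category=(\d+)")
# 'diagnose test application dnsproxy 3' lines.
RE_SERVER = re.compile(r"server=(\S+):\d+, expiry=(\S+), expired=(\d)")
RE_LDB = re.compile(r"SERVER_LDB: gid=(\w+), tz=(-?\d+), error_allow=(\d)")
RE_REDIR = re.compile(r"FGD_REDIR_(V4|V6):(.*)$")


def triage_debug(text):
    """Summarise one dnsproxy debug trace: did the SDNS lookup fail, did
    error-allow fire, and which category (if any) did FortiGuard return."""
    r = {"domain": None, "sdns_unreachable": False, "error_allow_fired": False,
         "profile": None, "rating_server": None, "rated_category": None}
    for line in text.splitlines():
        if m := RE_SDNS_FAIL.search(line):
            r["domain"], r["sdns_unreachable"] = m.group(1), True
        elif m := RE_APPLY.search(line):
            r["profile"], r["error_allow_fired"] = m.group(4), m.group(3) == "1"
        elif m := RE_RATING_RESP.search(line):
            r["rating_server"] = m.group(1)
        elif m := RE_RATING_ADD.search(line):
            r["domain"], r["rated_category"] = m.group(1), int(m.group(2))
    return r


def verdict(r):
    """Human-readable conclusion from triage_debug()."""
    if r["sdns_unreachable"] and r["error_allow_fired"]:
        return (f"FAIL-OPEN: no SDNS server reachable; {r['domain']} allowed by "
                f"error-allow in profile {r['profile']} without a category rating")
    if r["sdns_unreachable"]:
        return f"SDNS unreachable: {r['domain']} got no category rating"
    if r["rated_category"] is not None:
        return (f"RATED: {r['domain']} is category {r['rated_category']} "
                f"(from {r['rating_server']}); the profile action applies")
    return "no rating activity found in trace"


def check_status(text):
    """Parse 'diagnose test application dnsproxy 3': which SDNS servers are
    listed and unexpired, and whether the FortiGuard redirect IPs are set."""
    s = {"servers": [], "usable_servers": [], "gid": None, "error_allow": None,
         "redir_v4": "", "redir_v6": ""}
    for line in text.splitlines():
        if m := RE_SERVER.search(line):
            s["servers"].append(m.group(1))
            if m.group(3) == "0":
                s["usable_servers"].append(m.group(1))
        elif m := RE_LDB.search(line):
            s["gid"], s["error_allow"] = m.group(1), m.group(3) == "1"
        elif m := RE_REDIR.search(line):
            s["redir_" + m.group(1).lower()] = m.group(2).strip()
    # Assumed health rule: at least one unexpired server and a non-empty FGD_REDIR_V4.
    s["healthy"] = bool(s["usable_servers"]) and bool(s["redir_v4"])
    return s


if __name__ == "__main__":
    for label, dbg, st in (("before", DEBUG_BEFORE, STATUS_BEFORE),
                           ("after", DEBUG_AFTER, STATUS_AFTER)):
        print(label, "->", verdict(triage_debug(dbg)))
        print(label, "->", "SDNS status healthy" if check_status(st)["healthy"]
              else "SDNS status NOT healthy (no usable server or empty FGD_REDIR)")
```

Feed the script the real output of 'diagnose debug application dnsproxy -1' and 'diagnose test application dnsproxy 3' and it reports "FAIL-OPEN" for the first trace above and "RATED ... category 14" for the second, which matches the manual reading of both traces.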
Related documents: Troubleshooting Tip: DNS rating error occurs (no available FortiGuard SDNS servers) |
Copyright 2025 Fortinet, Inc. All Rights Reserved.