FortiGate
ManoelMartins
Article Id 384786
Description

This article describes how to interpret the DNS answer in encrypted DNS communication, that is, DNS over TLS (DoT).

 

Scope

FortiGate.

 

Solution

For cleartext DNS queries (port 53), the DNS answer can be read directly from the sniffer output.

When DoT is enabled the communication is encrypted, so the answer cannot be obtained from the sniffer command; it can be obtained from the debug command instead.

The debug commands are:

diagnose debug reset       <--- reset any debug previously enabled
diagnose debug console timestamp enable      <--- add a timestamp to each debug line
diagnose debug application dnsproxy -1
diagnose debug enable

Look for the following lines in the debug output:

...
dns_cache_response()-270: Response is error (3) will not cache    <--- NXDOMAIN (RCODE 3)
...
dns_cache_response()-289: Response contains no answer. Will not cache  <---  NOERROR (empty answer section)
...
dns_cache_response()-310: Min ttl = XX   <--- NOERROR (normal answer with the respective record; XX is the minimum TTL of the answer)
...

These codes (270, 289, and 310) are the same for both cleartext and encrypted (DoT) communication.
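The following is an added example, not code from the article or from Fortinet, showing how captured output of "diagnose debug application dnsproxy -1" can be classified into the three outcomes listed above (NXDOMAIN, NOERROR with an empty answer, NOERROR with a record and its minimum TTL). It matches on the message text so it still works if the source line number after "dns_cache_response()-" differs; the timestamp prefix format (YYYY-MM-DD HH:MM:SS) and the sample debug lines are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Added example (not FortiGate code): classify the dns_cache_response() lines that
# "diagnose debug application dnsproxy -1" prints, so the DNS answer can be read
# from a DoT session where the sniffer only shows TLS. The three message texts
# are the ones quoted in the article; the source line number is captured, not required.
_PATTERNS = [
    ("ERROR_RCODE",
     re.compile(r"dns_cache_response\(\)-(?P<src>\d+): Response is error \((?P<rcode>\d+)\) will not cache")),
    ("NOERROR_EMPTY",
     re.compile(r"dns_cache_response\(\)-(?P<src>\d+): Response contains no answer\. Will not cache")),
    ("NOERROR_ANSWER",
     re.compile(r"dns_cache_response\(\)-(?P<src>\d+): Min ttl = (?P<ttl>\d+)")),
]

# Standard DNS RCODE names (RFC 1035); the article's example line carries rcode 3 = NXDOMAIN.
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

# Assumed timestamp prefix produced by "diagnose debug console timestamp enable"
# (YYYY-MM-DD HH:MM:SS); lines without it are classified the same way.
_TS_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+")


@dataclass
class DnsVerdict:
    timestamp: Optional[str]   # None when the debug line has no timestamp prefix
    source_line: int           # the number after "dns_cache_response()-"
    verdict: str               # NXDOMAIN / NOERROR_EMPTY / NOERROR_ANSWER / other RCODE name
    rcode: Optional[int] = None
    min_ttl: Optional[int] = None


def classify_line(line: str) -> Optional[DnsVerdict]:
    """Return a DnsVerdict for a dns_cache_response() line, or None for any other line."""
    ts_match = _TS_RE.match(line)
    timestamp = ts_match.group("ts") if ts_match else None
    for kind, pattern in _PATTERNS:
        m = pattern.search(line)
        if not m:
            continue
        src = int(m.group("src"))
        if kind == "ERROR_RCODE":
            # "Response is error (N)" carries the DNS RCODE; 3 is NXDOMAIN.
            rcode = int(m.group("rcode"))
            return DnsVerdict(timestamp, src, RCODE_NAMES.get(rcode, f"RCODE_{rcode}"), rcode=rcode)
        if kind == "NOERROR_EMPTY":
            return DnsVerdict(timestamp, src, "NOERROR_EMPTY", rcode=0)
        return DnsVerdict(timestamp, src, "NOERROR_ANSWER", rcode=0, min_ttl=int(m.group("ttl")))
    return None


def classify_debug_output(text: str) -> List[DnsVerdict]:
    """Classify every line of captured dnsproxy debug output, skipping lines that do not match."""
    verdicts = []
    for line in text.splitlines():
        v = classify_line(line)
        if v is not None:
            verdicts.append(v)
    return verdicts


def summarize(verdicts: List[DnsVerdict]) -> Dict[str, int]:
    """Count verdicts by type, e.g. to spot a burst of NXDOMAIN answers over a DoT session."""
    counts: Dict[str, int] = {}
    for v in verdicts:
        counts[v.verdict] = counts.get(v.verdict, 0) + 1
    return counts


# Constructed sample in the shape the article quotes (not a real capture).
SAMPLE_DEBUG = """\
2025-01-10 09:15:02 dns_cache_response()-270: Response is error (3) will not cache
2025-01-10 09:15:03 dns_cache_response()-289: Response contains no answer. Will not cache
2025-01-10 09:15:04 dns_cache_response()-310: Min ttl = 300
2025-01-10 09:15:05 dns_cache_response()-270: Response is error (2) will not cache
dns_cache_response()-310: Min ttl = 60
2025-01-10 09:15:06 dnsproxy: some unrelated debug line
"""

if __name__ == "__main__":
    for v in classify_debug_output(SAMPLE_DEBUG):
        print(v)
    print(summarize(classify_debug_output(SAMPLE_DEBUG)))
```

Paste the saved console output into SAMPLE_DEBUG (or read it from a file) to get one verdict per cache decision; the summary makes it easy to see whether a DoT resolver is mostly returning NXDOMAIN, empty NOERROR answers, or real records.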