pjang
Staff & Editor
Article Id 209895

Description

This article explains a potential cause for DNS Filter-related rating errors when using the older Unicast-based FortiGuard (i.e. 'no available Fortiguard SDNS servers'), as well as a method of improving the resiliency of the DNS Filtering function on the FortiGate to help mitigate this issue.

This article is relevant in the following specific scenarios:

  • DNS Filtering is being used in proxy-based firewall policies on FortiOS 7.0 or later (DNS Filtering operates differently in flow-based firewall policies as of FortiOS 7.0).
  • DNS Filtering is being used in general on FortiOS 6.4 or older.
  • The FortiGate has been configured for Unicast-based FortiGuard (Anycast was introduced in FortiOS 6.4 and is the default method used as of FortiOS 6.4.3 and later).

Scope

FortiGates using Unicast-based FortiGuard.

Solution

Generally speaking, 'config system fortiguard' on the FortiGate may look like the following example when configured for Unicast-based FortiGuard:

config system fortiguard
    set fortiguard-anycast disable
    set protocol https
    set port 8888
    set sdns-server-ip "208.91.112.220"
end

In the scenarios specified above, DNS Filtering (or rather the dnsproxy process on the FortiGate) will maintain a list of IP addresses pertaining to SDNS FortiGuard servers and use that list when sending out DNS Filter queries.

This aspect of the system is reasonably robust since the FortiGate can adjust the destination SDNS server based on its availability.

It is possible to view this list using the command 'diagnose test app dnsproxy 3':

[Image: DNS_Filter_1.png, output of 'diagnose test app dnsproxy 3' showing the list of SDNS servers]

To obtain this list, the FortiGate must first connect to any available SDNS FortiGuard server.

The dnsproxy process uses the sdns-server-ip setting to determine the first point of contact used when retrieving this list of Unicast SDNS servers, with 208.91.112.220 being the configured default for FortiOS.

However, if that single SDNS server is not working (i.e. 208.91.112.220 is unreachable or unresponsive), then the dnsproxy process will not be able to obtain the list of SDNS servers it needs for handling DNS Filter queries.

This results in DNS Filtering blocking all traffic unless 'Allow DNS requests when a rating error occurs' is enabled by the administrator in the DNS Filter profile.

To address this single point of failure, a second IP address belonging to a valid SDNS server can be appended to the configuration.

Any IP address present in the list of SDNS servers can be appended:

config system fortiguard
    set sdns-server-ip 208.91.112.220 173.243.138.81
end

OR, to add the address to the existing list without retyping it:

config system fortiguard
    append sdns-server-ip 173.243.138.81
end

The dnsproxy process will query all addresses configured under sdns-server-ip simultaneously when it needs to request or update the SDNS server list, and it will use the first response that it receives. This eliminates the single point of failure for DNS Filter operation (in this case, 208.91.112.220) and also greatly reduces the possibility of DNS Filter blocks due to 'no available Fortiguard SDNS servers'.
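As an added example (not part of this article or of FortiOS itself), the following Python check parses a FortiOS configuration backup and flags the single-point-of-failure condition described above: Unicast FortiGuard (fortiguard-anycast disabled) with only one sdns-server-ip entry. The sample configuration strings and function names are constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed sample: the Unicast configuration shown in the article,
# with a single SDNS bootstrap server (the single point of failure).
SINGLE_SDNS_CONFIG = """
config system fortiguard
    set fortiguard-anycast disable
    set protocol https
    set port 8888
    set sdns-server-ip "208.91.112.220"
end
"""

# Constructed sample after the fix: two SDNS bootstrap servers.
DUAL_SDNS_CONFIG = """
config system fortiguard
    set fortiguard-anycast disable
    set sdns-server-ip "208.91.112.220" "173.243.138.81"
end
"""

def parse_fortiguard_block(config_text: str) -> Dict[str, List[str]]:
    """Return the 'set' statements of 'config system fortiguard' as
    {setting: [values]}; values may be quoted or bare, and multi-value
    settings such as sdns-server-ip yield one entry per address."""
    block = re.search(r"^config system fortiguard\s*$(.*?)^end\s*$",
                      config_text, re.M | re.S)
    if not block:
        return {}
    settings: Dict[str, List[str]] = {}
    for line in block.group(1).splitlines():
        parts = line.strip().split(None, 2)
        if len(parts) == 3 and parts[0] == "set":
            pairs = re.findall(r'"([^"]*)"|(\S+)', parts[2])
            settings[parts[1]] = [quoted or bare for quoted, bare in pairs]
    return settings

def sdns_bootstrap_findings(config_text: str) -> List[str]:
    """Flag Unicast FortiGuard (anycast disabled) that relies on a single
    sdns-server-ip. An absent fortiguard-anycast line is assumed to mean
    the 6.4.3+ default (enabled), so the check does not apply there."""
    settings = parse_fortiguard_block(config_text)
    if settings.get("fortiguard-anycast", ["enable"]) != ["disable"]:
        return []
    servers = settings.get("sdns-server-ip", [])
    if len(servers) >= 2:
        return []
    return [f"single unicast SDNS bootstrap server configured: {servers}"]
```

Run it against a full configuration backup to find FortiGates that still depend on one bootstrap address before the next SDNS outage does.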

Note:

The status of FortiGuard SDNS Service can be checked using the following link:

Related documents:

FortiOS 7.0 New Features - DNS filter handled by IPS engine in flow mode

Technical Note: FortiGate Troubleshooting DNS commands

Comments
seshuganesh
Staff

It's very useful