FortiGate
sagha (Staff)
Article Id 197991
Description
This article describes a scenario where an SD-WAN rule for locally generated DNS traffic is configured with a source address: the traffic will not match the SD-WAN rule unless 'source-ip' is defined under 'config system dns'.
Alternatively, the source address can be removed from the SD-WAN rule so that the DNS traffic matches it.
Scope
For version 6.2.4 and onward.

Solution
Configuration.
# config system virtual-wan-link
    set status enable
    # config members
        edit 1
            set interface "wan1"
            set gateway 10.191.19.1
        next
        edit 2
            set interface "wan2"
            set gateway 10.191.35.1
        next
    end
    # config service
        edit 2
            set name "dns"
            set mode sla
            set dst "all"
            set src "10.191.35.75" "10.191.19.75"
            # config sla
                edit "internet"
                    set id 1
                next
            end
            set priority-members 2 1
        next
    end
end
DNS Configuration.
# config system dns
    set primary 208.91.112.52
    set interface-select-method sdwan
end

With the new command introduced in v6.2.4, a method can be selected for locally originated traffic.
It can be SD-WAN, auto or a specific interface (see the related article).
With interface-select-method set to sdwan under the DNS configuration, the traffic has to match an SD-WAN rule.
However, since there is no source-ip defined under 'config system dns', it will not match.
# diagnose firewall proute list
list route policy info(vf=root):
id=0x7f060001 vwl_service=1(DNS) vwl_mbr_seq=1 2 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0:65535 iif=0 dport=1-65535 oif=11 oif=7
source(2): 10.191.35.75-10.191.35.75 10.191.19.75-10.191.19.75
destination(1): 208.91.112.52-208.91.112.52
hit_count=0 last_used=2020-07-03 15:45:15
Note.
If no 'source-ip' is defined under 'config system dns' when the SD-WAN rule is evaluated, DNS does not know which source address to use; the 'source-ip' field is 0 and therefore does not match that rule.

Solution.

1) Configure 'source-ip' under 'config system dns' and use that address as the source in the SD-WAN rule.

## DNS config: ##
# config system dns
    set primary 208.91.112.52
    set source-ip 10.191.19.75
    set interface-select-method sdwan
end
## SD-WAN config ##
# config system virtual-wan-link
# config service
    edit 2
        set name "dns"
        set mode sla
        set dst "all"               <----- Destination as all.
        set src "10.191.19.75"      <----- Define source.
    next
end
end
# diagnose firewall proute list
list route policy info(vf=root):

id=0x7f080001 vwl_service=1(DNS) vwl_mbr_seq=1 2 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0:65535 iif=0 dport=1-65535 oif=11 oif=7
source(2): 10.191.19.75-10.191.19.75
destination(1): 0.0.0.0-255.255.255.255 
hit_count=15 last_used=2020-07-09 09:52:01
This is not an ideal solution in scenarios where the configuration has multiple SD-WAN interfaces and a dynamic DNS 'source-ip' selection is required. 

2) Avoid using a source in the SD-WAN rule and use the destination instead, with the IP of the DNS server.

## SD-WAN config ##
# config system virtual-wan-link
# config service
    edit 2
        set name "dns"
        set mode sla
        set dst "208.91.112.52"     <----- Define DNS server here.
        set src "all"               <----- Configure source as all.
    next
end
end
The traffic will then match the SD-WAN rule.
# diagnose firewall proute list
list route policy info(vf=root):
id=0x7f070001 vwl_service=1(DNS) vwl_mbr_seq=1 2 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0:65535 iif=0 dport=1-65535 oif=11 oif=7
source(1): 0.0.0.0-255.255.255.255  <---- Source removed.
destination(1): 208.91.112.52-208.91.112.52
hit_count=2 last_used=2020-07-03 15:47:14
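As an added example (not Fortinet's code), the following Python parses the `diagnose firewall proute list` entries quoted in this article and simulates the rule lookup for the unit's own DNS query in each of the three configurations above, so the effect of an unset 'source-ip' can be checked without a unit. It assumes only what the note above states: when 'source-ip' is not set, the lookup sees source address 0 (0.0.0.0). The three sample outputs are constructed from the article's diagnose listings; `parse_proute`, `matches`, `select_route` and `local_dns_source` are names chosen here.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

Range = Tuple[int, int]  # inclusive (low, high), used for both addresses and ports


@dataclass
class PolicyRoute:
    """One entry of `diagnose firewall proute list`."""
    route_id: str
    service: str
    protocol: int                 # 0 means any protocol
    dport: Range
    sources: List[Range] = field(default_factory=list)
    destinations: List[Range] = field(default_factory=list)
    hit_count: int = 0


_IP_RANGE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})-(\d{1,3}(?:\.\d{1,3}){3})")


def _ip_ranges(text: str) -> List[Range]:
    return [(int(ipaddress.IPv4Address(lo)), int(ipaddress.IPv4Address(hi)))
            for lo, hi in _IP_RANGE.findall(text)]


def parse_proute(output: str) -> List[PolicyRoute]:
    """Parse the id/source/destination/hit_count lines of the diagnose output."""
    routes: List[PolicyRoute] = []
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("id="):
            kv = dict(re.findall(r"(\w+)=(\S+)", line))
            lo, hi = kv["dport"].split("-")
            svc = re.search(r"\((\w+)\)", kv.get("vwl_service", ""))
            routes.append(PolicyRoute(route_id=kv["id"],
                                      service=svc.group(1) if svc else "",
                                      protocol=int(kv["protocol"]),
                                      dport=(int(lo), int(hi))))
        elif line.startswith("source("):
            routes[-1].sources = _ip_ranges(line)
        elif line.startswith("destination("):
            routes[-1].destinations = _ip_ranges(line)
        elif line.startswith("hit_count="):
            routes[-1].hit_count = int(line.split()[0].split("=")[1])
    return routes


def local_dns_source(dns_source_ip: Optional[str]) -> str:
    """Source address the rule lookup sees for the unit's own DNS queries: the
    configured 'source-ip', or 0.0.0.0 when none is set (assumption taken from
    the article's note that the field is 0 in that case)."""
    return dns_source_ip or "0.0.0.0"


def matches(route: PolicyRoute, src: str, dst: str,
            protocol: int = 17, dport: int = 53) -> bool:
    """True if a packet src -> dst (UDP/53 by default) fits every field of the entry."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    if route.protocol not in (0, protocol) or not route.dport[0] <= dport <= route.dport[1]:
        return False
    return (any(lo <= s <= hi for lo, hi in route.sources)
            and any(lo <= d <= hi for lo, hi in route.destinations))


def select_route(routes: List[PolicyRoute], src: str, dst: str) -> Optional[PolicyRoute]:
    """First matching entry in list order, or None (the query then follows the routing table)."""
    return next((r for r in routes if matches(r, src, dst)), None)


# Constructed samples: the three diagnose outputs shown in the article.
ORIGINAL_RULE = """list route policy info(vf=root):
id=0x7f060001 vwl_service=1(DNS) vwl_mbr_seq=1 2 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0:65535 iif=0 dport=1-65535 oif=11 oif=7
source(2): 10.191.35.75-10.191.35.75 10.191.19.75-10.191.19.75
destination(1): 208.91.112.52-208.91.112.52
hit_count=0 last_used=2020-07-03 15:45:15
"""
FIX_SOURCE_IP = """list route policy info(vf=root):
id=0x7f080001 vwl_service=1(DNS) vwl_mbr_seq=1 2 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0:65535 iif=0 dport=1-65535 oif=11 oif=7
source(2): 10.191.19.75-10.191.19.75
destination(1): 0.0.0.0-255.255.255.255
hit_count=15 last_used=2020-07-09 09:52:01
"""
FIX_DESTINATION = """list route policy info(vf=root):
id=0x7f070001 vwl_service=1(DNS) vwl_mbr_seq=1 2 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0:65535 iif=0 dport=1-65535 oif=11 oif=7
source(1): 0.0.0.0-255.255.255.255
destination(1): 208.91.112.52-208.91.112.52
hit_count=2 last_used=2020-07-03 15:47:14
"""

if __name__ == "__main__":
    dns_server = "208.91.112.52"
    cases = [("src-based rule, no source-ip", ORIGINAL_RULE, None),
             ("src-based rule, source-ip set", ORIGINAL_RULE, "10.191.19.75"),
             ("fix 1: source-ip + src in rule", FIX_SOURCE_IP, "10.191.19.75"),
             ("fix 2: dst = DNS server, src all", FIX_DESTINATION, None)]
    for label, output, source_ip in cases:
        hit = select_route(parse_proute(output), local_dns_source(source_ip), dns_server)
        print(f"{label}: {'matches ' + hit.route_id if hit else 'no match'}")
```

Run directly, it prints the four cases: the original rule misses when the source is 0.0.0.0 and matches once 'source-ip' is set, and both fixes match. The drawback of fix 1 mentioned above also shows up: with only 10.191.19.75 in the rule, a query sourced from 10.191.35.75 would not match.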
Related document.

https://docs.fortinet.com/document/fortigate/6.2.4/cli-reference/27620/system-dns


Related Articles

Technical Tip: Functionality of 'set interface-select-method' for local-traffic with SD-WAN