FortiGate
Article Id 198910
Description

This article describes why, when the FortiGuard DNS server is used for domain name resolution, names hosted on authoritative DNS servers that are not compliant with RFC 6891 (EDNS(0), https://datatracker.ietf.org/doc/html/rfc6891) fail to resolve: the query returns FORMERR or SERVFAIL, or times out.

Scope

FortiGuard Public DNS server.
Solution

Sample DNS response from the FortiGuard DNS server:

[Figure: dns-png.png, screenshot of the FortiGuard DNS response]

Some public DNS servers, such as Google DNS (8.8.8.8) or Cloudflare DNS, use a workaround (typically retrying the query without the EDNS OPT record) to resolve domain names hosted on authoritative DNS servers that are not RFC 6891 compliant. The FortiGuard DNS server does not, so it passes the upstream failure back to the client as SERVFAIL.

 

DNS resolution example with the public FortiGuard DNS server and Google DNS:

FortiGuard (not resolved):

dig <DomainNameNotCompliantwithRFC6891> @208.91.112.52

<Truncated>

;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 49963
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

<Truncated>

Google (resolved):

dig <DomainNameNotCompliantwithRFC6891> @8.8.8.8

<Truncated>

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14604
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

<Truncated>

;; ANSWER SECTION:
<DomainNameNotCompliantwithRFC6891>               3600    IN      A       @ip

<Truncated>

Note that ADDITIONAL: 1 in both replies is the EDNS OPT pseudosection exchanged between dig and the recursive resolver; the failure happens on the other leg, between the resolver and the authoritative server, which is why the client only ever sees SERVFAIL.

 

To check whether the authoritative DNS servers for the domain name are compliant with RFC 6891, use the DNS flag day 2020 site (https://dnsflagday.net/2020/).

To test the remote authoritative servers directly for EDNS compliance, use the ISC EDNS Compliance Tester (https://ednscomp.isc.org/).

 

To fix the issue, update the DNS software on the authoritative DNS servers that are not RFC 6891 compliant; this is the domain owner's side to fix, not the resolver's. As a client-side workaround, use a resolver such as Google DNS that retries non-compliant servers without EDNS.
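The two behaviours above (the compliance check that the EDNS Compliance Tester performs, and the retry-without-EDNS workaround the article attributes to Google DNS), as an added example that is not part of the original article and is not Fortinet or ISC code: a small Python script that builds a DNS query with and without the RFC 6891 OPT record, classifies an authoritative server's reaction (FORMERR/NOTIMP, a dropped query, or a reply with no OPT record all count as non-compliant), and implements the resolver-side fallback. The name example.test, the address 192.0.2.1 and the fake_authoritative() stand-in are constructed for the demonstration so it runs offline; udp_exchange() talks to a real server on UDP/53 if you point it at one.

```python
import random
import socket
import struct

# RCODE names from RFC 1035; FORMERR/NOTIMP are the classic pre-EDNS failure modes
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
OPT_TYPE = 41  # RFC 6891 OPT pseudo-RR


def build_query(name, qtype=1, edns=True, udp_size=1232, txid=None):
    """Build a UDP DNS query; with edns=True append an OPT record (RFC 6891, version 0)."""
    txid = random.getrandbits(16) if txid is None else txid
    arcount = 1 if edns else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD set, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # class IN
    # OPT: NAME=root, TYPE=41, CLASS=requestor UDP payload size, TTL=ext-RCODE/version/flags, RDLEN=0
    opt = (b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, 0, 0)) if edns else b""
    return header + question + opt


def skip_name(data, off):
    """Return the offset just past a (possibly compressed) domain name starting at off."""
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length


def parse_response(data):
    """Summarise a reply: RCODE, answer count, A records, and whether an OPT record came back."""
    txid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", data, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(data, off) + 4  # skip QTYPE/QCLASS
    addrs, has_opt = [], False
    for _ in range(an + ns + ar):
        off = skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", data, off)
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in data[off:off + 4]))
        has_opt = has_opt or rtype == OPT_TYPE
        off += rdlen
    return {"id": txid, "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
            "answers": an, "addrs": addrs, "has_opt": has_opt}


def udp_exchange(server, packet, timeout=3.0):
    """Send one UDP query to server:53; return the raw reply, or None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (server, 53))
        try:
            return s.recv(4096)
        except socket.timeout:
            return None


def classify_edns(name, exchange):
    """Compare a plain query with an EDNS query to one server; exchange(packet) -> bytes or None."""
    if exchange(build_query(name, edns=False)) is None:
        return "unreachable: even the plain query timed out"
    edns_raw = exchange(build_query(name, edns=True))
    if edns_raw is None:
        return "non-compliant: EDNS query dropped (timeout)"
    edns = parse_response(edns_raw)
    if edns["rcode"] in ("FORMERR", "NOTIMP"):
        return f"non-compliant: {edns['rcode']} on EDNS query"
    if not edns["has_opt"]:
        return "non-compliant: OPT record not echoed in reply"
    return "compliant"


def resolve_with_fallback(name, exchange):
    """Resolver-side workaround: try EDNS first, retry without OPT if the server chokes on it."""
    raw = exchange(build_query(name, edns=True))
    parsed = parse_response(raw) if raw else None
    if parsed is None or parsed["rcode"] in ("FORMERR", "NOTIMP"):
        raw = exchange(build_query(name, edns=False))
        parsed = parse_response(raw) if raw else {"rcode": "SERVFAIL", "addrs": []}
    return parsed["rcode"], parsed["addrs"]


def fake_authoritative(compliant):
    """Constructed stand-in for an authoritative server (no real server is contacted).
    The non-compliant variant answers FORMERR to anything that carries an OPT record."""
    def exchange(query):
        txid, _flags, _qd, _an, _ns, ar = struct.unpack_from("!HHHHHH", query, 0)
        question = query[12:skip_name(query, 12) + 4]
        if ar and not compliant:
            return struct.pack("!HHHHHH", txid, 0x8401, 1, 0, 0, 0) + question  # QR|AA, RCODE=FORMERR
        a_rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([192, 0, 2, 1])  # constructed A
        opt = (b"\x00" + struct.pack("!HHIH", OPT_TYPE, 1232, 0, 0)) if ar else b""
        return struct.pack("!HHHHHH", txid, 0x8400, 1, 1, 0, 1 if ar else 0) + question + a_rr + opt
    return exchange


if __name__ == "__main__":
    for label, srv in (("compliant", fake_authoritative(True)), ("broken", fake_authoritative(False))):
        print(label, classify_edns("example.test.", srv), resolve_with_fallback("example.test.", srv))
```

To probe a real authoritative server, pass a transport bound to it, for example classify_edns("www.example.com", lambda p: udp_exchange("198.51.100.1", p)) with the server's actual address in place of the TEST-NET placeholder. The "broken" stand-in reproduces what the FortiGuard resolver runs into: the EDNS query gets FORMERR, and a resolver that does not fall back has nothing to return to the client but SERVFAIL, while resolve_with_fallback() still obtains the A record.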