FortiGate
Article Id 198910
Description

This article describes using the FortiGuard DNS server for domain name resolution when the authoritative DNS servers for a domain are not compliant with RFC 6891 (https://datatracker.ietf.org/doc/html/rfc6891): such servers answer with FORMERR or SERVFAIL, or the query times out.

Scope

FortiGuard Public DNS server.
Solution

Sample DNS response from the FortiGuard DNS server:

[Image: dns-png.png]

Some public DNS servers, such as the Google DNS server 8.8.8.8 or the Cloudflare DNS server, use a workaround to resolve domain names hosted on authoritative DNS servers that are not RFC 6891 compliant.

DNS resolution example with the public FortiGuard DNS server and Google DNS:

FortiGuard (not resolved):

dig <DomainNameNotCompliantwithRFC6891> @208.91.112.52

<Truncated>
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 49963
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
<Truncated>

Google (resolved):

dig <DomainNameNotCompliantwithRFC6891> @8.8.8.8

<Truncated>
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14604
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
<Truncated>
;; ANSWER SECTION:
<DomainNameNotCompliantwithRFC6891>               3600    IN      A       @ip
<Truncated>


To check whether the authoritative DNS server for the domain name is compliant with RFC 6891, go to the website:

DNS flag day 2020

To check whether the remote authoritative servers are EDNS-compliant:

EDNS Compliance Tester

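As an added check, not part of this article and not a Fortinet tool, the Python script below does in simplified form what the linked compliance tester does: it sends the same A query to an authoritative server twice, once without and once with an EDNS(0) OPT record (RFC 6891), and classifies the pair of replies. A server that answers the plain query but returns FORMERR or SERVFAIL, or does not answer at all, once the OPT record is present is the case shown in the dig output above. The sample replies, the domain example.test, the address 192.0.2.1 and all function names are constructed for offline demonstration; probe() runs the live check against the server address you pass it.

```python
import socket
import struct

# Hypothetical domain used only in the constructed samples below; no real host.
SAMPLE_NAME = "example.test"
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED"}
# OPT pseudo-RR: root name, TYPE 41, UDP payload size 4096, ext-rcode/version/flags 0, RDLEN 0
EDNS_OPT = b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0)


def _encode_name(name):
    """Wire-format a dotted name as length-prefixed labels ending in the root label."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def _skip_name(data, off):
    """Return the offset just past a (possibly compressed) name starting at off."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def build_query(name, qid=0x1234, edns=True):
    """A-record query; with edns=True an EDNS(0) OPT record is appended."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if edns else 0)  # RD set
    question = _encode_name(name) + struct.pack("!HH", 1, 1)                 # TYPE A, CLASS IN
    return header + question + (EDNS_OPT if edns else b"")


def build_response(qid, rcode, name, answer_ip=None, edns=True):
    """Constructed sample reply (not real server output) used for offline testing."""
    flags = 0x8180 | rcode                                  # QR, RD, RA + rcode
    ancount, arcount = (1 if answer_ip else 0), (1 if edns else 0)
    pkt = struct.pack("!HHHHHH", qid, flags, 1, ancount, 0, arcount)
    pkt += _encode_name(name) + struct.pack("!HH", 1, 1)
    if answer_ip:   # answer: pointer to the question name, A/IN, TTL 3600, 4-byte RDATA
        pkt += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + socket.inet_aton(answer_ip)
    return pkt + (EDNS_OPT if edns else b"")


def parse_response(data):
    """Extract rcode, answer count and whether an OPT record is present in the reply."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):                      # question: name + TYPE + CLASS
        off = _skip_name(data, off) + 4
    has_opt = False
    for _ in range(an + ns + ar):            # answer, authority and additional records
        off = _skip_name(data, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10 + rdlen
        has_opt = has_opt or rtype == 41
    return {"id": qid, "rcode": RCODE_NAMES.get(flags & 0xF, str(flags & 0xF)),
            "answers": an, "has_opt": has_opt}


def edns_verdict(plain_resp, edns_resp):
    """Compare the reply to a plain query with the reply to the same query carrying OPT."""
    if plain_resp is None:
        return "unreachable"                 # no reply even without EDNS: not an EDNS problem
    if edns_resp is None:
        return "noncompliant-timeout"        # the EDNS query is silently dropped
    plain, edns = parse_response(plain_resp), parse_response(edns_resp)
    if plain["rcode"] == "NOERROR" and edns["rcode"] in ("FORMERR", "SERVFAIL"):
        return "noncompliant-" + edns["rcode"].lower()
    if edns["rcode"] == "NOERROR" and not edns["has_opt"]:
        return "noncompliant-opt-ignored"    # answers, but RFC 6891 requires an OPT in the reply
    return "compliant"


def query_udp(server, packet, timeout=3.0):
    """Send one UDP query to port 53; returns the reply bytes or None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, 53))
        try:
            return sock.recvfrom(4096)[0]
        except socket.timeout:
            return None


def probe(server, name):
    """Live two-query check against the authoritative server address given."""
    return edns_verdict(query_udp(server, build_query(name, edns=False)),
                        query_udp(server, build_query(name, edns=True)))


if __name__ == "__main__":
    # Offline demonstration with constructed replies: a legacy server that answers the
    # plain query but returns SERVFAIL once OPT is present, versus a compliant server.
    ok_plain = build_response(0x1234, 0, SAMPLE_NAME, "192.0.2.1", edns=False)
    legacy_edns = build_response(0x1234, 2, SAMPLE_NAME, edns=False)
    ok_edns = build_response(0x1234, 0, SAMPLE_NAME, "192.0.2.1", edns=True)
    print("legacy server:", edns_verdict(ok_plain, legacy_edns))      # noncompliant-servfail
    print("compliant server:", edns_verdict(ok_plain, ok_edns))        # compliant
```

The verdict distinguishes the failure modes the article lists (FORMERR, SERVFAIL, timeout) from a server that is simply unreachable, so a timeout is only attributed to EDNS when the plain query succeeded. A public resolver that applies a workaround effectively performs the same fallback; the FortiGuard resolver does not, which is why the dig output above shows SERVFAIL from it.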

Workaround:

Configure DNS forwarding for the domain to use Google DNS:

 

config system dns-database
     edit "<DomainNameNotCompliantwithRFC6891>"
         set domain "<DomainNameNotCompliantwithRFC6891>"
         set authoritative disable
         set forwarder "8.8.8.8"
     next
end

For more information about DNS conditional forwarding, see: Technical Tip: DNS conditional forwarding


To fix the issue, update the DNS software on the authoritative DNS servers that are not RFC 6891 compliant, or use Google DNS as shown in the workaround above.