Created on 11-17-2021 10:27 PM Edited on 11-28-2024 11:48 PM By Jean-Philippe_P
Description: This article describes the behaviour seen when the FortiGuard DNS server is used for domain name resolution and the authoritative DNS servers for a domain are not compliant with RFC 6891 (https://datatracker.ietf.org/doc/html/rfc6891): the query returns FORMERR or SERVFAIL, or times out.
Scope: FortiGuard Public DNS server.
Solution:
Some public DNS servers, such as the Google DNS server 8.8.8.8 or the Cloudflare DNS server, use a workaround to resolve domain names hosted on authoritative DNS servers that are not RFC 6891 compliant. The FortiGuard DNS server does not, so the same query fails through FortiGuard and succeeds through Google.
Sample DNS responses from the public FortiGuard DNS server and the Google DNS server for such a domain:
FortiGuard (Not resolved):
dig <DomainNameNotCompliantwithRFC6891> @208.91.112.52
<Truncated>
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 49963 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
<Truncated>
Google (Resolved):
dig <DomainNameNotCompliantwithRFC6891> @8.8.8.8
<Truncated>
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14604 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
<Truncated>
;; ANSWER SECTION: <DomainNameNotCompliantwithRFC6891> 3600 IN A @ip
<Truncated>
To check whether the authoritative DNS servers for the domain name are compliant with RFC 6891 (EDNS), go to the website:
To check whether the remote authoritative servers are not EDNS-compliant:
To fix the issue: update the DNS software on the authoritative DNS servers that are not RFC 6891 compliant, or use Google DNS.
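The check described above can also be reproduced locally. The following is an added example, not Fortinet's code and not the tool behind the website referenced in this article. It builds two DNS queries for the same name, one carrying an EDNS0 OPT record (RFC 6891) and one without, and classifies the authoritative server's replies: a compliant server answers the EDNS query with NOERROR and echoes an OPT record, while a non-compliant one typically answers FORMERR, SERVFAIL or NOTIMP, drops the query (timeout), or omits the OPT record. The domain name example.test, the IP 192.0.2.1 and the replies produced by make_reply() are constructed so the classification runs offline; probe() sends real UDP queries on port 53 and is only for running by hand.

```python
"""Added example (not from the article): EDNS (RFC 6891) compliance check."""
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
TYPE_OPT = 41  # OPT pseudo-RR type defined by RFC 6891


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels ending in a root byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, edns=True, txn_id=0x1234):
    """Build a recursion-desired A query; append an OPT RR when edns is True."""
    # header: id, flags (RD), QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (1 if OPT present)
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 1 if edns else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    opt = b""
    if edns:
        # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags, RDLEN 0
        opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0, 0)
    return header + question + opt


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer occupies two bytes
            return off + 2
        off += 1 + length


def parse_response(msg):
    """Extract RCODE, answer count and whether an OPT RR is present."""
    txn_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    has_opt = False
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            has_opt = True
    return {"id": txn_id, "rcode": RCODES.get(flags & 0x0F, str(flags & 0x0F)),
            "answers": an, "has_opt": has_opt}


def classify(edns_reply, plain_reply):
    """Classify a server from its replies (raw bytes, or None for a timeout)."""
    if plain_reply is None or parse_response(plain_reply)["rcode"] != "NOERROR":
        return "server unreachable or broken even without EDNS"
    if edns_reply is None:
        return "non-compliant: EDNS query timed out"
    r = parse_response(edns_reply)
    if r["rcode"] in ("FORMERR", "SERVFAIL", "NOTIMP"):
        return f"non-compliant: {r['rcode']} on EDNS query"
    if not r["has_opt"]:
        return "non-compliant: OPT record not echoed"
    return "compliant"


def make_reply(name, rcode, with_opt, ip=None, txn_id=0x1234):
    """Constructed reply for offline testing: flags QR|RD|RA plus the given RCODE."""
    header = struct.pack("!HHHHHH", txn_id, 0x8180 | rcode, 1, 1 if ip else 0, 0, 1 if with_opt else 0)
    msg = header + encode_name(name) + struct.pack("!HH", 1, 1)
    if ip:  # A record whose owner name points back at the question (0xC00C)
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes(int(x) for x in ip.split("."))
    if with_opt:
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0, 0)
    return msg


def probe(server, name, timeout=3.0):
    """Send the EDNS and plain queries to an authoritative server and classify it."""
    replies = []
    for edns in (True, False):
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name, edns=edns), (server, 53))
            replies.append(s.recvfrom(4096)[0])
        except socket.timeout:
            replies.append(None)
        finally:
            s.close()
    return classify(replies[0], replies[1])


if __name__ == "__main__":
    ok = make_reply("example.test", 0, False, "192.0.2.1")
    print(classify(make_reply("example.test", 2, False), ok))  # SERVFAIL case from the article
    print(classify(make_reply("example.test", 0, True, "192.0.2.1"), ok))
```

The plain query is sent first as a control: if the server cannot answer even without EDNS, the problem is not RFC 6891 compliance. Run probe() against each authoritative server listed in the domain's NS records, since one non-compliant server in the set is enough to produce intermittent SERVFAIL through a resolver that does not retry without EDNS.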