| Description | This article describes how to verify the unusual FQDN query from FortiGate. |
| Scope | FortiGate v7.2. |
| Solution |
An IPS device upstream of the FortiGate reported that the FortiGate's WAN interface IP address had sent DNS queries for a malware FQDN to the DNS server.
By design, the client-side traffic flow does not use source NAT to translate to the WAN IP address, so DNS queries from clients reach the DNS server with their original source IP address. The queries seen from the WAN IP address therefore did not originate from a client.
Searching the address objects for the malware FQDN showed that an operator had created it as an FQDN address object for use in a deny policy rule.
The FortiGate automatically maintains a cached record of the IP addresses resolved by DNS for every configured FQDN address object and keeps that cache current by re-resolving the name. This is why the FortiGate itself was sending frequent DNS queries for the configured malware FQDN.
To verify the configured FQDN addresses and their resolved IPs from the CLI, use the following command (dia is the abbreviated form of diagnose):
dia firewall fqdn list
In a case like this, an external resource (a domain name threat feed used by a DNS filter) is a better way to deny malware connections from the client side, since it does not require FQDN address objects that the FortiGate keeps resolving.
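The triage logic described above, as an added example that is not part of the original article: given DNS query logs, it separates lookups that the FortiGate itself performs to refresh a configured FQDN address object from lookups that a client actually made for the same name. The log format, the WAN IP address 203.0.113.10 and the address object malware.example.net are constructed for the example; in practice the interface IPs and the object list come from the firewall configuration and the output of dia firewall fqdn list.

```python
import re
from collections import defaultdict

# Constructed values for this example (not from the article): the FortiGate
# WAN interface IP and one FQDN address object an operator created for a deny
# policy. Take both from the real firewall configuration in practice.
FIREWALL_INTERFACE_IPS = {"203.0.113.10"}
FQDN_ADDRESS_OBJECTS = {"malware.example.net": "deny-malware-fqdn"}

# Simplified DNS query log format assumed for this example (not a FortiOS log
# format): "<timestamp> src=<ip> dst=<ip> qtype=<type> qname=<name>".
DNS_LOG_RE = re.compile(
    r"src=(?P<src>\S+)\s+dst=\S+\s+qtype=(?P<qtype>\S+)\s+qname=(?P<qname>\S+)"
)

# Constructed sample log lines: two firewall-originated refresh lookups, one
# unrelated firewall lookup, one client lookup for the blocked name, one
# ordinary client lookup.
SAMPLE_DNS_LOG = [
    "2025-01-10T08:00:01Z src=203.0.113.10 dst=198.51.100.53 qtype=A qname=malware.example.net.",
    "2025-01-10T08:00:31Z src=203.0.113.10 dst=198.51.100.53 qtype=A qname=malware.example.net.",
    "2025-01-10T08:00:45Z src=203.0.113.10 dst=198.51.100.53 qtype=A qname=update.example.com.",
    "2025-01-10T08:01:02Z src=10.1.1.25 dst=198.51.100.53 qtype=A qname=MALWARE.example.net",
    "2025-01-10T08:01:10Z src=10.1.1.40 dst=198.51.100.53 qtype=AAAA qname=www.example.org.",
]


def normalize_name(qname):
    """Lower-case and strip the trailing dot so names compare with address objects."""
    return qname.rstrip(".").lower()


def classify(src, qname, firewall_ips=FIREWALL_INTERFACE_IPS,
             fqdn_objects=FQDN_ADDRESS_OBJECTS):
    """Return a verdict for one query based on who asked and what was asked.

    firewall-fqdn-object-refresh: the firewall re-resolving a configured FQDN
        address object (the benign cause described in the article).
    firewall-self-query: the firewall resolving a name that is not an address
        object (FortiGuard, NTP, etc.); review separately.
    client-query-configured-fqdn: a client actually trying to reach the
        blocked name; this is the case that warrants an investigation.
    client-query: an ordinary client lookup.
    """
    name = normalize_name(qname)
    from_firewall = src in firewall_ips
    configured = name in fqdn_objects
    if from_firewall and configured:
        return "firewall-fqdn-object-refresh"
    if from_firewall:
        return "firewall-self-query"
    if configured:
        return "client-query-configured-fqdn"
    return "client-query"


def triage(log_lines, firewall_ips=FIREWALL_INTERFACE_IPS,
           fqdn_objects=FQDN_ADDRESS_OBJECTS):
    """Group log lines by verdict; lines that do not parse are kept under 'unparsed'."""
    buckets = defaultdict(list)
    for line in log_lines:
        match = DNS_LOG_RE.search(line)
        if not match:
            buckets["unparsed"].append(line)
            continue
        verdict = classify(match["src"], match["qname"], firewall_ips, fqdn_objects)
        buckets[verdict].append((match["src"], normalize_name(match["qname"])))
    return dict(buckets)


if __name__ == "__main__":
    for verdict, entries in triage(SAMPLE_DNS_LOG).items():
        print(verdict)
        for src, name in entries:
            print(f"  {src} -> {name}")
```

The count of firewall-fqdn-object-refresh entries per name can be compared against the objects listed by dia firewall fqdn list; a match confirms the article's explanation, while any client-query-configured-fqdn entry is a host that should be looked at, regardless of the firewall's own lookups.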
Related documents: https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/707266/fqdn-addresses |
Copyright 2025 Fortinet, Inc. All Rights Reserved.