Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
navellano
Staff
Staff

Created on ‎09-26-2022 06:23 AM Edited on ‎01-14-2025 06:20 AM By Moderator

Article Id 224872

Troubleshooting Tip: DNS rating error occurs (no available FortiGuard SDNS servers)

Description This article describes the basic troubleshooting when a DNS rating error is encountered (no available FortiGuard SDNS servers).
Scope FortiGate v6.0 and above.
Solution

SDNS servers are DNS servers used by DNS filter profiles. The DNS lookup requests will be sent to the FortiGuard DNS service and resolve end-user queries with an IP address and a domain rating that includes the FortiGuard category of the web page.

 

The SDNS server IP address might be different depending on location.  

 

The default FortiDNS server is located in the USA (IP address: 208.91.112.220), and the in the London server, UK (IP address: 194.69.172.53).

 

Follow the steps below  the DNS rating error is appearing (no available FortiGuard SDNS servers):

 

By default, FortiGate uses UDP port 53 to connect to the SDNS server.

 

  1. Verify license validity and the connection between FortiGate and the SDNS server :
  • Run the below command to verify the FortiGuard SDNS server.

 

diagnose test application dnsproxy 3

 

  • From the output of the above command, check the FGD_DNS_SERVICE_LICENSE line. The SDNS server IP address might be different depending on location.

 

In this example, it is:

 

navellano_0-1664197811021.png

 

  • Verify the communication between the FortiGate and the SDNS server.

 

Note:
Make sure the license is valid and not expired. The parameter 'expired' reflects the license status. 0 means that the license is valid and 1 means that the license is invalid.

Screenshot 2025-01-10 131935.png
In case of a valid license but not reflecting correctly on FortiGate GUI, follow this document Troubleshooting Tip: License not reflected in the GUI.

In the CLI Console:

 

execute ping 208.91.112.220

 

navellano_1-1664197811025.png

 

Note:

If VDOM is enabled, run the command under management VDOM.

 

  1. Modify the FortiGuard setting through CLI console:

 

config system fortiguard
    set fortiguard-anycast disable
    set protocol udp
    set port 8888
    set sdns-server-ip 208.91.112.220 173.243.140.53 210.7.96.53

 

navellano_2-1664197811027.png

 

The North American server should work in most cases.

However, it is possible to switch to the European server (IP address: 194.69.172.53) to see if it improves latency.

 

This command can be used to check the DNS proxy status. Use '?' to list down the Test level.

 

diagnose test application dnsproxy ?

1. Clear DNS cache

2. Show stats

3. Dump DNS setting

4. Reload FQDN

5. Requery FQDN

6. Dump FQDN

7. Dump DNS cache

8. Dump DNS DB

9. Reload DNS DB

10. Dump secure DNS policy/profile

11. Dump Botnet domain

12. Reload Secure DNS setting

13. Show Hostname cache

14. Clear Hostname cache

15. Show SDNS rating cache

16. Clear SDNS rating cache

17. DNS debug bit mask

18. Restart dnsproxy worker

 

Related documents:

Troubleshooting for DNS filter

(Optional) Changing the FortiDNS server and port
20092
Suggest New Article
Article Feedback
Comments
janonuevo
Staff
Staff
‎10-18-2022 03:59 PM

This is very informative and helpful. Kudos to the Author!

Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.