Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
navellano
Staff
Staff

Created on ‎09-26-2022 06:23 AM Edited on ‎09-16-2024 12:04 AM By Community Manager

Article Id 224872

Troubleshooting Tip: DNS rating error occurs (no available FortiGuard SDNS servers)

Description This article describes the basic troubleshooting when  a DNS rating error is encountered (no available FortiGuard SDNS servers).
Scope FortiGate v6.0 and above.
Solution

SDNS servers are DNS servers used by DNS filter profiles. The DNS lookup requests will be sent to the FortiGuard DNS service and resolve end-user queries with an IP address and a domain rating that includes the FortiGuard category of the web page.

 

The SDNS server IP address might be different depending on location.  

 

The default FortiDNS server is located in the USA (IP address: 208.91.112.220), and the in the London server, UK (IP address: 194.69.172.53).

 

Follow the steps below  the DNS rating error is appaearing (no available FortiGuard SDNS servers):

 

By default, FortiGate uses UDP port 53 to connect to the SDNS server.

 

  1. Verify the connection between FortiGate and the SDNS server:
  • Run below command to verify the FortiGuard SDNS server.

 

diagnose test application dnsproxy 3

 

  • From the output of the above command, check the FGD_DNS_SERVICE_LICENSE line.The SDNS server IP address might be different depending on location.

In this example, it is:

 

navellano_0-1664197811021.png

 

  • Verify the communication between the FortiGate and the SDNS server.

 

In the CLI Console:

 

execute ping 208.91.112.220

 

navellano_1-1664197811025.png

 

Note:

If VDOM is enabled, run the command under management VDOM.

 

  1. Modify the FortiGuard setting through CLI console:

 

 

config system fortiguard
    set fortiguard-anycast disable
    set protocol udp
    set port 8888
    set sdns-server-ip 208.91.112.220 173.243.140.53 210.7.96.53

 

navellano_2-1664197811027.png

 

The North American server should work in most cases.

However, it is possible to switch to the European server (IP address: 194.69.172.53) to see if it improves latency.

 

This command can be used to check the DNS proxy status. Use '?' to list down the Test level.

 

diagnose test application dnsproxy ?

  1. Clear DNS cache
  2. Show stats
  3. Dump DNS setting
  4. Reload FQDN
  5. Requery FQDN
  6. Dump FQDN
  7. Dump DNS cache
  8. Dump DNS DB
  9. Reload DNS DB
  10. Dump secure DNS policy/profile
  11. Dump Botnet domain
  12. Reload Secure DNS setting
  13. Show Hostname cache
  14. Clear Hostname cache
  15. Show SDNS rating cache
  16. Clear SDNS rating cache
  17. DNS debug bit mask
  18. Restart dnsproxy worker

 

Related documents:

Troubleshooting for DNS filter

(Optional) Changing the FortiDNS server and port
17915
Suggest New Article
Article Feedback
Comments
janonuevo
Staff
Staff
‎10-18-2022 03:59 PM

This is very informative and helpful. Kudos to the Author!

Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.