FortiGate
saleha
Staff & Editor
Article Id 381644
Description This article describes how to troubleshoot and resolve an issue where traffic destined to an unqualified hostname fails while the same traffic destined to the Fully Qualified Domain Name (FQDN) works as expected. The lab example in this article uses FortiGate as both the DHCP server and the DNS database server for demonstration purposes; the underlying network concept is not vendor-specific.
Scope FortiGate - FortiOS.
Solution

The following screenshot shows that the ECHO requests receive a reply when the target is the FQDN, while the same request fails with a name-resolution error when the target is the bare hostname:


dns-suf.png


This is the effect of a client that has no DNS suffix configured: the client sending these ECHO requests does not know which domain the target machine belongs to, so it sends the DNS query for the bare hostname rather than for the FQDN, and the DNS server has no matching record for that name.

 

To fix this issue, a DNS suffix needs to be added to the client machine, either manually, by modifying the IPv4 advanced settings of the network adapter, or automatically, by obtaining it from the DHCP server via DHCP option 15 (Domain Name).

 

When the FortiGate is the DHCP server, the suffix is handed out with the 'set domain' option of the DHCP server configuration in the CLI:


config system dhcp server
    edit 3
        set domain "dnslab.net"
        set default-gateway 10.83.1.1
        set netmask 255.255.255.0
        set interface "port6"
        config ip-range
            edit 1
                set start-ip 10.83.1.2
                set end-ip 10.83.1.254
            next
        end
        set dns-server1 10.83.1.1
    next
end

 

The result is that the client now appends the DNS suffix to the unqualified name and sends the query for lab2.dnslab.net instead of lab2. FortiGate, acting as the DNS server, finds the matching entry in its DNS database zone for dnslab.net and answers with the corresponding IP. The following is the output of 'diagnose debug application dnsproxy -1' (followed by 'diagnose debug enable' to display it) for illustration purposes; note the qname in dns_local_lookup() already carries the suffix:

 

[worker 0] udp_receive_request()-3199: vd=0, vrf=0, intf=7, len=33, alen=16, 10.56.1.2:52266=>10.56.1.1
[worker 0] handle_dns_request()-2446: vfid=0 real_vfid=0 id=0x1c81 pktlen=33 qr=0 req_type=3
[worker 0] dns_parse_message()-603
[worker 0] get_intf_policy()-1469: ifindex=7
[worker 0] dns_local_lookup()-2529: vfid=0, real_vfid=0, qname=lab2.dnslab.net, qtype=1, qclass=1, offset=33, map#=3 max_sz=512
[worker 0] dns_lookup_aa_zone()-608: vfid=0, fqdn=lab2.dnslab.net
[worker 0] dns_local_lookup()-2581: found zone=lab domain=dnslab.net
[worker 0] dnsentry_search()-506: domain=dnslab.net, name=lab2.dnslab.net, type=1
[worker 0] dnsentry_lookup()-430: domain=dnslab.net, name=lab2.dnslab.net, type=1
[worker 0] dnsentry_lookup()-440: found entry=lab2.dnslab.net
[worker 0] dns_section_encode()-2007: offset=33 max_sz=512
[worker 0] dns_rr_encode()-1896: entry=lab2.dnslab.net, type=1
[worker 0] dns_name_encode()-116: name=lab2.dnslab.net, len=15, offset=33
[worker 0] dnsentry_search()-506: domain=dnslab.net, name=dnslab.net, type=2
[worker 0] dnsentry_lookup()-430: domain=dnslab.net, name=dnslab.net, type=2
[worker 0] dns_section_encode()-2007: offset=49 max_sz=512 empty list
[worker 0] dns_section_encode()-2007: offset=49 max_sz=512 empty list
[worker 0] dns_query_save_response()-2676: domain=lab2.dnslab.net pktlen=49
[worker 0] dns_send_response()-1601: domain=lab2.dnslab.net reslen=49
[worker 0] __dns_udp_forward_response()-1478
[worker 0] __dns_udp_forward_response()-1489: vd-0 Send 49B via fd=7, family=2
[worker 0] __dns_udp_forward_response()-1493: set svf of fd to 0
[worker 0] __dns_udp_forward_response()-1543: vd=0 send 49B response 10.56.1.1:53=>10.56.1.2:52266
[worker 0] dns_query_delete()-587: orig id:0x1c81 local id:0x0000 domain=lab2.dnslab.net use=5 non-active
[worker 0] dns_query_cleanup()-566: use=2
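The following is an added example, not code from the article or from FortiOS, that shows the three pieces the article relies on: how DHCP option 15 carries the suffix, how a client applies that suffix to a single-label name, and what the resulting DNS query looks like on the wire. Only 'dnslab.net', 'lab2' and the transaction id 0x1c81 come from the article; the DHCP option bytes, the simplified suffix rule in qualify() and all helper names are constructed assumptions. With the suffix the query for lab2.dnslab.net is 33 bytes long, which is the len=33 seen in the udp_receive_request() line above; without it the client sends a 22-byte query for the bare name.

```python
"""Added example (not from the original article): DHCP option 15, DNS suffix
application and the resulting DNS query. All sample bytes are constructed."""
import struct
from typing import Dict, Optional, Tuple

DHCP_OPT_DOMAIN_NAME = 15   # RFC 2132 section 3.17, "Domain Name" option
DHCP_OPT_PAD = 0
DHCP_OPT_END = 255


def encode_option15(domain: str) -> bytes:
    """Encode a DHCP Domain Name option as code / length / value (RFC 2132)."""
    value = domain.encode("ascii")
    if not 0 < len(value) <= 255:
        raise ValueError("domain must be 1..255 bytes")
    return bytes([DHCP_OPT_DOMAIN_NAME, len(value)]) + value


def parse_dhcp_options(options: bytes) -> Dict[int, bytes]:
    """Parse a DHCP options field (without the magic cookie) into {code: value}."""
    out: Dict[int, bytes] = {}
    i = 0
    while i < len(options):
        code = options[i]
        if code == DHCP_OPT_END:
            break
        if code == DHCP_OPT_PAD:
            i += 1
            continue
        length = options[i + 1]
        out[code] = options[i + 2:i + 2 + length]
        i += 2 + length
    return out


def qualify(name: str, suffix: Optional[str]) -> str:
    """Apply the DNS suffix to a single-label (unqualified) name.
    Assumption: names that already contain a dot, or end with a dot, are sent
    as-is; real stub resolvers have richer rules (search lists, ndots)."""
    if name.endswith(".") or "." in name or not suffix:
        return name.rstrip(".")
    return f"{name}.{suffix}"


def encode_dns_name(name: str) -> bytes:
    """Encode a domain name as length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("label must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_dns_query(qname: str, txid: int = 0x1C81, qtype: int = 1) -> bytes:
    """Standard query: RD set, one question, QTYPE as given, QCLASS IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_dns_name(qname) + struct.pack("!HH", qtype, 1)


def query_for(hostname: str, dhcp_options: bytes) -> Tuple[str, bytes]:
    """Take the suffix from the DHCP options (if any) and build the client's query."""
    opts = parse_dhcp_options(dhcp_options)
    suffix = opts.get(DHCP_OPT_DOMAIN_NAME, b"").decode("ascii") or None
    qname = qualify(hostname, suffix)
    return qname, build_dns_query(qname)


if __name__ == "__main__":
    # Constructed DHCP option fields: one without option 15, one with it.
    no_suffix = bytes([DHCP_OPT_END])
    with_suffix = encode_option15("dnslab.net") + bytes([DHCP_OPT_END])
    for label, opts in (("without option 15", no_suffix),
                        ("with option 15", with_suffix)):
        qname, pkt = query_for("lab2", opts)
        print(f"{label}: qname={qname} query length={len(pkt)}")
```

The 33-byte figure is simply the 12-byte DNS header plus the encoded name lab2.dnslab.net (17 bytes) plus QTYPE and QCLASS (4 bytes), so the packet length in the dnsproxy debug is a quick way to confirm whether the client is appending the suffix before the query ever reaches the DNS database.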

 

The ping command now receives a reply when the target is the bare hostname:

 

dns-suf1.png