FortiGate
vbandha
Staff
Article Id 274050
Description This article describes how to troubleshoot if the DNS Filter Rating Server is visible as unreachable.
Scope FortiGate v7.0+.
Solution

If the DNS Filter rating server is shown as unreachable under Network -> DNS, follow these steps for troubleshooting:

 

Check the status of the FortiGuard server on this link:

http://status.fortimonitor.forticloud.com/fortiguardsdns

 

If the status is down or incidents are reported, change the DNS server from FortiGuard to a public DNS server.

 

Change DNS settings.
To do this, go to Network -> DNS, choose 'Specify', enter the public DNS IP (e.g. 8.8.8.8 or 1.1.1.1), and ensure UDP/53 is enabled and TLS is disabled.

 


 

Change the FortiGuard settings. Open a CLI window and, if the unit is located in the US, type these commands:

config system fortiguard
    set fortiguard-anycast disable
    set protocol udp
    set port 53
    set update-server-location usa
    set sdns-server-ip "208.91.112.220"
end

 

If the unit is located outside the US, type these commands instead:

config system fortiguard
    set fortiguard-anycast disable
    set protocol udp
    set port 53
    set update-server-location automatic
    set sdns-server-ip "194.69.172.53"
end

 

The SDNS server 208.91.112.220 is located in California, US. The server 194.69.172.53 is located in London, UK.

 

Check the FortiGuard DNS Rating Server license. In the CLI Console, run the command:

 

diagnose test application dnsproxy 3

Output 1 (screenshot: valid license):

 

From the above output:

 

Server IP: 173.243.140.53:853 and 139.138.105.53:853
Expiry Date: 2024-11-13
Expired Flag: expired=0 <----- This means the license is not expired.
Type: type=2 <----- The type of license, specific to Fortinet's classification.


Output 2 (screenshot: expired license):

 

 

For this server:

 

Server IP: 208.91.112.220:53
Expiry Date: 0000-00-00 <----- This indicates an invalid or unspecified expiry date.
Expired Flag: expired=1 <----- This means the license is expired.
Type: type=0 <----- The type of license, specific to Fortinet's classification, but 0 might indicate an invalid or unclassified type.


Check the expiry date under the LICENSE line and make sure it is not expired.
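
The license check described above can be scripted against saved CLI output. This is an added example, not Fortinet code and not part of the original article. It assumes the LICENSE line has the form "LICENSE: expiry=..., expired=..., type=..." and that servers appear as ip:port at the start of a line; the function names and both sample outputs are constructed for illustration.

```python
import re
from datetime import date

# Constructed samples (not captured from a device). The line layout is an
# assumption built from the fields the article reads off its screenshots.
SAMPLE_VALID = """\
173.243.140.53:853
139.138.105.53:853
LICENSE: expiry=2024-11-13, expired=0, type=2
"""
SAMPLE_EXPIRED = """\
208.91.112.220:53
LICENSE: expiry=0000-00-00, expired=1, type=0
"""

SERVER_RE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\b", re.M)
LICENSE_RE = re.compile(r"^\s*LICENSE:\s*(.*)$", re.M)

def parse_dnsproxy(text):
    """Return ([(ip, port), ...], {license field: value}) from saved output."""
    servers = [(ip, int(port)) for ip, port in SERVER_RE.findall(text)]
    m = LICENSE_RE.search(text)
    pairs = m.group(1).split(",") if m else []
    lic = dict(p.strip().split("=", 1) for p in pairs if "=" in p)
    return servers, lic

def assess(text, today):
    """List the reasons the rating license would be treated as unusable."""
    servers, lic = parse_dnsproxy(text)
    problems = []
    if not servers:
        problems.append("no SDNS server listed")
    if not lic:
        return problems + ["no LICENSE line found"]
    if lic.get("expired") != "0":
        problems.append(f"expired flag set (expired={lic.get('expired')})")
    try:
        if date.fromisoformat(lic.get("expiry", "")) < today:
            problems.append(f"expiry date {lic['expiry']} has passed")
    except ValueError:  # 0000-00-00 or a missing field is not a real date
        problems.append(f"expiry date invalid ({lic.get('expiry')})")
    return problems

if __name__ == "__main__":
    for name, text in (("valid", SAMPLE_VALID), ("expired", SAMPLE_EXPIRED)):
        servers, _ = parse_dnsproxy(text)
        print(name, servers, assess(text, date(2024, 1, 1)) or "license OK")
```

The returned port also shows which transport each server uses: 853 is the DNS over TLS port, while 53 means the rating queries go out over plain DNS, as they do after the UDP/53 change above.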