FortiGate
johnathan (Staff)
Article Id 408506
Description This article describes a scenario where the SDNS servers are replying to the FortiGate with DNS ratings, yet the DNS filter still reports rating errors.
Scope FortiOS, DNS filter
Solution

When the DNS filter logs show queries being blocked because of rating errors, the cause is usually a network issue: the FortiGate is not receiving replies from the SDNS servers at all. If the SDNS server's reply is visible in a PCAP/sniffer capture on the FortiGate and the rating error is still logged, the FortiGate may be hitting a less common scenario.

The FortiGate receives the DNS rating as a TXT record included in the DNS response from the SDNS server. A reply that carries the requested A/AAAA record but no TXT record gives the FortiGate nothing to rate the domain with, so the DNS filter treats it as a rating error even though a response arrived.

The following screenshot is an example of a working response, with the TXT record included:

[Screenshot: working resp.png]


The following is an example of the response in a non-working scenario:

[Screenshot: notworking2.PNG]

In the non-working capture the TXT record is missing. This happens when the ISP, or a device between the FortiGate and the internet, performs DNS inspection and strips the record from the response before it reaches the FortiGate. To confirm this, capture the SDNS exchange on the FortiGate (for example with the built-in sniffer, diagnose sniffer packet any 'port 53' 6 0 l, and open the output in Wireshark) and compare it with a capture of the same query taken from a host that does not pass through the suspected device: if the TXT record is present on one side and absent on the other, the intermediary is modifying the reply. The fix belongs on that device: exclude the FortiGate's traffic to the SDNS servers from DNS inspection, or route it so the inspecting device is bypassed.
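To make the check concrete, here is an added example (it is not from the article and not Fortinet code): a small Python DNS wire-format parser that takes the raw bytes of a reply, as you would extract them from the sniffer output, and reports whether any TXT record is present in the answer, authority or additional section. The two sample responses are constructed in the script; the owner name, address and TXT payload are placeholders and do not reproduce the real FortiGuard rating format, only the shape of the problem (same query, same A record, TXT record present in one reply and stripped in the other).

```python
import struct
from typing import Optional

TYPE_A, TYPE_TXT = 1, 16
CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels (no compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_response(qname: str, ip: str, txt: Optional[str] = None) -> bytes:
    """Constructed sample reply: one A answer, optionally one TXT record in the
    additional section (the position the article's screenshots show for the rating)."""
    arcount = 1 if txt is not None else 0
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, arcount)
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    # 0xC00C is a compression pointer to offset 12, where the question name starts.
    answer = (b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 60, 4)
              + bytes(int(o) for o in ip.split(".")))
    msg = header + question + answer
    if txt is not None:
        rdata = bytes([len(txt)]) + txt.encode()  # TXT rdata: length-prefixed strings
        msg += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, CLASS_IN, 60, len(rdata)) + rdata
    return msg


def parse_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset after the name)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # pointer: follow it, but resume after the 2-byte pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_rr(msg: bytes, off: int):
    name, off = parse_name(msg, off)
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    off += 10
    return {"name": name, "type": rtype, "class": rclass, "ttl": ttl,
            "rdata": msg[off:off + rdlen]}, off + rdlen


def parse_response(msg: bytes) -> dict:
    """Parse header, question and the three RR sections of a DNS message."""
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions = 12, []
    for _ in range(qd):
        name, off = parse_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    sections = {}
    for key, count in (("answer", an), ("authority", ns), ("additional", ar)):
        rrs = []
        for _ in range(count):
            rr, off = parse_rr(msg, off)
            rrs.append(rr)
        sections[key] = rrs
    return {"id": ident, "flags": flags, "questions": questions, **sections}


def txt_strings(rdata: bytes) -> list:
    """Split TXT rdata into its length-prefixed character strings."""
    out, i = [], 0
    while i < len(rdata):
        n = rdata[i]
        out.append(rdata[i + 1:i + 1 + n].decode(errors="replace"))
        i += 1 + n
    return out


def txt_records(msg: bytes) -> list:
    """All TXT strings found anywhere in the reply (the rating travels in a TXT record)."""
    parsed, found = parse_response(msg), []
    for section in ("answer", "authority", "additional"):
        for rr in parsed[section]:
            if rr["type"] == TYPE_TXT:
                found.extend(txt_strings(rr["rdata"]))
    return found


def rating_present(msg: bytes) -> bool:
    return len(txt_records(msg)) > 0


# Constructed samples: same query and A record, TXT record present vs. stripped.
WORKING = build_response("www.example.com", "93.184.216.34", txt="constructed-rating-data")
NOT_WORKING = build_response("www.example.com", "93.184.216.34")

if __name__ == "__main__":
    for label, reply in (("working", WORKING), ("not working", NOT_WORKING)):
        print(label, "-> TXT present:", rating_present(reply), txt_records(reply))
```

To use it on a real capture, export the UDP payload of the SDNS reply from Wireshark as raw bytes and pass it to rating_present(); a reply that parses cleanly, answers the question, yet returns no TXT record is the signature of the stripping described above.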
