SDNS servers are DNS servers used by DNS filter profiles. The DNS lookup requests will be sent to the FortiGuard DNS service and resolve end-user queries with an IP address and a domain rating that includes the FortiGuard category of the web page.

The SDNS server IP address might be different depending on location.  

The default FortiDNS server is located in the USA (IP address: 208.91.112.220), and the in the London server, UK (IP address: 194.69.172.53).

Follow the steps below  the DNS rating error is appearing (no available FortiGuard SDNS servers):

By default, FortiGate uses UDP port 53 to connect to the SDNS server.

1. Verify license validity and the connection between FortiGate and the SDNS server :

• Run the below command to verify the FortiGuard SDNS server.

diagnose test application dnsproxy 3

• From the output of the above command, check the FGD_DNS_SERVICE_LICENSE line. The SDNS server IP address might be different depending on location.

In this example, it is:

• Verify the communication between the FortiGate and the SDNS server.

Note:
Make sure the license is valid and not expired. The parameter 'expired' reflects the license status. 0 means that the license is valid and 1 means that the license is invalid.


In case of a valid license but not reflecting correctly on FortiGate GUI, follow this document Troubleshooting Tip: License not reflected in the GUI.

In the CLI Console:

execute ping 208.91.112.220

Note:

If VDOM is enabled, run the command under management VDOM.

2. Modify the FortiGuard setting through CLI console:

config system fortiguard
    set fortiguard-anycast disable
    set protocol udp
    set port 8888
    set sdns-server-ip 208.91.112.220 173.243.140.53 210.7.96.53

The North American server should work in most cases.

However, it is possible to switch to the European server (IP address: 194.69.172.53) to see if it improves latency.

This command can be used to check the DNS proxy status. Use '?' to list down the Test level.

diagnose test application dnsproxy ?

1. Clear DNS cache

2. Show stats

3. Dump DNS setting

4. Reload FQDN

5. Requery FQDN

6. Dump FQDN

7. Dump DNS cache

8. Dump DNS DB

9. Reload DNS DB

10. Dump secure DNS policy/profile

11. Dump Botnet domain

12. Reload Secure DNS setting

13. Show Hostname cache

14. Clear Hostname cache

15. Show SDNS rating cache

16. Clear SDNS rating cache

17. DNS debug bit mask

18. Restart dnsproxy worker

Workaround:

If the security event in the DNS filter shows the message Rating error occurs, Allow DNS requests when a rating error occurs can be used as a workaround.

Note: Enable this option to allow all domains when FortiGuard DNS servers fail due to any connectivity issue with FortiGuard servers. It also provides access to the blocked categories in the selected DNS filter profile.

In the GUI:

In the CLI:

config dnsfilter profile

    edit "default"

        config ftgd-dns

            set options error-allow

        next

    end

Related documents:

• Troubleshooting for DNS filter
• (Optional) Changing the FortiDNS server and port
• Troubleshooting Tip: Unable to connect to FortiGuard servers