FortiGate
Alan_
Staff
Article Id 421739
Description

This article describes how to troubleshoot DNS queries that resolve to FortiGuard IPs when a DNS filter is applied.

Scope
FortiGate.
Solution

When a DNS query resolves to a FortiGuard IP (for example, 208.91.112.55), the query has matched a DNS filter whose action is redirecting it to the FortiGuard Block Portal: the FortiGate answers the query with the block portal address instead of the real record.

Consider a common scenario:

Figure: Scenario

 

In this scenario:

  • End Users use FortiGate as a DNS server.
  • FortiGate is configured to listen for DNS queries on interface internal1, where a DNS filter is applied.

config system dns-server
    edit "internal1"
        set dnsfilter-profile "test_dns_filter" <-----
    next
end


DNS filter profiles can also be applied to firewall policies.

With the profile applied, FortiGate checks the category of each DNS query with FortiGuard. The default DNS filter profile (as well as any newly created DNS filter profile) is configured to redirect any DNS query whose domain is categorized under 'Security Risk' to the block portal.


Figure: Default action for categories under "Security Risk" is "Redirect to Block Portal"


In this example, the action for the Domain Parking category is set to Redirect to Block Portal. If the end user tries to reach a website that is categorized as Domain Parking, the request is blocked and the block page is shown.

Figure: Example of a Block page


The blocked DNS query is resolved with the FortiGuard IP 208.91.112.55.

Figure: DNS query blocked is resolved with FortiGuard IP


It is also possible to match particular domains statically in the DNS filter. This should be done for internal/local domains, so that FortiGate does not forward those DNS queries to FortiGuard for rating.


In most cases these internal names are unknown to FortiGuard and are categorized as 'Unrated', for which the default action is 'Monitor'. However, FortiGuard may categorize an entry as 'Newly Observed Domain' or as any other category whose action is 'Redirect to Block Portal', which would prevent access to an internal resource.


In this scenario, the administrator should avoid forwarding internal domains to FortiGuard at all.


In this example, assume test.com is an internal domain. FortiGate forwards the following DNS query to FortiGuard, which categorizes it as 'Domain Parking' and blocks the connection.

Figure: the blocked DNS query (test2.com.png)


In the DNS filter profile, Domain filters can be configured to apply a static action (allow, block or monitor) to a particular DNS entry or to a set of domains (exact, wildcard or regex match). A matching static entry is applied without the query being rated by FortiGuard.


Figure: Regex to filter domains
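The following CLI configuration is an added example, not part of the original article, covering both the static domain filter described here and the firewall-policy variant mentioned earlier. It creates a domain-filter table that allows the internal domain, references it from the article's DNS filter profile, and applies that profile both to the DNS server interface and to a firewall policy. The profile name test_dns_filter and the interface internal1 come from the article; the table ID 1, the table name "internal-domains", the firewall policy ID 1 and the domain test.com are assumptions for illustration.

```fortios
# Added example (not from the original article). Assumed values:
# domain-filter table 1 "internal-domains", firewall policy 1, internal domain test.com.

# 1. Static domain filter: allow the internal domain so its queries are
#    never sent to FortiGuard for rating. Two entries are used so that both
#    the apex (test.com) and hosts beneath it (a.test.com) are covered.
config dnsfilter domain-filter
    edit 1
        set name "internal-domains"
        config entries
            edit 1
                set domain "test.com"
                set type simple
                set action allow
                set status enable
            next
            edit 2
                set domain "*.test.com"
                set type wildcard
                set action allow
                set status enable
            next
        end
    next
end

# 2. Reference the table from the DNS filter profile used in the article.
#    The FortiGuard category actions (Security Risk -> block portal) are left unchanged.
config dnsfilter profile
    edit "test_dns_filter"
        config domain-filter
            set domain-filter-table 1
        end
    next
end

# 3a. Apply the profile on the interface where FortiGate listens as a DNS server.
config system dns-server
    edit "internal1"
        set dnsfilter-profile "test_dns_filter"
    next
end

# 3b. Alternatively, apply the profile to a firewall policy (assumed policy ID 1);
#     utm-status must be enabled for the profile to take effect.
config firewall policy
    edit 1
        set utm-status enable
        set dnsfilter-profile "test_dns_filter"
    next
end
```

To verify, query the FortiGate from a client that uses it as resolver (for example `dig a.test.com @<internal1 IP>` or `nslookup a.test.com <internal1 IP>`): the answer should now be the internal record rather than 208.91.112.55. Only the internal domains should be listed in the table; queries for everything else continue to be rated by FortiGuard and keep the category actions of the profile.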


With the static domain filter in place, the a.test.com query is resolved correctly instead of being redirected to the block portal.


Figure: a.test.com now works