amuda
Staff
Article Id 336985
Description This article describes what to check when an FQDN fails to resolve to an IP address while a DNS profile (DNS filter profile) is enabled in the DNS server configuration.
Scope FortiGate, DNS.
Solution

When running nslookup against an FQDN that exists in the FortiGate DNS server database, the request times out instead of returning the address.

[Image: nslookup failed.jpg]

Running the dnsproxy debug showed the failure to be a reachability problem with the FortiGuard SDNS (Secure DNS) server, which the DNS filter profile queries to rate each requested domain:

diagnose debug application dnsproxy -1
diagnose debug enable

[Image: failed.jpg]

Check upstream (the perimeter firewall, the ISP, or any other device between the FortiGate and the Internet) whether traffic from the FortiGate to this IP address (173.243.140.53, the FortiGuard SDNS server used for DNS rating) is blocked. The rating query goes to the SDNS port configured under config system fortiguard (sdns-server-port, 53 by default). While the rating lookup for a domain fails, dnsproxy does not answer the client's query for that domain, which is why nslookup times out rather than returning an error.
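
The following CLI sequence is an added example for confirming SDNS reachability from the FortiGate itself; it is not part of the original article. It uses the dnsproxy debug shown above together with the FortiOS packet sniffer. The SDNS address 173.243.140.53 is the one from the article; verify the address and port actually configured on the unit with the first command, and run the sniffer on a specific egress interface instead of "any" if the unit is busy.

```text
# Added example, not from the original article.

# 1. Which FortiGuard SDNS server and port the DNS filter profile is configured to use
#    (sdns-server-port defaults to 53).
get system fortiguard | grep sdns

# 2. Capture rating traffic to the SDNS server while reproducing the nslookup from a client.
#    Arguments: interface, filter, verbose level 4 (interface + packet headers),
#    count 0 (run until Ctrl-C), 'l' (local timestamps).
#    Requests leaving the FortiGate with no matching replies coming back point to
#    upstream blocking; no requests at all point to a local routing or config problem.
diagnose sniffer packet any 'host 173.243.140.53 and port 53' 4 0 l

# 3. dnsproxy debug, as in the article, then reproduce the nslookup from a client.
diagnose debug application dnsproxy -1
diagnose debug enable

# 4. Always switch the debug off afterwards; a left-on debug at level -1 is noisy
#    and costs CPU on a production unit.
diagnose debug disable
diagnose debug reset
```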
As a workaround, the DNS profile can be removed from the DNS server configuration (config system dns-server, dnsfilter-profile setting). This lets the FortiGate answer queries without rating them first, but it also turns off DNS filtering (category and botnet-domain blocking) for clients of that DNS service, so treat it as a temporary measure until reachability to the SDNS server is restored.
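
The CLI equivalent of that workaround, as an added example that is not the article's own configuration: the interface name "port1" and the profile name "default" are assumptions, so replace them with the interface(s) running the DNS service and the profile attached to them (show system dns-server lists both). The second stanza goes a step beyond the article: it keeps the profile in place and only changes what happens when the FortiGuard rating lookup fails, which is the narrower change to try first; confirm the option name on the FortiOS version in use.

```text
# Added example, not the article's own configuration.
# Assumptions: DNS service runs on "port1"; the attached DNS filter profile is "default".

# Workaround from the article: detach the DNS filter profile from the DNS service.
# DNS filtering is off for clients of this DNS service until the profile is re-attached.
config system dns-server
    edit "port1"
        unset dnsfilter-profile
    next
end

# Narrower alternative: keep the profile but allow queries through when the
# FortiGuard rating lookup fails (fail-open). Clients keep resolving during an SDNS
# outage, at the cost of no category/botnet blocking while the outage lasts.
config dnsfilter profile
    edit "default"
        config ftgd-dns
            set options error-allow
        end
    next
end

# Re-attach the profile once SDNS reachability is restored.
config system dns-server
    edit "port1"
        set dnsfilter-profile "default"
    next
end
```

Whichever of the two is applied, record it as a temporary change: both trade DNS-based blocking for availability, and the actual fix is to get the rating traffic to the SDNS server through again.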

[Image: delete dns-profile.jpg]

After the change, the FortiGate resolves the FQDN to its IP address:

[Image: nslookup success.jpg]