Description
This article provides commands to help understand if traffic is processed by the DNS session helper.
Scope
FortiGate.
Solution
The DNS session helper (dns-udp) is one of the FortiGate's built-in session helpers: a kernel component that tracks DNS queries and their replies on UDP port 53 as they pass through a session. It is not a proxy; the client still talks directly to the DNS server, as the SNAT/DNAT tuples in the session entry below show.
Topology: Client 10.14.2.109 --- (10.14.2.54 port1) FortiGate (port32 10.56.246.54) -- DNS server 10.56.10.10.
In the output of diagnose debug flow, a query handled by the DNS session helper looks like this:
id=65308 trace_id=138 func=print_pkt_detail line=5795 msg="vd-CONNECT:0 received a packet(proto=17, 10.14.2.109:64504->10.56.10.10:53) tun_id=0.0.0.0 from port1. "
id=65308 trace_id=138 func=init_ip_session_common line=5980 msg="allocate a new session-01610aca, tun_id=0.0.0.0"
id=65308 trace_id=138 func=iprope_dnat_check line=5297 msg="in-[port1], out-[]"
id=65308 trace_id=138 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=138 func=iprope_dnat_check line=5309 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=138 func=vf_ip_route_input_common line=2611 msg="find a route: flag=04000000 gw-10.56.247.254 via port32"
id=65308 trace_id=138 func=iprope_fwd_check line=792 msg="in-[port1], out-[port32], skb_flags-02000000, vid-0, app_id: 0, url_cat_id: 0"
id=65308 trace_id=138 func=__iprope_tree_check line=528 msg="gnum-100004, use int hash, slot=38, len=4"
id=65308 trace_id=138 func=__iprope_check_one_policy line=2051 msg="checked gnum-100004 policy-4294967295, ret-no-match, act-accept"
id=65308 trace_id=138 func=__iprope_check_one_policy line=2051 msg="checked gnum-100004 policy-901, ret-matched, act-accept"
id=65308 trace_id=138 func=__iprope_user_identity_check line=1825 msg="ret-matched"
id=65308 trace_id=138 func=__iprope_check line=2299 msg="gnum-4e25, check-ffffffffa002ee40"
id=65308 trace_id=138 func=__iprope_check_one_policy line=2051 msg="checked gnum-4e25 policy-14, ret-no-match, act-accept"
id=65308 trace_id=138 func=__iprope_check line=2316 msg="gnum-4e25 check result: ret-no-match, act-accept, flag-00000000, flag2-00000000"
id=65308 trace_id=138 func=get_new_addr line=1231 msg="find SNAT: IP-10.56.246.54(from IPPOOL), port-64504"
id=65308 trace_id=138 func=__iprope_check_one_policy line=2269 msg="policy-901 is matched, act-accept"
id=65308 trace_id=138 func=iprope_fwd_check line=829 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-901"
id=65308 trace_id=138 func=iprope_fwd_auth_check line=848 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-901"
id=65308 trace_id=138 func=iprope_reverse_dnat_check line=1310 msg="in-[port1], out-[port32], skb_flags-02000000, vid-0"
id=65308 trace_id=138 func=iprope_reverse_dnat_tree_check line=926 msg="len=3"
id=65308 trace_id=138 func=__iprope_check_one_reverse_dnat_policy line=1253 msg="checking gnum-100002 policy-4294967295"
id=65308 trace_id=138 func=__iprope_check_one_reverse_dnat_policy line=1253 msg="checking gnum-100002 policy-4294967295"
id=65308 trace_id=138 func=__iprope_check_one_reverse_dnat_policy line=1253 msg="checking gnum-100002 policy-4294967295"
id=65308 trace_id=138 func=fw_forward_handler line=990 msg="Allowed by Policy-901: SNAT"
id=65308 trace_id=138 func=__ip_session_run_tuple line=3389 msg="SNAT 10.14.2.109->10.56.246.54:64504"
id=65308 trace_id=138 func=__ip_session_run_tuple line=3443 msg="run helper-dns-udp(dir=original)" >> the 'run helper-dns-udp' line shows that the DNS session helper is processing this session
The corresponding entry in diagnose sys session list looks like this (a later query than the one traced above, hence the different source port):
session info: proto=17 proto_state=01 duration=61 expire=118 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ helper=dns-udp vlan_cos=0/255
state=may_dirty npu
statistic(bytes/packets/allow_err): org=57/1/1 reply=318/1/1 tuples=2
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=15->46/46->15 gwy=10.56.247.254/10.14.2.109
hook=post dir=org act=snat 10.14.2.109:51628->10.56.10.10:53(10.56.246.54:51628)
hook=pre dir=reply act=dnat 10.56.10.10:53->10.56.246.54:51628(10.14.2.109:51628)
misc=0 policy_id=901 pol_uuid_idx=27163 auth_info=0 chk_client_info=0 vd=1
serial=01610ad8 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x4000000
npu info: flag=0x00/0x00, offload=0/0, ips_offload=0/0, epid=0/0, ipid=0/0, vlan=0x0000/0x0000
vlifid=0/0, vtag_in=0x0000/0x0000 in_npu=0/0, out_npu=0/0, fwd_en=0/0, qid=0/0
no_ofld_reason:
ofld_fail_reason(kernel, drv): none/not-established, none(0)/none(0)
npu_state_err=00/04
The 'npu info' line (offload=0/0) and the 'ofld_fail_reason' line show that this session is not offloaded. Traffic handled by a session helper is not offloaded to the NPU/SPU. For the meaning of these fields, see:
diagnose sys session list and no_ofld_reason field (NP7 session information)
The DNS session helper can be disabled (config system session-helper) as described in:
Technical Tip: Enable and disable FortiGate system session helpers
Note:
Even if the DNS session helper is deleted, this traffic will still not be offloaded. A DNS transaction is usually just two packets, the outbound query and the inbound reply (org=57/1/1 reply=318/1/1 above), which is not enough for the session to become established and enter the fastpath; this is consistent with the 'not-established' value in the ofld_fail_reason line. Removing the helper therefore does not change the offload result for DNS, and the session remains handled by the CPU.
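When a session table holds thousands of entries, reading each one by hand is impractical. The following Python script is an added example (not Fortinet code and not part of this article): it parses 'diagnose sys session list' entries and 'diagnose debug flow' lines and reports, per session, whether a helper is attached and whether the NPU offloaded it. The sample input is constructed: the DNS entry is abridged from the output above, while the second entry (TCP/443, offloaded, no helper) is invented for contrast and its npu info values are assumptions, not taken from a device.

```python
"""Triage FortiGate session and debug-flow output for DNS session-helper handling.

Added example for this article, not Fortinet code. It parses the text printed by
'diagnose sys session list' and 'diagnose debug flow' and reports, per session,
whether a session helper is attached and whether the NPU offloaded it.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample. The first entry is abridged from the DNS session shown in
# the article; the second (TCP/443, offloaded, no helper) is invented for contrast
# and its 'npu info' values are assumed, not copied from a device.
SESSION_LIST = """\
session info: proto=17 proto_state=01 duration=61 expire=118 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
class_id=0 ha_id=0 policy_dir=0 tunnel=/ helper=dns-udp vlan_cos=0/255
state=may_dirty npu
statistic(bytes/packets/allow_err): org=57/1/1 reply=318/1/1 tuples=2
hook=post dir=org act=snat 10.14.2.109:51628->10.56.10.10:53(10.56.246.54:51628)
hook=pre dir=reply act=dnat 10.56.10.10:53->10.56.246.54:51628(10.14.2.109:51628)
misc=0 policy_id=901 pol_uuid_idx=27163 auth_info=0 chk_client_info=0 vd=1
npu info: flag=0x00/0x00, offload=0/0, ips_offload=0/0, epid=0/0, ipid=0/0, vlan=0x0000/0x0000
no_ofld_reason:
ofld_fail_reason(kernel, drv): none/not-established, none(0)/none(0)
session info: proto=6 proto_state=01 duration=30 expire=3570 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
class_id=0 ha_id=0 policy_dir=0 tunnel=/ helper= vlan_cos=0/255
state=may_dirty npu
statistic(bytes/packets/allow_err): org=1200/12/1 reply=5400/10/1 tuples=2
hook=post dir=org act=snat 10.14.2.109:50000->203.0.113.10:443(10.56.246.54:50000)
hook=pre dir=reply act=dnat 203.0.113.10:443->10.56.246.54:50000(10.14.2.109:50000)
misc=0 policy_id=901 pol_uuid_idx=27163 auth_info=0 chk_client_info=0 vd=1
npu info: flag=0x81/0x81, offload=8/8, ips_offload=0/0, epid=64/64, ipid=64/64, vlan=0x0000/0x0000
no_ofld_reason:
"""

# Two lines taken from the debug flow trace in the article.
DEBUG_FLOW = """\
id=65308 trace_id=138 func=__ip_session_run_tuple line=3389 msg="SNAT 10.14.2.109->10.56.246.54:64504"
id=65308 trace_id=138 func=__ip_session_run_tuple line=3443 msg="run helper-dns-udp(dir=original)"
"""


@dataclass
class Session:
    proto: int
    helper: str           # '' when no session helper is attached
    policy_id: str
    orig_tuple: str       # original-direction tuple as printed on the hook= line
    offload: str          # 'org/reply' offload values from the 'npu info' line
    no_ofld_reason: str
    ofld_fail_reason: str

    @property
    def offloaded(self) -> bool:
        # offload=0/0 means neither direction is handled by the NPU.
        return self.offload not in ("", "0/0")


def _kv(text: str, key: str) -> str:
    """Value of 'key=value'; the lookbehind keeps 'offload' from matching 'ips_offload'."""
    m = re.search(rf"(?<![\w-]){re.escape(key)}=(\S*)", text)
    return m.group(1).rstrip(",") if m else ""


def _line(text: str, prefix: str) -> str:
    """Remainder of the line starting with prefix ('' if absent or empty)."""
    m = re.search(rf"^{re.escape(prefix)}[ \t]*(.*)$", text, re.M)
    return m.group(1).strip() if m else ""


def parse_session_list(text: str) -> list[Session]:
    """Split 'diagnose sys session list' output into one Session per entry."""
    sessions = []
    for block in re.split(r"(?m)^(?=session info:)", text):
        if not block.strip():
            continue
        tuple_m = re.search(r"^hook=\w+ dir=org act=\w+ (\S+)", block, re.M)
        sessions.append(Session(
            proto=int(_kv(block, "proto")),
            helper=_kv(block, "helper"),
            policy_id=_kv(block, "policy_id"),
            orig_tuple=tuple_m.group(1) if tuple_m else "",
            offload=_kv(block, "offload"),
            no_ofld_reason=_line(block, "no_ofld_reason:"),
            ofld_fail_reason=_line(block, "ofld_fail_reason(kernel, drv):"),
        ))
    return sessions


def helper_runs(debug_flow: str) -> dict[int, list[tuple[str, str]]]:
    """Map trace_id -> [(helper, direction)] for every 'run helper-...' debug flow line."""
    runs: dict[int, list[tuple[str, str]]] = {}
    for m in re.finditer(r'trace_id=(\d+) .*?msg="run helper-([\w-]+)\(dir=(\w+)\)"', debug_flow):
        runs.setdefault(int(m.group(1)), []).append((m.group(2), m.group(3)))
    return runs


if __name__ == "__main__":
    for s in parse_session_list(SESSION_LIST):
        print(f"{s.orig_tuple:60} helper={s.helper or '-':8} offloaded={s.offloaded}"
              f" fail={s.ofld_fail_reason or '-'}")
    print(helper_runs(DEBUG_FLOW))
```

Paste the real output of diagnose sys session list (with a filter such as dport 53 applied first) into SESSION_LIST to run it against a live box; any entry reporting helper=dns-udp with offload=0/0 is the case this article describes.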
Copyright 2024 Fortinet, Inc. All Rights Reserved.