Created on 12-12-2023 10:06 PM Edited on 01-23-2025 07:33 AM By Jean-Philippe_P
Description
This article shows how to confirm, from debug flow and session list output, whether DNS traffic is being processed by the DNS session helper, and explains why such sessions are not offloaded to the NPU.
Scope
FortiGate.
Solution
The DNS session helper (dns-udp) is a built-in feature that improves the performance and security of DNS traffic by tracking the query/reply exchange inside the kernel session path. It is not a separate proxy process: the helper runs as part of normal session processing on the CPU, which is why it appears in the debug flow as a "run helper-dns-udp" step rather than as a new connection from the FortiGate.
Topology: Client 10.14.2.109 --- (10.14.2.54 port1) FortiGate (port32 10.56.246.54) -- DNS server 10.56.10.10.
With diagnose debug flow tracing enabled (filtered on the DNS server or on UDP port 53), a query handled by the DNS session helper produces output like the following:
id=65308 trace_id=138 func=print_pkt_detail line=5795 msg="vd-CONNECT:0 received a packet(proto=17, 10.14.2.109:64504->10.56.10.10:53) tun_id=0.0.0.0 from port1. "
id=65308 trace_id=138 func=init_ip_session_common line=5980 msg="allocate a new session-01610aca, tun_id=0.0.0.0"
id=65308 trace_id=138 func=iprope_dnat_check line=5297 msg="in-[port1], out-[]"
id=65308 trace_id=138 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=138 func=iprope_dnat_check line=5309 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=138 func=vf_ip_route_input_common line=2611 msg="find a route: flag=04000000 gw-10.56.247.254 via port32"
id=65308 trace_id=138 func=iprope_fwd_check line=792 msg="in-[port1], out-[port32], skb_flags-02000000, vid-0, app_id: 0, url_cat_id: 0"
id=65308 trace_id=138 func=__iprope_tree_check line=528 msg="gnum-100004, use int hash, slot=38, len=4"
id=65308 trace_id=138 func=__iprope_check_one_policy line=2051 msg="checked gnum-100004 policy-4294967295, ret-no-match, act-accept"
id=65308 trace_id=138 func=__iprope_check_one_policy line=2051 msg="checked gnum-100004 policy-901, ret-matched, act-accept"
id=65308 trace_id=138 func=__iprope_user_identity_check line=1825 msg="ret-matched"
id=65308 trace_id=138 func=__iprope_check line=2299 msg="gnum-4e25, check-ffffffffa002ee40"
id=65308 trace_id=138 func=__iprope_check_one_policy line=2051 msg="checked gnum-4e25 policy-14, ret-no-match, act-accept"
id=65308 trace_id=138 func=__iprope_check line=2316 msg="gnum-4e25 check result: ret-no-match, act-accept, flag-00000000, flag2-00000000"
id=65308 trace_id=138 func=get_new_addr line=1231 msg="find SNAT: IP-10.56.246.54(from IPPOOL), port-64504"
id=65308 trace_id=138 func=__iprope_check_one_policy line=2269 msg="policy-901 is matched, act-accept"
id=65308 trace_id=138 func=iprope_fwd_check line=829 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-901"
id=65308 trace_id=138 func=iprope_fwd_auth_check line=848 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-901"
id=65308 trace_id=138 func=iprope_reverse_dnat_check line=1310 msg="in-[port1], out-[port32], skb_flags-02000000, vid-0"
id=65308 trace_id=138 func=iprope_reverse_dnat_tree_check line=926 msg="len=3"
id=65308 trace_id=138 func=__iprope_check_one_reverse_dnat_policy line=1253 msg="checking gnum-100002 policy-4294967295"
id=65308 trace_id=138 func=__iprope_check_one_reverse_dnat_policy line=1253 msg="checking gnum-100002 policy-4294967295"
id=65308 trace_id=138 func=__iprope_check_one_reverse_dnat_policy line=1253 msg="checking gnum-100002 policy-4294967295"
id=65308 trace_id=138 func=fw_forward_handler line=990 msg="Allowed by Policy-901: SNAT"
id=65308 trace_id=138 func=__ip_session_run_tuple line=3389 msg="SNAT 10.14.2.109->10.56.246.54:64504"
id=65308 trace_id=138 func=__ip_session_run_tuple line=3443 msg="run helper-dns-udp(dir=original)"
The last line, run helper-dns-udp(dir=original), shows that the DNS session helper is processing this traffic.
The corresponding entry in diagnose sys session list (a different query than the one traced above, hence the different source port) shows the helper bound to the session in the helper= field:
session info: proto=17 proto_state=01 duration=61 expire=118 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ helper=dns-udp vlan_cos=0/255
state=may_dirty npu
statistic(bytes/packets/allow_err): org=57/1/1 reply=318/1/1 tuples=2
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=15->46/46->15 gwy=10.56.247.254/10.14.2.109
hook=post dir=org act=snat 10.14.2.109:51628->10.56.10.10:53(10.56.246.54:51628)
hook=pre dir=reply act=dnat 10.56.10.10:53->10.56.246.54:51628(10.14.2.109:51628)
misc=0 policy_id=901 pol_uuid_idx=27163 auth_info=0 chk_client_info=0 vd=1
serial=01610ad8 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x4000000
npu info: flag=0x00/0x00, offload=0/0, ips_offload=0/0, epid=0/0, ipid=0/0, vlan=0x0000/0x0000
vlifid=0/0, vtag_in=0x0000/0x0000 in_npu=0/0, out_npu=0/0, fwd_en=0/0, qid=0/0
no_ofld_reason:
ofld_fail_reason(kernel, drv): none/not-established, none(0)/none(0)
npu_state_err=00/04
The npu info line (offload=0/0) and the ofld_fail_reason line (driver reason not-established) show that this session is not offloaded.
Session helper traffic is not offloaded to the NPU/SPU processor; it is processed entirely by the CPU. For the meaning of the offload fields, see:
diagnose sys session list and no_ofld_reason field (NP7 session information)
It is possible to disable the session helper, as described in:
Technical Tip: Enable and disable FortiGate system session helpers
Note:
Even if the DNS session helper is removed, this traffic will still not be offloaded. A DNS exchange over UDP is usually just two packets, the outbound query and the inbound reply (org=57/1/1 reply=318/1/1 in the session above), and the session ends before it reaches the established state the NPU requires for offload (the driver-side ofld_fail_reason above reads not-established). Removing the helper therefore changes nothing about CPU load for DNS; it only removes the helper's inspection of the exchange.
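The two checks above (look for "run helper-dns-udp" in the debug flow, then look at helper= and offload= in the session list) are easy to automate when you have to triage many sessions. The following script is an added example, not part of the original article or of FortiOS. It parses pasted debug flow and diagnose sys session list output with regular expressions and reports, per session, whether a helper is bound, whether the session is NPU-offloaded, and why not. The sample input embeds the lines from this article plus one constructed, offloaded TCP/443 session for contrast; the field values of that second session are assumed, not taken from a device.

```python
import re

# Constructed sample input. The debug flow lines and the first session block are
# copied from this article's output; the second (TCP/443) session is invented to
# show an offloaded session without a helper, and its field values are assumed.
DEBUG_FLOW = """\
id=65308 trace_id=138 func=fw_forward_handler line=990 msg="Allowed by Policy-901: SNAT"
id=65308 trace_id=138 func=__ip_session_run_tuple line=3389 msg="SNAT 10.14.2.109->10.56.246.54:64504"
id=65308 trace_id=138 func=__ip_session_run_tuple line=3443 msg="run helper-dns-udp(dir=original)"
"""

SESSION_LIST = """\
session info: proto=17 proto_state=01 duration=61 expire=118 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
class_id=0 ha_id=0 policy_dir=0 tunnel=/ helper=dns-udp vlan_cos=0/255
statistic(bytes/packets/allow_err): org=57/1/1 reply=318/1/1 tuples=2
hook=post dir=org act=snat 10.14.2.109:51628->10.56.10.10:53(10.56.246.54:51628)
hook=pre dir=reply act=dnat 10.56.10.10:53->10.56.246.54:51628(10.14.2.109:51628)
misc=0 policy_id=901 pol_uuid_idx=27163 auth_info=0 chk_client_info=0 vd=1
npu info: flag=0x00/0x00, offload=0/0, ips_offload=0/0, epid=0/0, ipid=0/0, vlan=0x0000/0x0000
no_ofld_reason:
ofld_fail_reason(kernel, drv): none/not-established, none(0)/none(0)
session info: proto=6 proto_state=01 duration=30 expire=3570 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
statistic(bytes/packets/allow_err): org=1200/10/1 reply=5400/8/1 tuples=2
hook=post dir=org act=snat 10.14.2.109:40000->10.56.10.10:443(10.56.246.54:40000)
hook=pre dir=reply act=dnat 10.56.10.10:443->10.56.246.54:40000(10.14.2.109:40000)
misc=0 policy_id=901 pol_uuid_idx=27163 auth_info=0 chk_client_info=0 vd=1
npu info: flag=0x81/0x81, offload=8/8, ips_offload=0/0, epid=1/1, ipid=1/1, vlan=0x0000/0x0000
no_ofld_reason:
"""

HELPER_RUN_RE = re.compile(r'trace_id=(\d+) .*msg="run helper-([\w-]+)\(dir=(\w+)\)"')
STAT_RE = re.compile(r"statistic\(bytes/packets/allow_err\): org=\d+/(\d+)/\d+ reply=\d+/(\d+)/\d+")
OFFLOAD_RE = re.compile(r"npu info:.*?offload=(\d+)/(\d+)")

def helpers_in_debug_flow(text):
    """Map trace_id -> [(helper, direction)] for every 'run helper-...' line in a debug flow."""
    found = {}
    for m in HELPER_RUN_RE.finditer(text):
        found.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
    return found

def _grab(pattern, text, default=None):
    m = re.search(pattern, text)
    return m.group(1) if m else default

def _parse_block(block):
    """Pull the fields this article relies on out of one 'session info:' block."""
    stat, npu = STAT_RE.search(block), OFFLOAD_RE.search(block)
    policy = _grab(r"\bpolicy_id=(\d+)", block)
    return {
        "proto": int(_grab(r"\bproto=(\d+)", block, "0")),
        "dst_port": int(_grab(r"dir=org act=\w+ \S+->[\d.]+:(\d+)", block, "0")),
        "policy_id": int(policy) if policy else None,
        "helper": _grab(r"\bhelper=(\S+)", block),  # None when no helper is bound
        "org_packets": int(stat.group(1)) if stat else None,
        "reply_packets": int(stat.group(2)) if stat else None,
        "offload": (int(npu.group(1)), int(npu.group(2))) if npu else None,
        # [ \t]* rather than \s*: the value may be empty and must not swallow the next line
        "no_ofld_reason": _grab(r"no_ofld_reason:[ \t]*(.*)", block, "").strip(),
        "ofld_fail_reason": _grab(r"ofld_fail_reason\(kernel, drv\): (\S+),", block),
    }

def parse_session_list(text):
    """Split 'diagnose sys session list' output into one dict per 'session info:' block."""
    blocks, current = [], []
    for line in text.splitlines():
        if line.startswith("session info:") and current:
            blocks.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        blocks.append("\n".join(current))
    return [_parse_block(b) for b in blocks]

def verdict(s):
    """Summarise, in the article's terms, how the FortiGate is treating one session."""
    notes = []
    if s["helper"]:
        notes.append(f"processed by session helper {s['helper']} on the CPU")
    else:
        notes.append("no session helper bound")
    off = "/".join(map(str, s["offload"])) if s["offload"] else "n/a"
    if s["offload"] and s["offload"][0] and s["offload"][1]:
        notes.append(f"offloaded to the NPU (offload={off})")
    else:
        why = s["ofld_fail_reason"] or s["no_ofld_reason"] or "no reason given"
        notes.append(f"not offloaded (offload={off}; reason: {why})")
    if s["org_packets"] is not None and s["org_packets"] + s["reply_packets"] <= 2:
        notes.append("only a query/reply pair so far, too few packets to enter fastpath")
    return notes

if __name__ == "__main__":
    for tid, helpers in helpers_in_debug_flow(DEBUG_FLOW).items():
        print(f"trace_id={tid}: helpers {helpers}")
    for s in parse_session_list(SESSION_LIST):
        print(f"proto={s['proto']} dport={s['dst_port']} policy={s['policy_id']}:", "; ".join(verdict(s)))
```

Feed the script real output by replacing the two constants with text pasted from the CLI (or by reading it from a file); the verdict for the DNS session reproduces the article's conclusion, helper bound and not offloaded with reason none/not-established, while the constructed TCP session shows what an offloaded, helper-free session looks like for comparison.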