FortiGate
nithincs
Staff
Article Id 197321

Description


This article describes how to verify the resolved and unresolved FQDN entries in the FortiGate DNS cache.

Solution


The FortiGate firewall automatically maintains a cache of every IP address that DNS has resolved for the configured FQDN address objects.

To list the FQDN address objects and the IPs they currently resolve to from the CLI, use the following command:


dia firewall fqdn list


For v7.0 and later:


diagnose firewall fqdn list-ip


Output:


aegon-kvm39 # dia firewall fqdn list
List all FQDN:
login.microsoftonline.com: ID(15) ADDR(20.190.175.0) ADDR(40.126.38.16) ADDR(40.126.47.17) ADDR(40.126.38.18) ADDR(40.126.47.18) ADDR(20.190.175.19) ADDR(40.126.38.20) ADDR(20.190.175.20) ADDR(20.190.175.21) ADDR(40.126.47.22) ADDR(20.190.175.22) ADDR(40.126.38.23) ADDR(40.126.38.65) ADDR(20.190.166.65) ADDR(20.190.166.66) ADDR(40.126.38.128) ADDR(20.190.166.129) ADDR(20.190.166.130)
*.google.com: ID(66) ADDR(142.250.194.2) ADDR(142.250.195.8) ADDR(172.217.166.194) ADDR(216.58.196.196)
gmail.com: ID(119) ADDR(74.125.203.17) ADDR(74.125.203.18) ADDR(74.125.203.19) ADDR(74.125.203.83) ADDR(172.217.166.197)
login.microsoft.com: ID(138) ADDR(40.126.13.8) ADDR(40.126.13.9) ADDR(20.190.141.32) ADDR(20.190.141.33) ADDR(20.190.141.34) ADDR(20.190.141.35) ADDR(20.190.141.37) ADDR(20.190.141.38) ADDR(40.126.17.131) ADDR(40.126.17.132) ADDR(40.126.17.133) ADDR(40.126.17.134) ADDR(20.190.145.140) ADDR(20.190.145.141) ADDR(20.190.145.142) ADDR(20.190.145.160)
*.dropbox.com: ID(195)
login.windows.net: ID(199) ADDR(40.126.17.131) ADDR(40.126.17.132) ADDR(40.126.17.133) ADDR(40.126.17.134) ADDR(20.190.145.140) ADDR(20.190.145.141) ADDR(20.190.145.142) ADDR(20.190.145.160)


To filter the list for a specific FQDN address, pipe the output through grep, as in the following example:


aegon-kvm39 # dia firewall fqdn list | grep -A3 "gmail.com"   <----- -A3 also prints the next 3 lines of trailing context after the match.

gmail.com: ID(119) ADDR(74.125.203.17) ADDR(74.125.203.18) ADDR(74.125.203.19) ADDR(74.125.203.83) ADDR(172.217.166.197)
login.microsoft.com: ID(138) ADDR(20.190.175.0) ADDR(40.126.47.17) ADDR(40.126.47.18) ADDR(40.126.47.19) ADDR(20.190.175.19) ADDR(20.190.175.20) ADDR(20.190.175.21) ADDR(20.190.175.23)
*.dropbox.com: ID(195)
login.windows.net: ID(199) ADDR(40.126.13.8) ADDR(40.126.13.9) ADDR(20.190.141.32) ADDR(20.190.141.33) ADDR(20.190.141.34) ADDR(20.190.141.36) ADDR(20.190.141.38) ADDR(20.190.141.39)


To see the TTL of each cached FQDN address, use the following command:


dia test application dnsproxy  6

aegon-kvm39 # dia test application dnsproxy  6

worker idx: 0
vfid=0 name=login.windows.net ver=IPv4 timer running,  min_ttl=69:35, cache_ttl=0 , slot=-1, num=16, wildcard=0
         40.126.38.128 (ttl=74:41:41) 40.126.38.18 (ttl=74:41:41) 20.190.166.66 (ttl=74:41:41) 40.126.38.20 (ttl=74:41:41) 20.190.166.65 (ttl=74:41:41)
         20.190.166.129 (ttl=74:41:41) 20.190.166.130 (ttl=74:41:41) 40.126.38.23 (ttl=74:41:41) 40.126.47.19 (ttl=273:245:245) 20.190.175.21 (ttl=273:245:245) 20.190.175.19 (ttl=273:245:245)
         20.190.175.22 (ttl=273:245:245) 20.190.175.23 (ttl=273:245:245) 40.126.47.18 (ttl=273:245:245) 40.126.47.17 (ttl=273:245:245) 20.190.175.0 (ttl=273:245:245)

40.126.38.128 (ttl=74:41:41)                                   <----- 74 is the actual TTL of the resolved IP and 41 is the expiration time in seconds.