nithincs
Staff & Editor
Article Id 335229
Description This article describes how to verify and troubleshoot FortiGate as a DNS server with the forward-only option.
Scope FortiGate.
Solution

FortiGate can host a DNS server with the Forward to System DNS option (forward-only mode). In this mode the FortiGate receives the client's DNS query and forwards it to its own system DNS servers; when the response comes back, the FortiGate applies the DNS filter profile and takes the configured action before answering the client.

Follow the steps below to validate the FortiGate DNS server service and the dnsfilter configuration.

1. Verify the DNS servers configured on the FortiGate:

config system dns
set primary 8.8.8.8
set secondary 4.2.2.2
end

2. Verify the DNS server latency. High latency to a system DNS server increases the time end clients take to resolve names, because every forwarded query waits on that server's response:

diagnose test application dnsproxy

worker idx: 0
worker: count=1 idx=0
retry_interval=500 query_timeout=1495
DNS latency info:
vfid=0 server=4.2.2.2 latency=10 updated=5343 <<<<<<<<
vfid=0 server=8.8.8.8 latency=1 updated=5341
SDNS latency info:
DNS_CACHE: alloc=11, hit=584
RATING_CACHE: alloc=0, hit=0
DNS query: alloc=0
DNS UDP: req=5094 res=5058 fwd=4513 cmp=25 retrans=39 to=0
cur=77 switched=10143236 num_switched=44
v6_cur=0 v6_switched=0 num_v6_switched=0
DNS FTGD: ftg_fwd=0, ftg_res=0, ftg_retrans=0
DNS TCP: req=0, res=0, fwd=0, retrans=0, to=0

DNS TCP connections:

DNS UNIX streams: cfd=35
FQDN: alloc=7 nl_write_cnt=2712 nl_send_cnt=2857 nl_cur_cnt=0
Botnet: searched=0 hit=0
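To make the latency check in step 2 repeatable, the following script parses output in the shape of `diagnose test application dnsproxy` shown above and flags slow system DNS servers together with the UDP forwarding counters. This is an added example, not Fortinet code or part of the original article; the sample output is constructed, the latency threshold is an assumption, and the reading of the counter names (req, res, retrans, to as requests, responses, retransmits and timeouts) is this example's interpretation.

```python
import re

# Constructed sample in the shape of `diagnose test application dnsproxy`
# output shown in this article; values are illustrative, not from a live unit.
SAMPLE_DNSPROXY_OUTPUT = """\
worker idx: 0
worker: count=1 idx=0
retry_interval=500 query_timeout=1495
DNS latency info:
vfid=0 server=4.2.2.2 latency=10 updated=5343
vfid=0 server=8.8.8.8 latency=1 updated=5341
SDNS latency info:
DNS_CACHE: alloc=11, hit=584
RATING_CACHE: alloc=0, hit=0
DNS query: alloc=0
DNS UDP: req=5094 res=5058 fwd=4513 cmp=25 retrans=39 to=0
cur=77 switched=10143236 num_switched=44
DNS TCP: req=0, res=0, fwd=0, retrans=0, to=0
"""

LATENCY_RE = re.compile(r"^vfid=(\d+)\s+server=(\S+)\s+latency=(\d+)\s+updated=(\d+)")
COUNTER_RE = re.compile(r"(\w+)=(\d+)")


def parse_latency(output):
    """Return one dict per server from the 'DNS latency info' section."""
    servers = []
    in_section = False
    for line in output.splitlines():
        if line.startswith("DNS latency info:"):
            in_section = True
            continue
        if line.startswith("SDNS latency info:"):
            break  # end of the per-server latency block
        m = LATENCY_RE.match(line) if in_section else None
        if m:
            servers.append({
                "vdom": int(m.group(1)),
                "server": m.group(2),
                "latency": int(m.group(3)),   # unit as reported by FortiOS
                "updated": int(m.group(4)),
            })
    return servers


def parse_counters(output, prefix="DNS UDP:"):
    """Return the name=value counters found on the line starting with `prefix`."""
    for line in output.splitlines():
        if line.startswith(prefix):
            return {k: int(v) for k, v in COUNTER_RE.findall(line[len(prefix):])}
    return {}


def assess(output, latency_threshold=5):
    """Flag slow system DNS servers and summarise UDP forwarding health.

    The threshold is an assumption for this example; choose one that matches
    the resolution delay your clients tolerate.
    """
    servers = parse_latency(output)
    udp = parse_counters(output, "DNS UDP:")
    slow = [s["server"] for s in servers if s["latency"] > latency_threshold]
    req = udp.get("req", 0)
    return {
        "servers": servers,
        "slow_servers": slow,
        "unanswered": req - udp.get("res", 0),          # requests without a response so far
        "retrans_ratio": (udp.get("retrans", 0) / req) if req else 0.0,
        "timeouts": udp.get("to", 0),
    }


if __name__ == "__main__":
    result = assess(SAMPLE_DNSPROXY_OUTPUT)
    for s in result["servers"]:
        flag = "SLOW" if s["server"] in result["slow_servers"] else "ok"
        print(f"{s['server']:<16} latency={s['latency']:<4} {flag}")
    print(f"unanswered={result['unanswered']} "
          f"retrans_ratio={result['retrans_ratio']:.4f} timeouts={result['timeouts']}")
```

Feed it the real command output (for example, saved from the CLI session) instead of the constructed sample; a server that is consistently flagged, or a rising retransmit ratio, is the signal that the upstream resolver rather than the FortiGate configuration is the bottleneck.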

3. Make sure the interface on which the DNS traffic ingresses is configured under dns-server; the FortiGate only listens for DNS on interfaces listed there:

show full system dns-server | grep -n <interface name>

Example:

show full system dns-server | grep -n port3

2: edit "port3"

4. The DNS server IP configured on the end client machines must be one of the FortiGate's interface IPs. A secondary IP is acceptable as well. List the interface addresses with:

diagnose ip address list
IP=172.29.18.91->172.29.18.91/255.255.192.0 index=5 devname=port3
IP=172.30.18.91->172.30.18.91/255.255.192.0 index=6 devname=port4


5. If the DNS traffic ingresses on one FortiGate interface but the destination IP of the query belongs to a different interface, a firewall policy between those two interfaces is required. Without it, the debug flow shows the packet dropped at the local-in check on policy 0:

# id=20085 trace_id=11 func=print_pkt_detail line=5938 msg="vd-root:0 received a packet(proto=17, 172.29.18.93:57938->172.30.18.91:53) tun_id=0.0.0.0 from port3 "
id=20085 trace_id=11 func=init_ip_session_common line=6118 msg="allocate a new session-0f560f94, tun_id=0.0.0.0"
id=20085 trace_id=11 func=__vf_ip_route_input_rcu line=1999 msg="find a route: flag=80000000 gw-172.30.18.91 via root"
id=20085 trace_id=11 func=fw_local_in_handler line=506 msg="iprope_in_check() check failed on policy 0, drop"

If the policy exists, the debug flow shows the session accepted and handed to the DNS helper, as in the example below.


config firewall policy
edit 1
set name "dns"
set uuid 3b2eebb6-5fd0-51ef-e636-6e10eadad162
set srcintf "port3" "port4"
set dstintf "port3" "port4"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
next
end

# id=65308 trace_id=1 func=print_pkt_detail line=5888 msg="vd-root:0 received a packet(proto=17, 172.29.18.93:64526->172.30.18.91:53) tun_id=0.0.0.0 from port3. "
id=65308 trace_id=1 func=init_ip_session_common line=6073 msg="allocate a new session-00462636"
id=65308 trace_id=1 func=__vf_ip_route_input_rcu line=1999 msg="find a route: flag=80000000 gw-0.0.0.0 via root"
id=65308 trace_id=1 func=__iprope_tree_check line=535 msg="gnum-100004, use addr/intf hash, len=3"
id=65308 trace_id=1 func=ip_session_confirm_final line=3111 msg="npu_state=0x0, hook=1"
id=65308 trace_id=1 func=__ip_session_run_tuple line=3498 msg="run helper-dns-udp(dir=original)"
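Steps 4 and 5 can be checked together by reading the `diagnose ip address list` output and a debug flow trace side by side: which interface owns the destination IP, whether that differs from the ingress interface (so a policy is needed), and whether the trace ended in the local-in drop or in the dnsproxy helper. The following script does that; it is an added example, not Fortinet code or part of the original article, and the address list and both traces embedded in it are constructed samples in the shape shown above.

```python
import re

# Constructed sample of `diagnose ip address list`, same shape as the article.
ADDR_LIST = """\
IP=172.29.18.91->172.29.18.91/255.255.192.0 index=5 devname=port3
IP=172.30.18.91->172.30.18.91/255.255.192.0 index=6 devname=port4
"""

# Constructed debug flow traces in the shape shown in the article:
# the first is the 'no policy' drop, the second the accepted session.
TRACE_DROP = """\
id=20085 trace_id=11 func=print_pkt_detail line=5938 msg="vd-root:0 received a packet(proto=17, 172.29.18.93:57938->172.30.18.91:53) tun_id=0.0.0.0 from port3 "
id=20085 trace_id=11 func=init_ip_session_common line=6118 msg="allocate a new session-0f560f94, tun_id=0.0.0.0"
id=20085 trace_id=11 func=__vf_ip_route_input_rcu line=1999 msg="find a route: flag=80000000 gw-172.30.18.91 via root"
id=20085 trace_id=11 func=fw_local_in_handler line=506 msg="iprope_in_check() check failed on policy 0, drop"
"""

TRACE_OK = """\
id=65308 trace_id=1 func=print_pkt_detail line=5888 msg="vd-root:0 received a packet(proto=17, 172.29.18.93:64526->172.30.18.91:53) tun_id=0.0.0.0 from port3. "
id=65308 trace_id=1 func=init_ip_session_common line=6073 msg="allocate a new session-00462636"
id=65308 trace_id=1 func=__iprope_tree_check line=535 msg="gnum-100004, use addr/intf hash, len=3"
id=65308 trace_id=1 func=__ip_session_run_tuple line=3498 msg="run helper-dns-udp(dir=original)"
"""

ADDR_RE = re.compile(r"^IP=(\S+)->\S+\s+index=\d+\s+devname=(\S+)")
PKT_RE = re.compile(r"received a packet\(proto=(\d+), (\S+):(\d+)->(\S+):(\d+)\).*?from (\w+)")
DROP_RE = re.compile(r"check failed on policy (\d+), drop")


def interface_addresses(addr_list):
    """Map every FortiGate interface IP (primary or secondary) to its interface name."""
    return {m.group(1): m.group(2)
            for m in (ADDR_RE.match(l) for l in addr_list.splitlines()) if m}


def analyse_dns_trace(addr_list, trace):
    """Classify one debug flow trace of a client DNS query sent to the FortiGate."""
    addrs = interface_addresses(addr_list)
    v = {"ingress": None, "dst_ip": None, "dst_port": None, "dst_intf": None,
         "needs_policy": False, "dropped": False, "drop_policy": None,
         "accepted": False, "verdict": "no packet line found"}
    for line in trace.splitlines():
        m = PKT_RE.search(line)
        if m:  # packet header line: destination IP/port and ingress interface
            v["dst_ip"], v["dst_port"], v["ingress"] = m.group(4), int(m.group(5)), m.group(6)
            v["dst_intf"] = addrs.get(v["dst_ip"])
        m = DROP_RE.search(line)
        if m:  # local-in check failed; policy 0 means no matching policy
            v["dropped"], v["drop_policy"] = True, int(m.group(1))
        if "run helper-dns-udp" in line:  # session reached the dnsproxy helper
            v["accepted"] = True
    if v["dst_ip"] is None:
        return v
    if v["dst_port"] != 53:
        v["verdict"] = "not a DNS query (destination port is not 53)"
    elif v["dst_intf"] is None:
        v["verdict"] = ("destination IP is not a FortiGate interface address: "
                        "fix the client's DNS server setting (step 4)")
    elif v["dst_intf"] != v["ingress"]:
        v["needs_policy"] = True
        if v["dropped"]:
            v["verdict"] = (f"dropped at local-in (policy {v['drop_policy']}): add a firewall "
                            f"policy from {v['ingress']} to {v['dst_intf']} (step 5)")
        elif v["accepted"]:
            v["verdict"] = (f"accepted through the {v['ingress']} -> {v['dst_intf']} policy "
                            "and handed to the dnsproxy helper")
        else:
            v["verdict"] = "cross-interface query; outcome not visible in this trace"
    else:
        outcome = "accepted" if v["accepted"] else "dropped" if v["dropped"] else "outcome not in trace"
        v["verdict"] = f"query to the ingress interface's own address: {outcome}"
    return v


if __name__ == "__main__":
    for name, trace in (("drop", TRACE_DROP), ("ok", TRACE_OK)):
        print(name, "->", analyse_dns_trace(ADDR_LIST, trace)["verdict"])
```

Paste the live `diagnose debug flow` output in place of the constructed traces; the verdict string tells you which step of this article the failure maps to, which is usually faster than reading the trace by eye when many trace_ids are interleaved.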


6. If all of the above checks out, enable the following debugs and capture the live output at the time of the issue. Open two CLI sessions so that the DNS packet capture and the dnsproxy debug run simultaneously:

  • PuTTY1:

diagnose sniffer packet any "(host <client pc ip> and port 53) or ((host <fortigate primary dns ip> or host <fortigate secondary dns ip>) and port 53)" 6 0 l

  • PuTTY2:

diagnose debug reset
diagnose debug console timestamp en
diagnose debug application dnsproxy -1
diagnose debug enable

With the debug running, initiate an nslookup or DNS probe from the client IP. Then run the following commands to stop the debug:

diagnose debug disable
diagnose debug reset

Create a FortiCare Support Ticket for further assistance. When creating the ticket, include all the information collected in steps 1 to 5 along with the output of both PuTTY sessions.