Fortinet Forum
FGNoobUser1
New Contributor II

FG can't resolve any hostnames - Clients working fine

Hi,

A few days ago, we updated from 6.4.8 to 6.4.9. Since then, the FG can't resolve any hostnames.

Ping with an FQDN on the FG CLI says "unable to resolve hostname". All rules that use FQDNs don't work anymore. If I ping the IP address, the FG works fine. It can also ping the DNS server. We didn't change any other configuration on the FG.

The only thing I did after the update was this, because I couldn't reach the GUI: "set admin-server-cert Fortinet_Factory"

The FG has the same DNS configured as every client in the network, and all clients are working fine!

It is a FG100F. Nothing special is configured: in the DNS settings there is only our DNS server / DC set with its IP. I don't know what to do anymore. I tried to contact support, but every answer takes about 2 days. I hope the FG community can help a little faster.

1 Solution
AEK

Yes, it is a slave DNS server, and the server doesn't allow it to fetch the zone.

 

So, if you want your FGT to be a slave DNS server for your local domain, just allow it to fetch the DNS zone on your primary DNS server. Otherwise, just unconfigure it as a secondary DNS server.


21 Replies
AEK
Contributor II

Hello,

Please share output of:

    show system dns

    execute ping <DNS-SERVER-IP>

    execute ping <somehost>

    execute ping <somehost.yourdomain.xyz>

 

FGNoobUser1
New Contributor II

[attached screenshot: FGNoobUser1_0-1653628929014.png]

 

chethan
Contributor

Hi @FGNoobUser1 ,

 

In the DNS settings, check by enabling only clear-text DNS (UDP port 53). This will most probably resolve the issue.

 

Have you configured SD-WAN? If yes, have you set up the SD-WAN rules properly?

Create a new rule to send only the DNS traffic through your best ISP link.

 

You can also configure which interface must be used for DNS via the CLI:

    config sys dns
        set interface-select-method specify
        set interface {interface-name}
    end

 

Please reply if this doesn't help you out.

 

Thank you

 

 

Chethan
NSE 4
FGNoobUser1
New Contributor II

Still the same problem (sorry, I tried some commands).

By clear-text DNS, do you mean no SSL and no HTTPS DNS? It's deactivated.

 

[attached screenshot: FGNoobUser1_0-1653634211320.png]

 

FGNoobUser1
New Contributor II

How can I delete the interface name for DNS? As it doesn't work, I would like to configure it like it was.

 

chethan

Hi,

 

You can set the interface select method to auto.

Chethan
NSE 4
AEK
Contributor II

Now please try:

    diag sniffer packet any 'host x.y.5.1 and port 53'

Run the same on your DNS server x.y.5.1 on port 53, e.g. if the server is Linux, run something like this:

    tcpdump -n -i any port 53

On Windows, use Wireshark with a filter on port 53 TCP/UDP.

And in a second FGT CLI window, run:

    execute ping somehost.yourdomain.local

Then share the sniffer & tcpdump logs from both sides.

nageentaj
Staff

Hi,

As per the packet flow, the FortiGate will query the DNS server configured in the network settings. The DNS query needs to be sent to the specific DNS server, and the DNS server should provide the DNS response with the IP address mapped to google.com.

Step 1) You can take a packet capture at the FortiGate level to check whether the DNS query is being sent or not:

    diag sniffer packet any 'host a.b.c.d and port 53' 6 0 a

where a.b.c.d is the DNS server IP address.
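The two replies above both come down to the same question: does a DNS query leave the FortiGate, and does an answer come back? The script below is an added example, not code from the thread or from Fortinet. It parses the packet summary lines of a `diag sniffer packet` capture, pairs each outbound query to the DNS server with the matching inbound reply (same client IP and source port, within a timeout), and classifies the capture as "no-query", "no-response", "partial" or "ok". The sample capture is constructed; its line layout (time, interface, direction, src.port -> dst.port: proto len) approximates the sniffer's summary lines and may differ in detail from a real capture, so adjust `LINE_RE` if your output looks different.

```python
"""Correlate DNS queries and replies in FortiGate sniffer output (added example)."""
import re

# Constructed sample capture: the FortiGate (10.0.1.1) queries DNS server 10.0.5.1.
# Two queries get replies; the one from source port 50232 never does.
SAMPLE_SNIFFER = """\
interfaces=[any]
filters=[host 10.0.5.1 and port 53]
1.101245 port1 out 10.0.1.1.50231 -> 10.0.5.1.53: udp 41
1.102011 port1 in 10.0.5.1.53 -> 10.0.1.1.50231: udp 57
2.204512 port1 out 10.0.1.1.50232 -> 10.0.5.1.53: udp 45
4.310007 port1 out 10.0.1.1.50233 -> 10.0.5.1.53: udp 45
4.310900 port1 in 10.0.5.1.53 -> 10.0.1.1.50233: udp 61
"""

# Approximation of a sniffer summary line; header lines (interfaces=, filters=) do not match.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<proto>udp|tcp)\s+(?P<len>\d+)"
)


def parse_sniffer(text):
    """Return one dict per packet summary line; anything else is skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = float(d["ts"])
        for key in ("sport", "dport", "len"):
            d[key] = int(d[key])
        pkts.append(d)
    return pkts


def correlate_dns(pkts, server_ip, timeout=2.0):
    """Pair each query sent to server_ip:53 with the first reply from server_ip:53
    back to the same client IP and port within `timeout` seconds.
    Returns (answered, unanswered) lists of query packets."""
    replies = [p for p in pkts if p["src"] == server_ip and p["sport"] == 53]
    answered, unanswered = [], []
    for q in pkts:
        if not (q["dst"] == server_ip and q["dport"] == 53):
            continue
        hit = next(
            (r for r in replies
             if r["dst"] == q["src"] and r["dport"] == q["sport"]
             and 0 <= r["ts"] - q["ts"] <= timeout),
            None,
        )
        (answered if hit else unanswered).append(q)
    return answered, unanswered


def diagnose(text, server_ip):
    """Map a capture to the cases a troubleshooter cares about.

    no-query    : the FortiGate never sent a query (DNS / interface settings)
    no-response : queries leave but nothing returns (path, server, filtering)
    partial     : some queries answered, some not (intermittent loss or timeouts)
    ok          : every query got a reply (then inspect the reply RCODE)
    """
    answered, unanswered = correlate_dns(parse_sniffer(text), server_ip)
    if not answered and not unanswered:
        return "no-query"
    if unanswered and not answered:
        return "no-response"
    if unanswered:
        return "partial"
    return "ok"


if __name__ == "__main__":
    verdict = diagnose(SAMPLE_SNIFFER, "10.0.5.1")
    _, missing = correlate_dns(parse_sniffer(SAMPLE_SNIFFER), "10.0.5.1")
    print("verdict:", verdict)
    for q in missing:
        print(f"unanswered query at t={q['ts']} from {q['src']}:{q['sport']}")
```

A reply being present only tells you the server is reachable and answering on port 53; a NXDOMAIN, SERVFAIL or REFUSED response still shows up as a packet. To see the RCODE you need the payload, which the verbosity-6 capture from the reply above includes as a hex dump, or the tcpdump/Wireshark view on the server side.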

FGNoobUser1
New Contributor II