FGNoobUser1
New Contributor II

FG can't resolve any hostnames - Clients working fine

Hi,

A few days ago, we updated from 6.4.8 to 6.4.9. Since then, the FG can't resolve any hostnames.

Pinging an FQDN from the FG CLI says "unable to resolve hostname". All rules that use FQDNs don't work anymore. If I ping the IP address, the FG works fine. It can also ping the DNS server. We didn't change any other configuration on the FG.

The only thing I did after the update, because I couldn't reach the GUI, was this: "set admin-server-cert Fortinet_Factory"

The FG has the same DNS configured as every client in the network, and all clients are working fine!

It is a FG100F. There is nothing special configured: in the DNS settings only our DNS server / DC is set, by its IP. I don't know what to do anymore. I tried to contact support, but every answer takes about 2 days. I hope the FG community can help a little faster.

FGNoobUser1
New Contributor II

Maybe I got something: as I wrote in my first post, I needed to execute "set admin-server-cert Fortinet_Factory". When I use "get" on the DNS configuration, there is set "ssl_certifate : Fortinet_Factory". Is it possible that this is the reason? Can I delete this without losing the connection to the GUI?

[screenshot attached]

AEK
Honored Contributor

Hi FGN user

In Wireshark, don't apply the filter "ip.src=x.y.5.254", because it doesn't let us see the replies from your DNS server. Instead, apply a filter just for DNS packets (port 53 TCP/UDP).

On the other hand, there is a catch here: as your FGT NATs the clients' requests, we cannot see whether the request is coming from the FGT or from other clients.

AEK
FGNoobUser1
New Contributor II

Hey, thanks for your answer.

I checked every rule. None of the rules that connect to the DC/DNS has NAT configured. So every request coming from X.Y.5.254 should be from the FG (the FG uses this address in the network of our DC/DNS, because the DC/DNS has its own net/VLAN/DMZ).

Or am I wrong?

AEK
Honored Contributor

Don't worry about the certificate, since the last output shows you are not using DNS over SSL.

On the other hand, as I said before, the fact that you use NAT doesn't help the troubleshooting. So can you explain why you are using NAT inside your company from clients to the DNS server? Is it possible to disable it temporarily just for the troubleshooting? If so, disable it, redo the test and share both the Wireshark and diag sniffer traces.

 

AEK
FGNoobUser1
New Contributor II

As I wrote in the post before, connections to the DNS don't use NAT, so they should all use their original IP. The strange thing is, the FG uses our DNS for every external address, but I can't find any requests for internal hosts. I can only find these SOA and AXFR for our domain:

[screenshot attached]

FGNoobUser1

There are some strange entries with "refused AXFR" and the entry above with "SOA.... local". There is the hostname of our DC/DNS, and the .local is our domain, but I don't know what it's doing there.

[screenshot attached]

FGNoobUser1

I also changed ip.dest to ip.src, but there is no difference. Just external addresses.

 

AEK
Honored Contributor

That means your FGT is trying to get a copy of the DNS zone from your DNS server, and the DNS server is refusing. So it seems your FGT is configured as a DNS server, right? So probably your FGT is just sending its DNS queries (for your local domain) to itself.

To confirm, check the output of:

show system dns-server

show system dns-database

 

So in case you want your FGT to be a slave DNS server for your local domain, then just allow it to fetch the DNS zone on your primary DNS server. Otherwise, just unconfigure it as a secondary DNS server.

AEK
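The failure mode AEK describes above (a secondary zone whose AXFR is refused, so the FGT answers local names from a zone it never received instead of forwarding them) can be spotted in a capture summary. The following is an added check, not part of this thread or of FortiOS: a small Python script over constructed tshark-style summary lines that flags a refused zone transfer with no forwarded host lookups for that zone. The addresses, the domain corp.local and the line format are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in a tshark-like summary form (not the thread's screenshots):
# 192.0.2.254 plays the FortiGate's interface facing the DC/DNS at 192.0.2.10,
# corp.local is a placeholder for the local AD domain.
RESOLVER = "192.0.2.254"
SAMPLE_LINES = [
    "192.0.2.254 -> 192.0.2.10 DNS query A www.fortinet.com",
    "192.0.2.10 -> 192.0.2.254 DNS response NOERROR A www.fortinet.com",
    "192.0.2.254 -> 192.0.2.10 DNS query SOA corp.local",
    "192.0.2.10 -> 192.0.2.254 DNS response NOERROR SOA corp.local",
    "192.0.2.254 -> 192.0.2.10 DNS query AXFR corp.local",
    "192.0.2.10 -> 192.0.2.254 DNS response REFUSED AXFR corp.local",
]
# Line shape: "<src> -> <dst> DNS query|response [RCODE] QTYPE NAME"
LINE_RE = re.compile(r"^(\S+) -> (\S+) DNS (query|response)(?: (\w+))? (\w+) (\S+)$")


def analyze(lines, resolver_ip):
    """Per zone the resolver tried to transfer: was AXFR refused, and how many
    A/AAAA lookups under that zone did the resolver still send upstream?"""
    transfers, refused, host_queries = set(), set(), defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        src, dst, kind, rcode, qtype, name = m.groups()
        name = name.rstrip(".").lower()
        if qtype in ("AXFR", "IXFR"):
            if kind == "query" and src == resolver_ip:
                transfers.add(name)
            elif kind == "response" and dst == resolver_ip and rcode == "REFUSED":
                refused.add(name)
        elif kind == "query" and src == resolver_ip and qtype in ("A", "AAAA"):
            host_queries[name] += 1
    findings = {}
    for zone in transfers:
        n = sum(c for h, c in host_queries.items() if h == zone or h.endswith("." + zone))
        findings[zone] = {"transfer_refused": zone in refused, "host_queries_forwarded": n}
    return findings


def diagnose(findings):
    """A refused transfer with zero forwarded host lookups is the thread's failure mode:
    the resolver answers the zone itself from a copy it never received."""
    return [f"{z}: zone transfer refused, no host lookups forwarded upstream; "
            "allow AXFR from this resolver on the primary or remove the secondary zone"
            for z, f in sorted(findings.items())
            if f["transfer_refused"] and f["host_queries_forwarded"] == 0]
```

Run `diagnose(analyze(SAMPLE_LINES, RESOLVER))` to get the one-line verdict for corp.local; feeding it lines where the resolver does forward lookups for names under the zone yields no finding.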
FGNoobUser1
New Contributor II

[screenshots attached]

AEK
Honored Contributor

Yes, it is a slave DNS server, and the server doesn't allow it to fetch the zone.

 

So in case you want your FGT to be a slave DNS server for your local domain, then just allow it to fetch the DNS zone on your primary DNS server. Otherwise, just unconfigure it as a secondary DNS server.

AEK