Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Nicklebon
New Contributor

DNS Database CNAME entries

We are testing DNS on a FGT 201E running FOSv6.0.8 and having issues with incorrect behaviour with CNAME entries. I am not finding a lot of discussion anywhere on FGT DNS, which leaves me to believe this is likely not a well-used feature.


Incorrect response from FGT:

> mail.sample.com

Server:   destiny.sample.com
Address:  xxx.xxx.xxx.1

Name:     mail.sample.com


Correct response from bind server:

> mail.sample.com

Server:   matthew.sample.com
Address:  xxx.xxx.xxx.11

Name:       ghs.google.com
Addresses:  2xxx:xxxx:xxx4:xxx::2013
            xxx.xxx.xxx.xx3
Aliases:    mail.sample.com


Packet captures show that the FGT is returning the CNAME of ghs.google.com but it is not resolved, whereas bind returns the CNAME and the IPs.


FGT:

Protocol  Length  Info
DNS       79      Standard query 0x0059 A mail.sample.com
DNS       104     Standard query response 0x0059 A mail.sample.com CNAME ghs.google.com
DNS       79      Standard query 0x005a AAAA mail.sample.com
DNS       104     Standard query response 0x005a AAAA mail.sample.com CNAME ghs.google.com


Bind:

Protocol  Length  Info
DNS       76      Standard query 0x0066 A mail.sample.com
DNS       117     Standard query response 0x0066 A mail.sample.com CNAME ghs.google.com A xxx.xxx.xxx.xx3
DNS       76      Standard query 0x0067 AAAA mail.sample.com
DNS       129     Standard query response 0x0067 AAAA mail.sample.com CNAME ghs.google.com AAAA 2xxx:xxxx:xxx4:xxx::2013


Any thoughts other than don't use CNAMEs?


Thanks
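A small check for the difference the captures above show (an added example, not code from the thread or from Fortinet): it builds two constructed replies for mail.sample.com, one carrying only the CNAME as in the FGT capture and one carrying CNAME plus A as in the bind capture, then parses them with a minimal wire-format reader that reports whether the CNAME chain actually ends in a record of the queried type. The address 203.0.113.3, the transaction id and the TTL are constructed placeholders; only the standard library is used.

```python
import socket
import struct
A, CNAME = 1, 5
QNAME, TARGET = "mail.sample.com", "ghs.google.com"   # names from the thread

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def build_reply(qtype, answers):   # answers = [(owner_wire, rtype, rdata)]
    msg = struct.pack("!6H", 0x0059, 0x8180, 1, len(answers), 0, 0)   # id, flags QR|RD|RA, counts
    msg += encode_name(QNAME) + struct.pack("!HH", qtype, 1)
    for owner, rtype, rdata in answers:
        msg += owner + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return msg

ALIAS = (b"\xc0\x0c", CNAME, encode_name(TARGET))   # owner is a compression pointer to offset 12 (the question name)
FGT_STYLE = build_reply(A, [ALIAS])                                                   # alias only
BIND_STYLE = build_reply(A, [ALIAS, (encode_name(TARGET), A, socket.inet_aton("203.0.113.3"))])  # alias + A (constructed IP)

def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, end = [], None
    while msg[off]:
        if msg[off] & 0xC0:                       # pointer: jump, but resume after its 2 bytes
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
        else:
            labels.append(msg[off + 1:off + 1 + msg[off]].decode("ascii"))
            off += 1 + msg[off]
    return ".".join(labels).lower(), (off + 1 if end is None else end)

def cname_chain_resolved(msg):
    """Follow CNAMEs from the question name; True only if the chain ends in a record of the queried type."""
    qname, off = read_name(msg, 12)
    qtype, off = struct.unpack("!H", msg[off:off + 2])[0], off + 4   # read qtype, skip qtype+qclass
    rrs = []                                      # (owner, rtype, rdata offset)
    for _ in range(struct.unpack("!H", msg[6:8])[0]):             # ANCOUNT answers
        owner, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rrs.append((owner, rtype, off + 10))
        off += 10 + rdlen
    cur, seen = qname, set()
    while cur not in seen and not any(o == cur and t == qtype for o, t, _ in rrs):
        seen.add(cur)                             # revisiting a name would mean a CNAME loop
        nxt = [read_name(msg, r)[0] for o, t, r in rrs if o == cur and t == CNAME]
        if not nxt:                               # alias left dangling, as in the FGT capture
            return False
        cur = nxt[0]
    return cur not in seen                        # True only when a record of the queried type was found
```

Pointing the same parser at real replies captured from the FGT and from bind (for example by saving the UDP payloads from the packet capture) shows the same split: the FGT-style payload returns False, the bind-style payload returns True.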

rwpatterson
Valued Contributor III

I see that they resolve to different IP addresses. Are you sure something wasn't fat-fingered?

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Nicklebon

I'm not sure what you're talking about, other than perhaps the fact that I am using two different name servers: destiny and matthew, .1 and .11, FGT and bind. Nothing has been fat-fingered. The FGT is not resolving the CNAME as it should be, as evidenced in the packet capture.

Nicklebon

So no one is using CNAME then? Guess I'll try running this up the official channels then.

Nicklebon

Updating this, though it seems no one cares. My most excellent and awesome FortiCrew offered to test this on some 6.2.x FGTs in their lab. This made me realize I could test it very quickly with a 6.2.2 box I had on the same network here. Sixty or so seconds later we know CNAME entries work as expected on 6.2.2. Looks like a possible 6.0.8 bug. They are looking into it.
