Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
TBC
Contributor

DNS Resolving from internal DNS Server over FGT to sub DNS_Server

Hello all,

 

have a very urgent problem.
On the FGT I can resolve DNS names (e.g. mx.dom.com) that I have configured via an external DNS server.
On the internal network we use MS-DNS and there I have entered the FGT as forwarder.
When I try to resolve mx.dom.com from an internal system, it does not work (domain not found).
In MS-DNS Event, I see: The DNS server encountered an invalid domain name in a packet from 192.168.30.9. The packet will be rejected. The event data contains the DNS packet.
192.168.30.9 is the FGT.
Under Network/DNS Server, I have entered the internal port and the port of the external -DNS, optionally Recursive and Forward to System DNS.
In the DNS Database, I have entered the domain mx.dom.com and through which DNS servers I can reach it.

What am I doing wrong?

Thanks in advance

 

TheBob

3 REPLIES 3
Anthony_E
Community Manager
Community Manager

Hello Bob,

 

Thank you for using the Community Forum.

I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

 

Regards,

Anthony-Fortinet Community Team.
tthrilok
Staff
Staff

Hi Bob,

 

I understand you are not able to resolve the domain name when you set DNS forwarder on the MS server to firewall.  You have set the firewall as DNS recursive, but it is still not working.

 

In the DNS Database, I have entered the domain mx.dom.com and through which DNS servers I can reach it.

What am I doing wrong? <<<<<<<<<<<< Could you clarify again, if you are giving the domain IP in the database of server IP which resolves the IP to the domain.

 

We would recommend to remove the database entry, and run the below debugs:

 

di de reset

di de app dnsproxy -1
di de en


Please do the query to your domain, once you see the error, please stop the debug using:

 

di de di

di de reset

 

Please also share the output of the command:

 

dia test application dnsproxy 7

 

Thank you!

TBC
Contributor

Hello tthrilok,

many thanks for replay!

Now it works, but it takes some hour, maybe it was a dns-timer.

But I have still the error messages on Domain Controller, "The DNS server encountered an invalid domain name in a packet from 192.168.30.9. The packet will be rejected. The event data contains the DNS packet."

 

I have now from FGT to intern DC in a Recursive Mode and for the other interface using the external DNS-Server Forward to System DNS.

On DNS-Database I have for the external System the IP of external DNS and for internal DNS our DC-DNS Server.

It's working now, but didn't know how to solve the error message.

 

Many thanks for helping!

Bob

 

Labels
Top Kudoed Authors