Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
FGNoobUser1
New Contributor II

FG can't resolve any hostnames - Clients working fine

Hi,

a few days before, we made the Update 6.4.8 to 6.4.9. After this, the FG can't resolve any Hostnames.

Ping with FQDN on FG CLI says "unable to resolve hostname". All rules that use FQDN doesn't work anymore. If I ping the IP-Address the FG is working fine. He also can ping the DNS. We didn't change any other configuration on the FG.

Only thing I did after Update was this, cause I couldn't reach the GUI: "set admin-server-cert Fortinet_Factory"

FG has configured the same DNS like every client in the network and all clients working fine!

It is a FG100F. There is nothing special configured: In DNS-Settings there is only our DNS-Server / DC set with it's IP. I don't know what to do anymore. I tried to contact the support but for every answer they take about 2 days. I hope the FG community can help a little faster.

1 Solution
AEK

Yes it is a slave DNS server and the server doesn't allow it to fetch the zone.

 

So in case you want your FGT to be a slave DNS server for your local domain then just allow it to fetch the DNS zone on your primary DNS server. Otherwise just unconfigure it as secondary DNS server.

AEK

View solution in original post

AEK
21 REPLIES 21
AEK
SuperUser
SuperUser

Hello,

Please share output of:

    show system dns

    execute ping <DNS-SERVER-IP>

    execute ping <somehost>

    execute ping <somehost.yourdomain.xyz>

 

AEK
AEK
FGNoobUser1
New Contributor II

FGNoobUser1_0-1653628929014.png

 

chethan
Contributor

Hi @FGNoobUser1 ,

 

In DNS settings, check by only enabling clear text DNS over (UDP/53) port. This will resolve the issue most probably.

 

Have you configured SD-WAN? If yes have you set up the sd-wan rules properly? 

Create a new rule to send only the DNS traffic through your best ISP link.

 

You can also configure what interface must be used for DNS via CLI:

#config sys dns

#set interface-select-method specify

#set interface {interface-name}

 

Please reply if this doesn't help you out.

 

Thank you

 

 

Chethan
NSE 4
ChethanNSE 4
FGNoobUser1
New Contributor II

Still the same Problem (sorry, i tried some commands)

with clear text dns you mean no-ssl and no-https dns? it's deactivated

 

FGNoobUser1_0-1653634211320.png

 

FGNoobUser1
New Contributor II

How can i delete the interface name for dns? as it doesn't work, i would like to configure it like it was.

 

chethan

Hi,

 

You can set the interface select method to auto.

Chethan
NSE 4
ChethanNSE 4
AEK
SuperUser
SuperUser

Now please try:

diag siffer packet any 'host x.y.5.1 and port 53'

Run the same on your dns server x.y.5.1 on port 53, e.g. if the server is linux, then run something like that:

tcpdump -n -i any port 53

On Windows use Wireshark on port 53 TCP/UDP

 

An on a second FGT CLI window, run ping somehost.yourdomain.local

Then share the sniffer & tcpdump logs from both sides.

AEK
AEK
nageentaj
Staff
Staff

Hi,

As per the packet flow, the Fortigate will query the DNS server which is configured in the network settings, The DNS query need to be sent to the specifc DNS server and the DNS server should provide the DNS response with the mapped ip address to the google.com.
step1) you can take the packet capture at the fortigate level to check if the DNS query is being sent or not.

#diag sniffer packet any 'host a.b.c.d  and port 53' 6 0 a  where a.b.c.d is the DNS server ipaddress.

FGNoobUser1
New Contributor II

 

 

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors