FG can't resolve any hostnames - Clients working fine
Hi,
A few days ago we made the update from 6.4.8 to 6.4.9. After this, the FG can't resolve any hostnames.
Ping with an FQDN on the FG CLI says "unable to resolve hostname". All rules that use FQDNs don't work anymore. If I ping the IP address, the FG is working fine. It can also ping the DNS. We didn't change any other configuration on the FG.
The only thing I did after the update, because I couldn't reach the GUI, was this: "set admin-server-cert Fortinet_Factory"
The FG has the same DNS configured as every client in the network, and all clients are working fine!
It is a FG100F. There is nothing special configured: in the DNS settings there is only our DNS server / DC set with its IP. I don't know what to do anymore. I tried to contact the support, but for every answer they take about 2 days. I hope the FG community can help a little faster.
Created on 05-27-2022 07:20 AM, edited on 05-28-2022 03:44 PM
Yes, it is a slave DNS server, and the server doesn't allow it to fetch the zone.
So in case you want your FGT to be a slave DNS server for your local domain, just allow it to fetch the DNS zone on your primary DNS server. Otherwise, just unconfigure it as a secondary DNS server.
Hello,
Please share the output of:
show system dns
execute ping <DNS-SERVER-IP>
execute ping <somehost>
execute ping <somehost.yourdomain.xyz>
Hi @FGNoobUser1,
In the DNS settings, check by enabling only clear-text DNS over UDP port 53. This will most probably resolve the issue.
Have you configured SD-WAN? If yes, have you set up the SD-WAN rules properly?
Create a new rule to send only the DNS traffic through your best ISP link.
You can also configure which interface must be used for DNS via the CLI:
#config sys dns
#set interface-select-method specify
#set interface {interface-name}
#end
Please reply if this doesn't help you out.
Thank you
NSE 4
Still the same problem (sorry, I tried some commands).
With clear-text DNS you mean no SSL and no HTTPS DNS? It's deactivated.
How can I delete the interface name for DNS? As it doesn't work, I would like to configure it like it was.
Hi,
You can set the interface select method to auto.
NSE 4
Now please try:
diag sniffer packet any 'host x.y.5.1 and port 53'
Run the same on your DNS server x.y.5.1 on port 53, e.g. if the server is Linux, then run something like this:
tcpdump -n -i any port 53
On Windows, use Wireshark on port 53 TCP/UDP.
And in a second FGT CLI window, run ping somehost.yourdomain.local
Then share the sniffer & tcpdump logs from both sides.
Hi,
As per the packet flow, the FortiGate will query the DNS server which is configured in the network settings. The DNS query needs to be sent to the specific DNS server, and the DNS server should provide the DNS response with the mapped IP address for google.com.
Step 1) You can take the packet capture at the FortiGate level to check whether the DNS query is being sent or not.
#diag sniffer packet any 'host a.b.c.d and port 53' 6 0 a where a.b.c.d is the DNS server IP address.
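Added example, not posted by anyone in this thread: a small Python script that checks sniffer output of the kind requested above by correlating outbound DNS queries with inbound answers by source port, so you can see at a glance whether queries leave the FortiGate and whether the server replies. The line format (timestamp, interface, direction, src.port -> dst.port: proto), the DNS server address 10.0.5.1 and the capture lines are all constructed assumptions for the example, not output from this thread.

```python
import re

# Constructed sample of FortiGate sniffer output (verbosity-4 style lines:
# "<timestamp> <iface> <in|out> <src>.<sport> -> <dst>.<dport>: <proto/flags> <len>").
# Addresses and lines are made up for this example; 10.0.5.1 plays the DNS server.
SAMPLE_CAPTURE = """\
2022-05-27 07:20:01.100001 port1 out 10.0.5.99.40001 -> 10.0.5.1.53: udp 37
2022-05-27 07:20:01.100900 port1 in 10.0.5.1.53 -> 10.0.5.99.40001: udp 53
2022-05-27 07:20:03.200001 port1 out 10.0.5.99.40002 -> 10.0.5.1.53: udp 41
2022-05-27 07:20:05.300001 port1 out 10.0.5.99.40003 -> 10.0.5.1.53: udp 41
2022-05-27 07:20:09.400001 port1 out 10.0.5.99.40004 -> 10.0.5.1.53: syn 1234567890
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<iface>\S+) (?P<dir>in|out) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<proto>\S+)"
)


def dns_health(capture: str, dns_server: str) -> dict:
    """Correlate outbound UDP/53 queries with inbound answers by source port.

    Returns the number of queries seen, how many were answered, the source
    ports that never got a reply, and how many TCP/53 connection attempts
    (SYNs) were seen; zone transfers for a slave DNS setup run over TCP/53.
    """
    pending = {}          # source port -> timestamp of an unanswered UDP query
    answered = 0
    tcp_attempts = 0
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue            # skip hex-dump or other non-summary lines
        f = m.groupdict()
        if f["dir"] == "out" and f["dst"] == dns_server and f["dport"] == "53":
            if f["proto"] == "udp":
                pending[f["sport"]] = f["ts"]
            elif f["proto"] == "syn":
                tcp_attempts += 1
        elif f["dir"] == "in" and f["src"] == dns_server and f["sport"] == "53":
            if f["proto"] == "udp" and pending.pop(f["dport"], None) is not None:
                answered += 1
    return {
        "queries": answered + len(pending),
        "answered": answered,
        "unanswered_ports": sorted(pending),
        "tcp_attempts": tcp_attempts,
    }


if __name__ == "__main__":
    print(dns_health(SAMPLE_CAPTURE, "10.0.5.1"))
```

A result with queries but no answers points at the server or the path to it; no queries at all points at the FortiGate's own DNS configuration (for example the interface-select-method setting discussed earlier in the thread).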