Hi,
A few days ago, we made the update from 6.4.8 to 6.4.9. After this, the FG can't resolve any hostnames.
Ping with FQDN on the FG CLI says "unable to resolve hostname". All rules that use FQDN don't work anymore. If I ping the IP address, the FG is working fine. It can also ping the DNS. We didn't change any other configuration on the FG.
The only thing I did after the update was this, because I couldn't reach the GUI: "set admin-server-cert Fortinet_Factory"
The FG has the same DNS configured as every client in the network, and all clients are working fine!
It is a FG100F. There is nothing special configured: in the DNS settings there is only our DNS server / DC set with its IP. I don't know what to do anymore. I tried to contact support, but for every answer they take about 2 days. I hope the FG community can help a little faster.
Created on 05-27-2022 07:20 AM Edited on 05-28-2022 03:44 PM
Yes, it is a slave DNS server and the server doesn't allow it to fetch the zone.
So, in case you want your FGT to be a slave DNS server for your local domain, just allow it to fetch the DNS zone on your primary DNS server. Otherwise, just unconfigure it as a secondary DNS server.
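To check the condition described in this answer from the primary's side, here is an added example (not from the thread or from Fortinet) that sends a plain A query over UDP/53 and then an AXFR request over TCP/53 and reports the response code; a secondary that is not permitted to fetch the zone typically gets REFUSED. The server address and zone name are constructed placeholders.

```python
import socket
import struct

# Constructed placeholders: point these at your primary DNS server and zone.
DNS_SERVER = "192.0.2.53"
ZONE = "yourdomain.local"
AXFR = 252  # QTYPE for a full zone transfer request
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}

def encode_name(name):
    """Encode a dotted name in DNS wire format (length-prefixed labels)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_query(name, qtype, txid=0x1234):
    """Build a single-question DNS query; flags 0x0100 = recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN

def parse_rcode(resp):
    """Return (rcode name, answer count) from a DNS response header."""
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", resp[:12])
    rcode = flags & 0x000F
    return RCODES.get(rcode, "RCODE%d" % rcode), ancount

def query_udp(name, qtype=1, server=DNS_SERVER, timeout=3.0):
    """Ordinary A lookup over UDP/53, the path a client or the FortiGate uses."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype), (server, 53))
        return parse_rcode(s.recv(4096))

def axfr_tcp(zone, server=DNS_SERVER, timeout=5.0):
    """Ask for the zone over TCP/53; a secondary that is not allowed gets REFUSED."""
    q = build_query(zone, AXFR)
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(q)) + q)      # TCP DNS is length-prefixed
        length = struct.unpack("!H", s.recv(2))[0]
        data = b""
        while len(data) < length:
            chunk = s.recv(length - len(data))
            if not chunk:
                break
            data += chunk
        return parse_rcode(data)

if __name__ == "__main__":
    print("A lookup:", query_udp("somehost." + ZONE))
    print("AXFR of %s:" % ZONE, axfr_tcp(ZONE))
```

If the A lookup returns NOERROR but the AXFR returns REFUSED or NOTAUTH, the primary is answering clients but not permitting the transfer, which matches the situation in the accepted answer.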
Hello,
Please share output of:
show system dns
execute ping <DNS-SERVER-IP>
execute ping <somehost>
execute ping <somehost.yourdomain.xyz>
Hi @FGNoobUser1 ,
In DNS settings, check by only enabling clear-text DNS over UDP port 53. This will most probably resolve the issue.
Have you configured SD-WAN? If yes have you set up the sd-wan rules properly?
Create a new rule to send only the DNS traffic through your best ISP link.
You can also configure what interface must be used for DNS via CLI:
#config sys dns
#set interface-select-method specify
#set interface {interface-name}
Please reply if this doesn't help you out.
Thank you
Still the same problem (sorry, I tried some commands).
With clear-text DNS, do you mean no SSL and no HTTPS DNS? It's deactivated.
How can I delete the interface name for DNS? As it doesn't work, I would like to configure it like it was.
Hi,
You can set the interface select method to auto.
Now please try:
diag sniffer packet any 'host x.y.5.1 and port 53'
Run the same on your DNS server x.y.5.1 on port 53, e.g. if the server is Linux, run something like:
tcpdump -n -i any port 53
On Windows, use Wireshark on port 53 TCP/UDP.
And in a second FGT CLI window, run ping somehost.yourdomain.local
Then share the sniffer & tcpdump logs from both sides.
Hi,
As per the packet flow, the FortiGate will query the DNS server configured in the network settings. The DNS query needs to be sent to the specific DNS server, and the DNS server should provide the DNS response with the IP address mapped to google.com.
Step 1) You can take the packet capture at the FortiGate level to check whether the DNS query is being sent or not:
#diag sniffer packet any 'host a.b.c.d and port 53' 6 0 a, where a.b.c.d is the DNS server IP address.