Hi,
A few days ago we did the update from 6.4.8 to 6.4.9. After this, the FG can't resolve any hostnames.
Ping with an FQDN on the FG CLI says "unable to resolve hostname". All rules that use FQDNs don't work anymore. If I ping the IP address, the FG is working fine. It can also ping the DNS. We didn't change any other configuration on the FG.
The only thing I did after the update was this, because I couldn't reach the GUI: "set admin-server-cert Fortinet_Factory"
The FG has the same DNS configured as every client in the network, and all clients are working fine!
It is a FG100F. There is nothing special configured: in the DNS settings there is only our DNS server / DC set with its IP. I don't know what to do anymore. I tried to contact support, but for every answer they take about 2 days. I hope the FG community can help a little faster.
Maybe I got something: as I wrote in my first post, I needed to execute "set admin-server-cert Fortinet_Factory". When I use "get" on the DNS configuration, it shows "ssl_certificate : Fortinet_Factory". Is it possible that this is the reason? Can I delete this without losing the connection to the GUI?
Hi FGN user
In Wireshark, don't apply the filter "ip.src=x.y.5.254", because it doesn't let us see the replies from your DNS server. Instead apply a filter just for DNS packets (port 53 TCP/UDP).
On the other hand there is a trick here: as your FGT NATs the clients' requests, we cannot see if the request is coming from the FGT or from other clients.
Hey, thanks for your answer.
I checked every rule. None of the rules that connect to the DC/DNS have NAT configured. So every request coming from X.Y.5.254 should be the FG (the FG is using this address in the network of our DC/DNS, because the DC/DNS has its own net/VLAN/DMZ).
Or am I wrong?
Don't worry about the certificate, since the last output shows you are not using DNS over SSL.
On the other hand, as I said before, the fact that you use NAT doesn't help the troubleshooting. So can you explain why you are using NAT inside your company from clients to the DNS server? Is it possible to disable it temporarily just for the troubleshooting? If so, then disable it, redo the test and share both the Wireshark and diag sniffer traces.
As I wrote in the post before, connections to the DNS don't use NAT, so they all should use their original IP. The strange thing is, the FG uses our DNS for every external address, but I can't find any requests for internal hosts. I can only find these SOA and AXFR with our domain:
There are some strange entries with "refused AXFR" and the entry above with "SOA.... local". There is the hostname of our DC/DNS, and the .local is our domain, but I don't know what it's doing there.
I also changed ip.dest to ip.src, but there is no difference, just external addresses.
That means your FGT is trying to get a copy of the DNS zone from your DNS server, and the DNS server is refusing. So it seems your FGT is configured as a DNS server, right? So probably your FGT is just sending its DNS queries (for your local domain) to itself.
To confirm check the output of:
show system dns-server
show system dns-database
So in case you want your FGT to be a slave DNS server for your local domain, then just allow it to fetch the DNS zone on your primary DNS server. Otherwise just unconfigure it as a secondary DNS server.
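The diagnosis above can be confirmed from the capture itself rather than by eye in Wireshark. The following is an added example, not code from this thread or from Fortinet: a minimal DNS message parser that walks the port 53 payloads, pairs each response with its query by transaction ID, and flags an AXFR answered with RCODE REFUSED, which is the "refused AXFR" line the poster saw. The capture, the zone name corp.local, the transaction IDs and the host names are constructed for the example; only the header and question section are decoded, so answer records are ignored.

```python
import struct

# QTYPE and RCODE values from RFC 1035 (AXFR = 252 per RFC 5936); only the ones needed here.
QTYPE_NAMES = {1: "A", 6: "SOA", 252: "AXFR"}
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
QR_BIT = 0x8000  # header flag bit that marks a response


def encode_name(name):
    """Encode a dotted host name into DNS label format (no compression)."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(data, offset):
    """Decode labels starting at offset; returns (name, offset just after the name)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            return ".".join(labels) + ".", offset
        if length & 0xC0:
            # Compression pointers only occur in answer sections, which this parser does not read.
            raise ValueError("compression pointer in question name")
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def build_message(txid, qname, qtype, response=False, rcode=0):
    """Build a DNS message with one question and no resource records (enough for the check)."""
    flags = (QR_BIT if response else 0) | (rcode & 0xF)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)  # QCLASS IN


def parse_message(data):
    """Parse the header and question section of a DNS message into a dict."""
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, offset = decode_name(data, 12)
    qtype, _qclass = struct.unpack("!HH", data[offset:offset + 4])
    return {
        "id": txid,
        "is_response": bool(flags & QR_BIT),
        "rcode": RCODE_NAMES.get(flags & 0xF, str(flags & 0xF)),
        "qname": qname,
        "qtype": QTYPE_NAMES.get(qtype, str(qtype)),
    }


def find_refused_transfers(messages):
    """Pair responses with their queries by transaction ID and report refused zone transfers."""
    pending = {}
    findings = []
    for raw in messages:
        msg = parse_message(raw)
        if not msg["is_response"]:
            pending[msg["id"]] = msg
            continue
        query = pending.pop(msg["id"], None)
        if query is not None and query["qtype"] == "AXFR" and msg["rcode"] == "REFUSED":
            findings.append("zone transfer for %s refused by primary" % msg["qname"])
    return findings


# Constructed capture: DNS payloads only (UDP for SOA and A; the AXFR runs over TCP, so its
# 2-byte length prefix has already been stripped). Transaction IDs are arbitrary.
SAMPLE_CAPTURE = [
    build_message(0x1A2B, "corp.local", 6),                            # FGT: SOA serial check
    build_message(0x1A2B, "corp.local", 6, response=True),             # primary: NOERROR
    build_message(0x1A2C, "corp.local", 252),                          # FGT: AXFR request
    build_message(0x1A2C, "corp.local", 252, response=True, rcode=5),  # primary: REFUSED
    build_message(0x1A2D, "www.fortinet.com", 1),                      # external lookup forwarded
    build_message(0x1A2D, "www.fortinet.com", 1, response=True),       # answered normally
]

if __name__ == "__main__":
    for line in find_refused_transfers(SAMPLE_CAPTURE):
        print(line)
```

On a real capture you would feed the function the DNS payloads extracted from the port 53 packets instead of the constructed list. The sample also illustrates why the poster found no queries for internal hosts: a FortiGate holding a secondary copy of the zone answers those itself, so only the SOA/AXFR exchange and the external lookups reach the DC. If you keep the secondary zone and allow the transfer on the primary, restrict it to the FortiGate's address rather than permitting AXFR from any client, because a full zone transfer hands out every internal host name.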
Created on 05-27-2022 07:20 AM Edited on 05-28-2022 03:44 PM
Yes, it is a slave DNS server and the server doesn't allow it to fetch the zone.
So in case you want your FGT to be a slave DNS server for your local domain, then just allow it to fetch the DNS zone on your primary DNS server. Otherwise just unconfigure it as a secondary DNS server.