Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
PaoloMitre
New Contributor

FQDN resolution and dns cache

Hi everybody, I've had a problem with FQDN resolution in a FG 1000A. A policy didn't work fine as the source address, specified by a FQDN, wasn't resolved. I executed the diagnose command "diag test application dnsproxy 6", that dumps the DNS proxy cache. I couldn't see in the list the FQDN and its resolved IP. Then I executed the command "diag test application dnsproxy 4" that deletes and re-creates all FQDN addresses. After that, executing again the command "diag test application dnsproxy 6", I could see the FQDN address and the resolved IP. Could anyone explain to me what happened? Could it be a cache problem? Does anyone know how the FortiGate DNS cache works? Thanks! Paolo Boaretto
10 REPLIES
PaoloMitre
New Contributor

Any reply???
rwpatterson
Valued Contributor III

My only thought would be maybe that the address is dynamic and the 1000A didn't pick it up the first time through.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
PaoloMitre
New Contributor

There are no dynamic addresses. I'd like to know if the FortiGate has a cache and if yes how it works.
FortiRack_Eric
New Contributor III

FQDNs are resolved at time of creation and translated into an internal (kernel) IP rule. FQDNs are resolved again, based on the DNS TTL of the A-record, and again re-translated into an internal IP-based rule. Hope this clarifies it. Cheers, Eric

Rackmount your Fortinet --> http://www.rackmount.it/fortirack
PaoloMitre
New Contributor

Eric, thanks a lot! Now I can say the problem is due to the DNS server.
PaoloMitre

I've a last question: the FortiOS diagnose command "diag test application dnsproxy 6" dumps the proxy cache. Here you have one line of the output:

2010-10-06 12:42:12 vfid=0 name=ENWS02181636.xxx.xxx: timer running, min_ttl=1200:335, cache_ttl=0 , slot=-1, num=1 2010-10-06 12:42:12 2010-10-06 12:42:12 10.139.246.99 (ttl=1200:341:341)2010-10-06 12:42:12

Could someone explain to me which values I must consider? cache_ttl? min_ttl? Does cache_ttl = 0 mean an infinite TTL? Thanks
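As an added example (not from this thread or from Fortinet), a small parser for the "dnsproxy 6" cache dump that flags FQDN address objects a policy references but which are missing from the cache or carry no resolved IP, which is the failure described at the top of the thread. The line layout is assumed from the single dump line quoted above, and the field meanings (min_ttl as configured:remaining seconds, cache_ttl) are assumptions, not documented semantics.

```python
import re
from dataclasses import dataclass, field

# Layout assumed from the one dump line quoted in the thread; field meanings are assumptions.
HEADER_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) vfid=(?P<vfid>\d+) name=(?P<name>\S+): "
    r"(?P<state>[^,]+), min_ttl=(?P<min_ttl>\d+):(?P<min_left>\d+), cache_ttl=(?P<cache_ttl>\d+) ?,"
    r" slot=(?P<slot>-?\d+), num=(?P<num>\d+)$"
)
# Address records follow the header; the ttl triplet meaning is not documented here.
ADDR_RE = re.compile(r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \(ttl=(?P<ttl>\d+):(?P<a>\d+):(?P<b>\d+)\)")

# Constructed sample: first entry copied from the thread, second is a made-up
# unresolved name (num=0, no address record) to show the failure case.
SAMPLE_DUMP = """\
2010-10-06 12:42:12 vfid=0 name=ENWS02181636.xxx.xxx: timer running, min_ttl=1200:335, cache_ttl=0 , slot=-1, num=1
2010-10-06 12:42:12 10.139.246.99 (ttl=1200:341:341)
2010-10-06 12:42:12 vfid=0 name=srv-nxdomain.example.invalid: timer running, min_ttl=60:12, cache_ttl=0 , slot=-1, num=0
"""

@dataclass
class CacheEntry:
    name: str
    vfid: int
    state: str
    min_ttl: int        # assumed: TTL the proxy will honour
    min_ttl_left: int   # assumed: seconds left before re-resolution
    cache_ttl: int
    addresses: list = field(default_factory=list)  # (ip, ttl, a, b) tuples

def parse_dnsproxy_cache(dump: str) -> dict:
    """Parse 'diag test application dnsproxy 6' output into {fqdn: CacheEntry}."""
    entries, current = {}, None
    for raw in dump.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            current = CacheEntry(m["name"], int(m["vfid"]), m["state"].strip(),
                                 int(m["min_ttl"]), int(m["min_left"]), int(m["cache_ttl"]))
            entries[current.name] = current
            continue
        if current is not None:  # address records belong to the last header seen
            for a in ADDR_RE.finditer(line):
                current.addresses.append((a["ip"], int(a["ttl"]), int(a["a"]), int(a["b"])))
    return entries

def unresolved_fqdns(entries: dict, policy_fqdns) -> list:
    """FQDNs used by policies that are absent from the cache or have no IP: such policies match nothing."""
    return sorted(f for f in policy_fqdns if f not in entries or not entries[f].addresses)

if __name__ == "__main__":
    cache = parse_dnsproxy_cache(SAMPLE_DUMP)
    print(unresolved_fqdns(cache, ["ENWS02181636.xxx.xxx", "srv-nxdomain.example.invalid", "missing.example.invalid"]))
```

Run it against a real dump pasted into SAMPLE_DUMP together with the FQDN objects your policies reference; any name it returns is a policy that is silently not matching traffic.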
PaoloMitre
New Contributor

Any reply? Doesn't a good guide about these diagnose commands exist?
PaoloMitre
New Contributor

No reply
billp
Contributor

The "diag" commands are officially undocumented, I believe. The only docs are internal to FTN or on the KB online. You'd have to submit a support ticket to see if you can get add'l information or recommendations, unfortunately.

Bill ========== Fortigate 600C 5.0.12, 111C 5.0.2 Logstash 1.4.1