Recently ran into an issue where the FortiGate was providing incorrect IP addresses for requests to Microsoft domains. This led to certificate errors in Outlook and browser connections to portal.azure.com.
There appears to be some Reddit evidence of other users also seeing this issue:
https://www.reddit.com/r/fortinet/comments/yuu50t/dns_issues_while_using_fortinet_dns_servers/
Looks like the same IP that we saw (93.174.121.39) and certificate (SubName = gaia.iphost.gr).
As a work-around you can change your FW DNS settings to point to a 3rd-party DNS provider, but I'm curious if other people are seeing this and/or how to keep it from happening while using FortiGuard services for DNS. (I believe this is a requirement to leverage DNS filtering.)
Hello,
Good day to you.
Please be advised that our FortiGuard anycast DNS servers are cache-only DNS servers. They will query upstream authoritative name servers.
One possible reason is that for a short period, some external authoritative name servers in Europe region somehow did not return correct DNS records.
This is purely related to Microsoft resolving to incorrect IP and it is mostly a temporary issue.
Regards,
Klint George
This is, in my opinion, a poor response by Fortinet. It leans to a "not our fault" attitude, with a side helping of "not a big deal, after all it's 'mostly a temporary issue'", and a dash of "one possible reason" and "somehow", which is unacceptable. A proper response should contain exactly how it happened and what is being done to prevent such an incident again.
As discussed, this DNS issue is related to Bug ID 0898560 - Internal BUG @ Fortinet.
We have an open ticket with Fortinet waiting for an ETA on a fix and the root cause analysis (RCA).
We fought this all day yesterday. We're seeing this in about 25% of our Fortigates in the field, but nowhere else outside of Fortigate protected environments. Changing DNS in the Fortigate seemed to help, but was still not 100%.
Hours with Microsoft have relayed this back to ISP issues, from their perspective.
With a packet capture we were able to see the issue lies with DNS queries that go through o365filtering.com/azure-dns.info and azure-dns.org specifically. DNS queries outside those name servers were fine.
If this continues, I'll simply start blocking DNS traffic to *.azure-dns.* as a next step.
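Added example (not from any poster in this thread): a small Python check that cross-checks a hostname's A records across several resolvers and flags the resolver whose answer nobody else returns, then verifies that the TLS certificate's SAN list actually covers the hostname. The sample data is constructed; the bad IP and certificate name are the ones reported above, and the "public-dns" addresses are placeholders, not real Microsoft records.

```python
"""Cross-check DNS answers across resolvers and flag a certificate that
does not cover the requested hostname. Constructed sample data, no network."""
from collections import Counter

# Constructed sample: A records each resolver returned for portal.azure.com.
# The odd answer and the SAN name are the values reported in the thread;
# the "public-dns" addresses are placeholders, not real records.
SAMPLE_ANSWERS = {
    "fortiguard-dns": {"93.174.121.39"},
    "public-dns-a": {"40.126.1.5", "20.190.129.10"},
    "public-dns-b": {"40.126.1.5", "20.190.129.10"},
}
SAMPLE_CERT_SANS = ["gaia.iphost.gr"]


def find_outlier_resolvers(answers):
    """Resolvers whose every returned IP was returned by no other resolver.
    A resolver that agrees with at least one peer is never an outlier."""
    votes = Counter(ip for ips in answers.values() for ip in ips)
    if len(answers) < 2:
        return []
    return sorted(r for r, ips in answers.items()
                  if ips and all(votes[ip] == 1 for ip in ips))


def hostname_matches_san(hostname, san_names):
    """True if hostname is covered by one of the certificate's DNS SANs.
    A single leftmost wildcard label matches exactly one label (RFC 6125)."""
    host = hostname.lower().rstrip(".").split(".")
    for san in san_names:
        labels = san.lower().rstrip(".").split(".")
        if len(labels) != len(host) or len(labels) < 2:
            continue  # label count must match; no bare-TLD wildcards
        if labels[1:] != host[1:]:
            continue  # parent domain differs
        if labels[0] == "*" or labels[0] == host[0]:
            return True
    return False


def assess(hostname, answers, cert_sans):
    """Summarise which resolvers disagree and whether the cert fits the host."""
    return {
        "outlier_resolvers": find_outlier_resolvers(answers),
        "cert_matches_host": hostname_matches_san(hostname, cert_sans),
    }


if __name__ == "__main__":
    print(assess("portal.azure.com", SAMPLE_ANSWERS, SAMPLE_CERT_SANS))
```

Feed it the answers from `dig @<resolver> portal.azure.com A` for each resolver you care about and the SAN list from the served certificate; a lone outlier plus a non-matching SAN is the signature described in this thread.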
Just came here to say we had the same issue on many of our FortiGates as well. Glad it's only DNS; was thinking this was much worse than the FortiGates' upstream DNS. Still should not happen.
Has anyone had any success with this yet? I've tried some of the suggestions but am still having random issues. Mainly internal sites that use AzureAD for SSO. I tried a DNS filter to block *.azure-dns* like @Gnester suggested, but that just throws up a red screen saying it's been blocked. Perhaps I didn't do something correctly.
In my case the FortiGuard DNS feature did not respect my switching DNS from Fortinet to public DNS in the firewall. The only way I could completely solve the issue was to set my internal DNS servers to forward to public DNS and completely remove Fortigate from the equation.
We rolled external public DNS and so far so good on our side.
DNS issue is related to Bug ID 0898560.
This issue is from the upstream DNS provider and FortiGuard is affected by this.
Copyright 2024 Fortinet, Inc. All Rights Reserved.