Support Forum
ChiefSec_Fortinet
New Contributor

FortiGuard DNS issue

Recently ran into an issue where the FortiGate was providing incorrect IP addresses for requests to Microsoft domains. This led to certificate errors in Outlook and browser connections to portal.azure.com.

There appears to be some Reddit evidence of other users also seeing this issue:

https://www.reddit.com/r/fortinet/comments/yuu50t/dns_issues_while_using_fortinet_dns_servers/

Looks like the same IP that we saw (93.174.121.39) and Certificate (SubName = gaia.iphost.gr)

As a work-around you can change your FW DNS settings to point to a 3rd party DNS provider, but curious if other people are seeing this and/or how to keep it from happening while using FortiGuard services for DNS. (I believe this is a requirement to leverage DNS filtering)

kgeorge
Staff

Hello,

Good day to you.

Please be advised that our FortiGuard anycast DNS servers are cache-only DNS servers. They will query upstream authoritative name servers.

One possible reason is that for a short period, some external authoritative name servers in the Europe region somehow did not return correct DNS records.

This is purely related to Microsoft resolving to an incorrect IP and it is mostly a temporary issue.

Regards,

Klint George

mikes1979

This is, in my opinion, a poor response by Fortinet.  It leans to a "not our fault" attitude, with a side helping of "not a big deal, after all it's 'mostly a temporary issue'", and a dash of "one possible reason" and "somehow", which is unacceptable.  A proper response should contain exactly how it happened and what is being done to prevent such an incident again. 

travuselm
New Contributor II

As discussed this DNS issue is related to the Bug ID 0898560 - Internal BUG @ Fortinet

We have an open ticket with Fortinet waiting for an ETA on the fix and the root cause analysis (RCA)

Gnester
New Contributor

We fought this all day yesterday. We're seeing this in about 25% of our FortiGates in the field, but nowhere else outside of FortiGate protected environments. Changing DNS in the FortiGate seemed to help, but was still not 100%.

Hours with Microsoft have relayed this back to ISP issues, from their perspective.

With a packet capture we were able to see the issue lies with DNS queries that go through o365filtering.com/azure-dns.info and azure-dns.org specifically. DNS queries outside those name servers were fine.

If this continues, I'll simply start blocking DNS traffic to *.azure-dns.* as a next step.
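
The symptom in the opening post (a resolver handing back 93.174.121.39 for a Microsoft name, after which the browser sees a certificate for gaia.iphost.gr) and the resolver-level view in the post above reduce to two checks a practitioner can automate: do the FortiGuard-facing resolver and a known-good resolver agree on the answer, and does the certificate the client receives actually name the host it asked for. The Python below is an added example written for this thread, not code from any participant or from Fortinet. The resolver labels, the function names and the reference addresses (RFC 5737 documentation ranges) are constructed for illustration; only the 93.174.121.39 address and the gaia.iphost.gr name come from the thread.

```python
"""Cross-check DNS answers from two resolvers and test a served certificate's
names against the hostname the client asked for. Example code written for
this thread, not part of any poster's environment."""
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class DnsAnswer:
    resolver: str  # label for the recursive resolver that answered
    qname: str     # name queried
    rdata: str     # A record returned


# Constructed sample: 93.174.121.39 is the address reported in the thread;
# 203.0.113.x and 198.51.100.x are RFC 5737 documentation ranges standing in
# for whatever the reference resolver actually returns.
SAMPLE_ANSWERS = [
    DnsAnswer("fortiguard", "portal.azure.com", "93.174.121.39"),
    DnsAnswer("reference", "portal.azure.com", "203.0.113.10"),
    DnsAnswer("fortiguard", "login.microsoftonline.com", "203.0.113.20"),
    DnsAnswer("reference", "login.microsoftonline.com", "203.0.113.20"),
    DnsAnswer("fortiguard", "example.net", "198.51.100.5"),
    DnsAnswer("reference", "example.net", "198.51.100.5"),
]

# Names from the certificate the thread says was served for portal.azure.com.
SERVED_CERT_NAMES = ["gaia.iphost.gr"]


def _normalise(name):
    return name.lower().rstrip(".")


def answers_by_resolver(answers):
    """Group answers as {qname: {resolver: set(ip)}}."""
    table = {}
    for a in answers:
        per_name = table.setdefault(_normalise(a.qname), {})
        per_name.setdefault(a.resolver, set()).add(ip_address(a.rdata))
    return table


def find_divergent(answers, reference="reference"):
    """Return {qname: {resolver: {ip, ...}}} for names where a resolver's
    answer set shares no address with the reference resolver's answers.
    Names the reference resolver never answered are skipped: with no
    baseline there is nothing to compare against."""
    divergent = {}
    for qname, per_res in answers_by_resolver(answers).items():
        baseline = per_res.get(reference, set())
        if not baseline:
            continue
        for resolver, ips in per_res.items():
            if resolver != reference and not (ips & baseline):
                divergent.setdefault(qname, {})[resolver] = {str(ip) for ip in ips}
    return divergent


def name_matches(hostname, cert_names):
    """RFC 6125 style check: hostname must equal a certificate DNS name, or
    match a wildcard whose '*' is the entire leftmost label and stands for
    exactly one label. Wildcards with fewer than three labels (e.g. '*.com')
    are rejected."""
    host = _normalise(hostname).split(".")
    for name in cert_names:
        labels = _normalise(name).split(".")
        if len(labels) != len(host):
            continue
        if labels[0] == "*":
            if len(labels) >= 3 and labels[1:] == host[1:]:
                return True
        elif labels == host:
            return True
    return False


def diagnose(hostname, cert_names, answers, reference="reference"):
    """List the problems a client would hit for hostname: a certificate that
    does not name it, and a resolver that disagrees with the reference."""
    problems = []
    if not name_matches(hostname, cert_names):
        problems.append(f"certificate names {cert_names} do not cover {hostname}")
    divergent = find_divergent(answers, reference)
    host = _normalise(hostname)
    if host in divergent:
        problems.append(f"resolver disagreement for {host}: {divergent[host]}")
    return problems


if __name__ == "__main__":
    for line in diagnose("portal.azure.com", SERVED_CERT_NAMES, SAMPLE_ANSWERS):
        print(line)
```

In use, the A records would be taken from a capture on the FortiGate-facing resolver and from a known-good resolver for the same names; a non-empty result from `find_divergent` is the signal to act before users reach the certificate warning, and `name_matches` is what the browser is effectively doing when it rejects the gaia.iphost.gr certificate.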

SupportKrg
New Contributor

Just came here to say we had the same issue on many of our FortiGates as well. Glad it's only DNS, was thinking this was much worse than the FortiGates' upstream DNS. Still should not happen.

FortiNooby
New Contributor

Has anyone had any success with this yet?  I've tried some of the suggestions but am still having random issues.  Mainly internal sites that use AzureAD for SSO.  I tried a DNS filter to block *.azure-dns* like @Gnester suggested, but that just throws up a red screen saying it's been blocked.  Perhaps I didn't do something correctly.

mikes1979

In my case the FortiGuard DNS feature did not respect my switching DNS from Fortinet to public DNS in the firewall. The only way I could completely solve the issue was to set my internal DNS servers to forward to public DNS and completely remove the FortiGate from the equation.

SupportKrg
New Contributor

We rolled external public DNS and so far so good on our side. 

travuselm
New Contributor II

DNS issue is related to the Bug ID 0898560
This issue is from the upstream DNS provider and FortiGuard is affected by this.
