TecnetRuss
Contributor

FortiGuard DNS problems: "no available Fortiguard SDNS servers" & "A rating error occurs"

We're noticing this problem across multiple clients this morning.  Any users using Internet access policies with a DNS Filter profile enabled are blocked from accessing the Internet.  The DNS Query logs show constant failures with:

  • Error: no available Fortiguard SDNS servers
  • Message: A rating error occurs

    The FortiGuard page shows two green "check" status indicators and "diag debug rating" doesn't show any obvious errors.

     

    This is not a config problem.  This has happened simultaneously across multiple FortiGates with known good working configs and no recent config changes.  Changing the FortiGuard protocol and port between UDP and HTTPS, 53, 443 and 8888 doesn't seem to make a difference.  The only solution is to either remove the DNS Filter profile from the policies or set "Allow DNS requests when a rating error occurs" to enabled in the DNS Filter profiles - then traffic starts flowing again.

     

    This seems pretty clearly to be a back-end FortiGuard DNS problem.  Anyone else seeing this?  Any official acknowledgement of any FortiGuard DNS problems?

     

    Russ

    NSE7
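A small detection script for the failure described above, added here as an example and not part of the original post: it parses FortiOS-style DNS-filter log lines (the sample lines and their field layout are constructed for this example) and reports the share of "A rating error occurs" entries per policy, so an operator can see both when the outage starts and when the "allow on rating error" fail-open workaround can safely be reverted.

```python
import re
from collections import Counter

# Constructed sample lines in the FortiOS key="value" log style (not real logs).
SAMPLE_LOGS = """\
date=2020-06-09 time=12:41:05 type="utm" subtype="dns" eventtype="dns-response" policyid=5 srcip=10.0.1.25 qname="example.com" error="no available Fortiguard SDNS servers" msg="A rating error occurs" action="block"
date=2020-06-09 time=12:41:15 type="utm" subtype="dns" eventtype="dns-response" policyid=5 srcip=10.0.1.26 qname="example.org" error="no available Fortiguard SDNS servers" msg="A rating error occurs" action="block"
date=2020-06-09 time=12:41:25 type="utm" subtype="dns" eventtype="dns-response" policyid=5 srcip=10.0.1.25 qname="bad.example" msg="Domain belongs to a denied category in policy" action="block"
date=2020-06-09 time=12:41:30 type="utm" subtype="dns" eventtype="dns-response" policyid=7 srcip=10.0.1.30 qname="example.net" msg="Domain belongs to an allowed category in policy" action="pass"
"""

# key=value or key="quoted value" (quoted values may contain spaces).
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
RATING_ERROR = "A rating error occurs"


def parse_line(line):
    """Split one FortiOS log line into a dict, stripping quotes from values."""
    fields = {}
    for key, value in KV_RE.findall(line):
        fields[key] = value[1:-1] if value.startswith('"') else value
    return fields


def rating_error_report(log_text, threshold=0.5):
    """Count rating errors among DNS-filter events.

    Returns a dict with the error count, total DNS events, errors per
    policy id, the time of the last error seen, and an alert flag that is
    set when the error share reaches `threshold`.
    """
    total = 0
    errors = Counter()
    last_error = None
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev.get("subtype") != "dns":
            continue  # ignore non-DNS-filter events
        total += 1
        if ev.get("msg") == RATING_ERROR:
            errors[ev.get("policyid", "?")] += 1
            last_error = ev.get("time")
    err_total = sum(errors.values())
    ratio = err_total / total if total else 0.0
    return {"errors": err_total, "total": total, "by_policy": dict(errors),
            "last_error": last_error, "alert": ratio >= threshold}


if __name__ == "__main__":
    print(rating_error_report(SAMPLE_LOGS))
```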

    dpreston
    New Contributor

    We have, same description.

    Temp fix for us was to disengage DNS filter component on the IPv4 policy referenced in the log entry.

     

     

    TecnetRuss

    The problem resolved itself for us at around 12:41 PM Pacific according to my DNS Query logs:

     

    12:41:15 - ERROR- "Message: A rating error occurs" (last error)

    12:41:25 - OK - "Message: Domain belongs to a denied category in policy" (no errors from this point forward)

     

    Russ

    NSE7

    RB4523

    We had the same issue the last few days, the following finally got DNS Filtering working again.

     

    config system fortiguard
        set fortiguard-anycast disable
        set protocol udp
        set port 8888
        set sdns-server-ip 208.91.112.220
    end

     

    Fortigate 6.4.1 

    N4pst3r
    New Contributor

    x3

    Had the same issue on a FortiGate VM running FortiOS 6.4.1 and on a non-administrative VDOM; in this case "set source-ip" is needed:

     

    config system fortiguard
        set port 8888
        set fortiguard-anycast disable
        set sdns-server-ip "208.91.112.220"
        set source-ip 138.118.8.4
    end

    Yurisk
    Valued Contributor

    Just to confirm that this solved my case too: browsing slowness due to high DNS Filtering response times. Disabling anycast automatically caused 4 additional FortiGuard IPs to appear in the list.

    The default IP of 172.243.138.221 was showing 450 msec response time in Network -> DNS. After disabling anycast, the best server IP gives just 40 msec!

    Thx for the pointer.

    FGT 200E 6.4.4

     

    Yuri https://yurisk.info/  blog: All things Fortinet, no ads.