Akononov
New Contributor

Fortigate 100D Fortios 5.4.1 Deny: DNS error

Hello!

After upgrading our 100D, in Forward Traffic we can see these messages:

IP: 77.88.8.1   Host Name: secondary.dns.yandex.ru   Port: 53   Interface: wan1
Application Name: Unknown   Category: unscanned   Protocol: udp
Action: Deny: DNS error

AND

IP: 77.88.8.1   Host Name: secondary.dns.yandex.ru   Port: 53   Interface: wan2
Application Name: Unknown   Category: unscanned   Protocol: udp
Action: Deny: IP connection error
Akononov
New Contributor

Hi! 

Is this problem only for me?

kwik
New Contributor

Nope, I also have the same 100D on 5.4.1 and the DNS error.

Loading a webpage takes minutes (do you also have this behaviour?)

Did you find a solution?

MikePruett
Valued Contributor

Do you have any layer 7 applied to the policy that is letting DNS out?

Mike Pruett Fortinet GURU | Fortinet Training Videos
kwik

No security features are activated on the separate DNS rule.
Jeroen

luk.scheepers wrote:
No security features are activated on the separate DNS rule.

Did you ever find a solution to the problem? I have the same problem on a 100D model, even when all IPS/APP are deactivated.

gsarica

We're seeing the same messages; they also show up as threats in the FortiView area as 'Failed Connection Attempts'. I have an active ticket opened with support and have been going back and forth with some testing.

Edit: Also a Fortigate 100D with 5.4.1.

MikePruett
Valued Contributor

I am now officially in the same boat. Have a client running a 60D w/ 5.4.1 and it is seeing a lot of these. Weird stuff.


Nothing looks out of the ordinary on debugs so far.

Mike Pruett Fortinet GURU | Fortinet Training Videos
gsarica

Other things to note, not sure if any of you have similar setups that may be causing this:


-We're running dual WAN with load balancing. I see the issue with both WAN interfaces though in the logs so that doesn't seem to be it.

-We're also using OpenDNS as our DNS provider.

-I also see the source interface is sometimes LAN which would be correct and also sometimes 'unknown-0'. Not sure what that means at all.

gsarica

I got this response from support, though we're hesitant to delete any session helpers:


By design FortiGate looks for invalid/failed DNS traffic and will mark it as action=dns, or in the GUI as "Action Deny: DNS error". This happens if the DNS query is not successful, i.e. returns any other status than NOERROR. This is an expected behavior in version 5.4, where the firewall logs any invalid DNS traffic. The firewall action itself is allow/pass, but the bad reply from the server is not forwarded back to the requesting client, thus showing the "Deny: DNS Error" message. Invalid DNS traffic would be i.e. UDP packets on port 53 that are not DNS traffic, packets that are oversized, bad checksum etc.

** Can you try to delete the dns session helper from the session-helper configuration:

How session helper works:

The FortiOS firewall can analyze most TCP/IP protocol traffic by comparing packet header information to security policies. This comparison determines whether to accept or deny the packet and the session that the packet belongs to. Some protocols include information in the packet body (or payload) that must be analyzed to successfully process sessions for this protocol. It can happen that the information expected by the security policy is not contained in the header/payload of the packet, and that is when the packet is denied or dropped; the session helper for DNS is not mandatory, for which reason you can delete it and it should work properly after.

DELETE:

    config system session-helper
    show
    (find the one for DNS and then edit it by giving the number)
    edit 14   <---- I checked on the remote session it is "14"
        set name dns-udp
        set protocol 17
        set port 53
    next
    delete 14 <------
    end

Explanation on Deny: IP connection error:

This is an already known issue in 5.4.X and the developers are still working on this issue.
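Support's reply says the "Deny: DNS error" entries are logged as action=dns and are triggered when the upstream resolver answers with any status other than NOERROR. Before deleting a session helper, an administrator would normally want to know which resolver and which WAN interface the entries cluster on, and what rcode the resolver actually returned. The script below is an added example written for this thread; it is not code from the forum or from Fortinet. It assumes the FortiOS key=value traffic-log layout (fields such as action, dstip, dstintf, proto, dstport) and uses constructed sample lines and constructed DNS header bytes, so it runs offline.

```python
"""Triage FortiGate 'Deny: DNS error' (action=dns) traffic-log entries.

Added example for the forum thread above (not Fortinet's code). Assumes the
FortiOS key=value traffic-log format; sample lines below are constructed.
"""
import re
import struct
from collections import Counter

# Constructed sample traffic-log lines (not real captures). Field names follow
# the FortiOS key=value style; values are made up for the example.
SAMPLE_LOGS = """\
date=2016-08-01 time=10:00:01 type="traffic" subtype="forward" srcip=192.0.2.10 srcintf="internal" dstip=77.88.8.1 dstintf="wan1" proto=17 action="dns" service="DNS" dstport=53
date=2016-08-01 time=10:00:02 type="traffic" subtype="forward" srcip=192.0.2.11 srcintf="internal" dstip=77.88.8.1 dstintf="wan2" proto=17 action="ip-conn" service="DNS" dstport=53
date=2016-08-01 time=10:00:03 type="traffic" subtype="forward" srcip=192.0.2.10 srcintf="internal" dstip=77.88.8.1 dstintf="wan1" proto=17 action="dns" service="DNS" dstport=53
date=2016-08-01 time=10:00:04 type="traffic" subtype="forward" srcip=192.0.2.12 srcintf="internal" dstip=198.51.100.53 dstintf="wan1" proto=17 action="accept" service="DNS" dstport=53
"""

# key=value or key="quoted value" tokens
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    return {key: val.strip('"') for key, val in KV_RE.findall(line)}


def tally_dns_errors(text):
    """Count action=dns entries for UDP/53 per (dstip, dstintf).

    A count concentrated on one resolver or one WAN interface points at that
    resolver or path rather than at the firewall itself.
    """
    counts = Counter()
    for line in text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        if f.get("action") == "dns" and f.get("proto") == "17" and f.get("dstport") == "53":
            counts[(f.get("dstip", "?"), f.get("dstintf", "?"))] += 1
    return counts


# RFC 1035 response codes; anything but 0 is what support calls a non-NOERROR reply.
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def dns_rcode(packet):
    """Return (is_response, rcode_name) from the 12-byte DNS header.

    Use on the UDP payload from a packet capture of the resolver's reply to
    confirm whether it really answered with something other than NOERROR.
    """
    if len(packet) < 12:
        raise ValueError("packet shorter than a DNS header")
    _id, flags, _qd, _an, _ns, _ar = struct.unpack("!6H", packet[:12])
    qr = (flags >> 15) & 1      # 1 = response, 0 = query
    rcode = flags & 0xF         # low four bits of the flags word
    return bool(qr), RCODES.get(rcode, f"RCODE{rcode}")


if __name__ == "__main__":
    for (dst, intf), n in tally_dns_errors(SAMPLE_LOGS).most_common():
        print(f"{n:4d} action=dns  resolver={dst}  via={intf}")
    # Constructed header bytes: id 0x1234, flags 0x8182 = response, SERVFAIL
    print(dns_rcode(b"\x12\x34\x81\x82" + b"\x00" * 8))
```

Run against an exported traffic log instead of SAMPLE_LOGS to see whether the action=dns entries all point at one resolver; if they do, a capture of that resolver's replies fed through dns_rcode shows the status the firewall objected to, which is a cheaper first step than removing the dns-udp session helper.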
