Please make sure you are allowing http, https, dns, ntp, and port 8888 at a minimum from your internal to wan.
Also, I would recommend going to system, fortiguard. Make sure under fortiguard filtering port is set to 8888.
If you have any other interfaces, I would make sure they also have http, https, dns, and ntp allowed to wan.
In addition, I would recommend setting your FGT dns to the closest server to you. I have had the best luck if an internal dns is used and then place forwarders in active directory dns to whatever dns you want. Example, if you use Comcast, use their dns servers in FGT. Also, place any other network dns to the closest dns server. Example, If you have a separate wifi interface, specify that same dns server. Example, Comcast is 184.108.40.206.
Waiting to receive your config if you are still having problems.
Thank you for contacting Fortinet Technical Support.
My name *** and I will assist you with this issue.
You will see the following errors if the conditions are met:
1. DNS Queries -- DNS query returns anything but NOERROR.
"action" in log is "dns"
By design FortiGate looks for invalid/failed DNS traffic and will mark it as action=dns or in the GUI as "Action Deny: DNS error".
This happens if the DNS query is not successful returns any other status than NOERROR.
This is an expected behavior in version 5.4 where the firewall logs any invalid DNS traffic.
The firewall action itself is allow/pass, but the bad reply from the server is not forwarded back to the requesting client thus showing the "Deny: DNS Error" message.
2. Host not reachable -- If trying to reach an IP address that do not respond.
"action" in log is "ip-conn"
In both cases of your logs the connection actually allowed by the firewall, for DNS you receive anything but NOERROR and for IP connection error, the destination host does not respond.
Please let me know whether you need further assistance or the ticket can be closed.
After that i did some Traffic Capture and we looked on it.
in deed there were many errors because of for example a DNS Suffix.
As stated in the above answers your requests
in your provided packet capture from the firewall there are 106 DNS packets.
87 have been returned with NOERROR
19 have been returned with "No such name".
That is about 18% non successful requests and are leading to the messages you question.
From my point of view it is exactly behaving as I explained.
For your reference a couple of examples below:
2 2017-01-27 12:42:13.143902 172.16.1.1 172.16.4.200 DNS 164 Standard query response 0x35a0 No such name A wpad.stuttgart.****.local SOA dc01.*****.local
We didn't resolve this. Support sent us the following:
** Can you try to delete the dns session helper from session-helper configuration:
How session helper works:
The FortiOS firewall can analyze most TCP/IP protocol traffic by comparing packet header information to security policies. This comparison determines whether to accept or deny the packet and the session that the packet belongs to. Some protocols include information in the packet body (or payload) that must be analyzed to successfully process sessions for this protocol. It can happen that the information expected by the security policy is not contained in the header/payload of the packet and that is when the packet is denied or dropped; session helper for DNS is not mandatory for which reason you can delete it and it should work properly after.
#config system session-helper
find the one for DNS and than edit it by giving the number)
#edit 14 <---- I checked on the remote session it is "14"
#set name dns-udp
set protocol 17
set port 53
#delete 14 <------
We haven't tried this though since we're hesitant to straight up delete anything without being able to test first (it's our only production firewall).
I'm have the same issue on my Fortigate 100E FortiOS 5.4.4. I tried deleting the session helper, without luck (but it didn't seem to hurt anything either). I also verified my DNS Source IP is 0.0.0.0 already too.
@MikePruett, you stated you created some new security sensors. Are you saying you created new security profiles (AV, Web Filter, App Control, Etc..) across the board, or just for the ones that tied to a policy for DNS traffic?
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.