Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Akononov
New Contributor

Fortigate 100D Fortios 5.4.1 Deny: DNS error

Hello!

After upgrade our 100D, in Forward traffic we can see messages:

IP77.88.8.1Host Namesecondary.dns.yandex.ruPort53Interfacewan1

ApplicationNameUnknownCategoryunscannedProtocoludp

ActionActionDeny: DNS error

 

AND

 

IP77.88.8.1Host Namesecondary.dns.yandex.ruPort53Interfacewan2

ApplicationNameUnknownCategoryunscannedProtocoludp

ActionActionDeny: IP connection error
27 REPLIES 27
tmazowski

lmccuistian wrote:

I'm have the same issue on my Fortigate 100E FortiOS 5.4.4.  I tried deleting the session helper, without luck (but it didn't seem to hurt anything either).  I also verified my DNS Source IP is 0.0.0.0 already too.

 

@MikePruett, you stated you created some new security sensors. Are you saying you created new security profiles (AV, Web Filter, App Control, Etc..) across the board, or just for the ones that tied to a policy for DNS traffic?

lmccuistian - what are you using for system DNS? If you have private DNS servers set there, try switching them to FortiGuard or public DNS to see if it helps. We typically have that set up, and then use internal DNS for any DHCP scopes running on the FortiGate.

lmccuistian

I tried that, but no luck there either.  Still logging Deny: DNS Errors and also Deny: IP Connection Errors.

 

On my other Fortigate devices I typically have the primary DNS set to an internal DNS and secondary set to external.  The primary reason for this is so that in my logs, it will resolve internal hostnames.

MikePruett

On one of the Gates that I was experiencing this issue with I had to recreate profiles for my security functions. It's as though the originals were corrupt post update.

Mike Pruett Fortinet GURU | Fortinet Training Videos
lmccuistian

I was using the default security profiles that ship with the unit, just had modified them a bit to meet my need.  But I just tried as you suggested and created brand new profiles for AV, Webfilter, App Control, Proxy, and Certificate Inspection applied the new ones to every policy that is using them, but it made no change for me.  I'm getting nothing but Deny: IP connection errors in my log.

OGIGuy

FWIW, I just installed a Fortigate 200D with FortiOS 5.4.4. About 30% of the DNS requests were getting the DNS Error message. Deleting the DNS session-helper seems to have eliminated all the DNS error messages. Throughput greatly improved.

Thanks for the fix, gsarica and FortiSupport.

live89

I have the same situation were we have FML behind FGT and in FAZ we see lots of "Deny: DNS error" and "IP connection error" from FML source IP.

I tried deleting the DNS session-helper but that didn't help.

And in FML system events we see:

 

UDP DNS response is truncated, try DNS query in TCP (happened 115900 time(s)), DNS question section:{name=yahoo.com, qtype=16, class="1"}

 

Not really sure what to do.

Thanks

Thanks
dlopez
New Contributor

Hello,

Same errors with same device and same OS.

Did you fix the issue ?

Thanks

Regs

lmccuistian

Sorry, I didn't update this thread sooner.  I think I found the solution to my problem. It seems the log severity was set much higher than it should have been. I set the log severity to informational by using the commands below and now I have a usable log. config log mem filter set severity information end

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors