Wildcard FQDN address objects do not instantly resolve the names like non-wildcard objects. Instead, for wildcard objects, the Fortigate watches DNS queries as they pass through the firewall and it sniffs the IP addresses that are returned from DNS servers. The address objects will cache the IP for the length of the DNS TTL and then flush the IP from the address record (though that can be manipulated to a static TTL in the CLI).
The problem we see quite frequently is that if devices have DNS servers at a main hub site and check their DNS from the hub across an IPSEC tunnel, the Fortigate does not see that traffic and the address objects are never populated with IP addresses. The Fortigate at the hub site sees the traffic because the DNS server forwards the request to a public DNS server and gets a response, so the hub Fortigate is always up to date. But the branch Fortigates do not see that traffic, I'm assuming because they don't watch IPSEC VPN tunnels to sniff DNS traffic?
Is there a setting that we can change so that they will read traffic over the VPN so that the address objects are populated?
Hi @bascheew,
Can you please share the DNS configuration from the spoke and the output of the following debugs.
Show full system dns
Debug of the DNS Proxy and mention what would be the FQDN we have to focus on.
diag debug application dnsproxy -1
diag debug enable
Per my knowledge, there are no additional settings required to read DNS traffic over IPSec Tunnel.
Thank you.
Hi @maulishshah
I'm replying on behalf of the OP.
Here is the DNS config
config system dns
set primary 96.45.45.45
set secondary 96.45.46.46
set protocol dot
set ssl-certificate "Fortinet_Factory"
set server-hostname "globalsdns.fortinet.net"
set ip6-primary ::
set ip6-secondary ::
set timeout 5
set retry 2
set dns-cache-limit 5000
set dns-cache-ttl 1800
set cache-notfound-responses disable
set source-ip 0.0.0.0
set interface-select-method auto
set server-select-method least-rtt
set alt-primary 0.0.0.0
set alt-secondary 0.0.0.0
set log disable
end
And here is a snippet of the debug. The FQDN in question is *.gebbsrcm.com
[worker 0] fqdn_ha_sync_send_addr_response()-586: send FQDN_HA_SYNC_T_ADDR_RESPONSE
[worker 0] fqdn_ha_sync_handler()-1539: recv FQDN_HA_SYNC_T_ADDR_REQUEST
[worker 0] fqdn_ha_sync_recv_addr_request()-1428: vfid=0 fqdn=*.gebbsrcm.com
[worker 0] fqdn_ha_sync_send_addr_response()-586: send FQDN_HA_SYNC_T_ADDR_RESPONSE
[worker 0] batch_on_read()-3352
[worker 0] handle_hostname_add_msg()-549
[worker 0] dns_visibility_log_hostname()-241: vd=0 pktlen=63
[worker 0] wildcard_fqdn_response_cb()-901: vd=0 pktlen=63
Thanks!
Refer:-
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Using-a-wildcard-FQDN/ta-p/196118
Thanks for the reply!
As far as I can tell the fqdn address is configured correctly. Running "diagnose firewall fqdn list-ip" on the hub router shows it resolved to an IP but not on the spoke. I increased the cache-ttl as suggested but haven't seen any difference.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1742 | |
1113 | |
759 | |
447 | |
241 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2025 Fortinet, Inc. All Rights Reserved.