Wildcard FQDN address objects do not instantly resolve the names like non-wildcard objects. Instead, for wildcard objects, the FortiGate watches DNS queries as they pass through the firewall and it sniffs the IP addresses that are returned from DNS servers. The address objects will cache the IP for the length of the DNS TTL and then flush the IP from the address record (though that can be manipulated to a static TTL in the CLI).
The problem we see quite frequently is that if devices have DNS servers at a main hub site and check their DNS from the hub across an IPsec tunnel, the FortiGate does not see that traffic and the address objects are never populated with IP addresses. The FortiGate at the hub site sees the traffic because the DNS server forwards the request to a public DNS server and gets a response, so the hub FortiGate is always up to date. But the branch FortiGates do not see that traffic, I'm assuming because they don't watch IPsec VPN tunnels to sniff DNS traffic?
Is there a setting that we can change so that they will read traffic over the VPN so that the address objects are populated?
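The learning behaviour described in the question, as an added Python model that is not FortiGate code and is not from this thread: A records are parsed from DNS replies the firewall actually sees, kept only when the name matches the wildcard suffix, and dropped once the DNS TTL has elapsed; a reply that stays inside the tunnel is simply never handed to observe(). The reply builder, the *.example.com pattern and the addresses are constructed test data.

```python
import struct

def _name(pkt, off):  # decode a DNS name at `off`, following compression pointers -> (name, next_off)
    n = pkt[off]
    if n & 0xC0 == 0xC0:                        # pointer to an earlier copy of the name
        return _name(pkt, ((n & 0x3F) << 8) | pkt[off + 1])[0], off + 2
    if n == 0:
        return "", off + 1
    rest, end = _name(pkt, off + 1 + n)
    label = pkt[off + 1:off + 1 + n].decode("ascii").lower()
    return (label + "." + rest if rest else label), end
def a_records(pkt):  # -> [(name, ip, ttl)] for the A records in the answer section of a DNS reply
    _, flags, qd, an = struct.unpack("!4H", pkt[:8])
    if not flags & 0x8000:                      # QR=0: a query, nothing to learn from it
        return []
    off = 12
    for _ in range(qd):                         # skip the question section
        off = _name(pkt, off)[1] + 4
    out = []
    for _ in range(an):
        name, off = _name(pkt, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            out.append((name, ".".join(map(str, pkt[off:off + 4])), ttl))
        off += rdlen
    return out
class WildcardFqdn:                             # IPs come only from replies the firewall sees
    def __init__(self, pattern):
        self.suffix = pattern.lower()[1:]       # "*.example.com" -> ".example.com"
        self.cache = {}                         # ip -> expiry time
    def observe(self, pkt, now):                # called for each DNS reply that crosses the box
        for name, ip, ttl in a_records(pkt):
            if name.endswith(self.suffix):
                self.cache[ip] = now + ttl
    def members(self, now):                     # drop entries whose DNS TTL has elapsed
        self.cache = {ip: t for ip, t in self.cache.items() if t > now}
        return sorted(self.cache)
def build_response(qname, ips, ttl):
    """Constructed DNS reply (test data): one question, one A answer per IP, names via 0xC00C."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    pkt = struct.pack("!6H", 0x1234, 0x8180, 1, len(ips), 0, 0) + labels + b"\x00\x00\x01\x00\x01"
    for ip in ips:
        pkt += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(o) for o in ip.split("."))
    return pkt
def demo():
    obj = WildcardFqdn("*.example.com")         # hypothetical object; addresses are made up
    obj.observe(build_response("cdn.example.com", ["203.0.113.10", "203.0.113.11"], 60), now=0)
    obj.observe(build_response("www.example.net", ["198.51.100.5"], 60), now=0)  # suffix mismatch
    return obj.members(now=10), obj.members(now=61)  # -> (['203.0.113.10', '203.0.113.11'], [])
```

A spoke that never sees the reply (because it travels inside the IPsec tunnel) never calls observe(), which is exactly the empty-object symptom in the question.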
Hi @bascheew,
Can you please share the DNS configuration from the spoke and the output of the following debugs.
show full system dns
Debug of the DNS Proxy and mention what would be the FQDN we have to focus on.
diag debug application dnsproxy -1
diag debug enable
Per my knowledge, there are no additional settings required to read DNS traffic over the IPsec tunnel.
Thank you.
Copyright 2024 Fortinet, Inc. All Rights Reserved.