bascheew
New Contributor III

Fortigates not resolving wildcard address objects when the DNS servers are across an IPSEC tunnel

Wildcard FQDN address objects do not instantly resolve the names like non-wildcard objects. Instead, for wildcard objects, the Fortigate watches DNS queries as they pass through the firewall and sniffs the IP addresses that are returned from DNS servers. The address objects cache the IP for the length of the DNS TTL and then flush the IP from the address record (though that can be changed to a static TTL in the CLI).

The problem we see quite frequently is that if devices have DNS servers at a main hub site and check their DNS from the hub across an IPSEC tunnel, the Fortigate does not see that traffic and the address objects are never populated with IP addresses. The Fortigate at the hub site sees the traffic because the DNS server forwards the request to a public DNS server and gets a response, so the hub Fortigate is always up to date. But the branch Fortigates do not see that traffic, I'm assuming because they don't watch IPSEC VPN tunnels to sniff DNS traffic?


Is there a setting that we can change so that they will read traffic over the VPN so that the address objects are populated?
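To make the behaviour described in the question concrete, here is an added Python model of how a passively learned wildcard FQDN object behaves; it is example code written for this page, not FortiOS code or Fortinet's implementation. The DNS answers are constructed test data, the class and function names are hypothetical, and the model assumes "*" matches any number of labels and that an unseen reply (for example one carried inside an IPsec tunnel the firewall does not inspect) simply never reaches the object.

```python
import fnmatch
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class DnsAnswer:
    """One A-record answer the firewall observed in a DNS reply (constructed)."""
    qname: str
    ip: str
    ttl: int
    seen_at: float  # seconds on a monotonic clock when the reply was seen


class WildcardFqdnObject:
    """Hypothetical model of a wildcard FQDN address object.

    IPs are learned only from DNS replies passed to observe(); nothing is
    resolved proactively. Each IP lives until the answer's TTL expires,
    or for static_ttl seconds when a static TTL is configured.
    """

    def __init__(self, pattern: str, static_ttl: Optional[int] = None):
        self.pattern = pattern.lower()
        self.static_ttl = static_ttl
        self._expiry: Dict[str, float] = {}  # ip -> absolute expiry time

    def matches(self, name: str) -> bool:
        # Assumption: '*' may span several labels (fnmatch semantics).
        return fnmatch.fnmatchcase(name.lower().rstrip("."), self.pattern)

    def observe(self, answer: DnsAnswer) -> bool:
        """Learn an IP from an observed reply; returns True if it matched."""
        if not self.matches(answer.qname):
            return False
        ttl = self.static_ttl if self.static_ttl is not None else answer.ttl
        expiry = answer.seen_at + ttl
        # Keep the later expiry if the same IP was already cached.
        self._expiry[answer.ip] = max(self._expiry.get(answer.ip, 0.0), expiry)
        return True

    def resolved_ips(self, now: float) -> Set[str]:
        """Flush expired entries and return the IPs the object currently holds."""
        self._expiry = {ip: exp for ip, exp in self._expiry.items() if exp > now}
        return set(self._expiry)


# Constructed replies as the hub firewall would see them when the hub DNS
# server forwards to a public resolver and the answer returns in cleartext.
HUB_VISIBLE: List[DnsAnswer] = [
    DnsAnswer("www.example.com", "192.0.2.10", ttl=300, seen_at=0.0),
    DnsAnswer("api.example.com", "192.0.2.20", ttl=60, seen_at=0.0),
    DnsAnswer("other.test", "198.51.100.5", ttl=300, seen_at=0.0),
]

# The branch firewall never sees the reply payload (it travels inside the
# tunnel in this model), so its object receives no answers at all.
BRANCH_VISIBLE: List[DnsAnswer] = []


def learned_ips(answers: List[DnsAnswer], now: float,
                static_ttl: Optional[int] = None) -> Set[str]:
    """Replay observed answers into a '*.example.com' object and read it at `now`."""
    obj = WildcardFqdnObject("*.example.com", static_ttl=static_ttl)
    for a in answers:
        obj.observe(a)
    return obj.resolved_ips(now)


if __name__ == "__main__":
    print("hub, t=30s   :", learned_ips(HUB_VISIBLE, 30.0))
    print("hub, t=120s  :", learned_ips(HUB_VISIBLE, 120.0))   # api.* has expired
    print("hub, static  :", learned_ips(HUB_VISIBLE, 120.0, static_ttl=3600))
    print("branch, t=30s:", learned_ips(BRANCH_VISIBLE, 30.0))  # never populated
```

Running the block shows the three cases the question turns on: the hub object holds both matching IPs while their TTLs are valid, drops the short-TTL one once it expires (or keeps it when a static TTL is configured), and the branch object stays empty because no reply ever reached it to be learned from.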

maulishshah
Staff

Hi @bascheew


Can you please share the DNS configuration from the spoke and the output of the following debugs.


Show full system dns


The debug of the DNS proxy; please also mention which FQDN we have to focus on.


diag debug application dnsproxy -1

diag debug enable


Per my knowledge, there are no additional settings required to read DNS traffic over an IPsec tunnel.


Thank you.

Maulish Shah