Hi,
I am currently working on this KB: FortiGate alt-primary, alt-secondary DNS ... - Fortinet Community
It mentions that Public DNS servers return a name resolution error 'NXDOMAIN' so that another server selection takes place between alt-primary and alt-secondary DNS servers.
How do I know if the Public DNS server returns an NXDOMAIN error? Do we see it using debug?
I am not able to successfully implement the KB for internal look ups, but for external look ups it is working as expected.
Anything else which I can do to trouble shoot or look into?
Thank you!
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi @heyyo ,
NXDOMAIN errors are related to not existent domain. To check that you could run a packet capture and analyse traffic with wireshark on a test client.
Alternatively you can run a packet capture on the FortiGate filtering by the DNS port 53 and the DNS server IP.
Bear in mind that if the DNS traffic uses DoH (DNS over HTTPS) or DoT (DNS over TLS) you may not be able to see the pcap content.
You may try to run the following debug and check if you are able to see NXDOMAIN errors:
diag debug application dnsproxy -1
diag debug console timestamp en
diag debug en
If using DNS port 53, the best way to see the DNS response should be running the packet sniffer below and convert it to analyse it with wireshark:
diag debug sniffer any "host x.x.x.x and host y.y.y.y and port 53" 6 0 l #<-----where x.x.x.x is the client IP and y.y.y.y is the DNS server IP
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Packet-capture-sniffer/ta-p/198313
Best regards,
Created on 07-08-2024 07:14 AM Edited on 07-08-2024 07:14 AM
Hi @heyyo ,
I have just tested it from a Windows client using nslookup, setting the DNS server of my choice and running Wireshark. Below a screenshot of my test result:
The answer I get in the DNS response is "no such name", reply code (3).
Best regards,
AS the KB article you pointed to mentions that it is applicable only when using DOH/DOT, i.e. DNS traffic is being encrypted, the only way to try and see the resolving process on FGT is indeed to run debug. I am not sure about DOH/DOT traffic debug - if it has its own daemon and debug, but try starting with usual DNS proxy debug: https://github.com/yuriskinfo/cheat-sheets/blob/master/cheat-sheets/Fortigate-debug-diagnose-complet...
P.S. If someone knows about specific DOH/DOT debug on Forti it would make a great KB Article :)
Hi @heyyo ,
NXDOMAIN errors are related to not existent domain. To check that you could run a packet capture and analyse traffic with wireshark on a test client.
Alternatively you can run a packet capture on the FortiGate filtering by the DNS port 53 and the DNS server IP.
Bear in mind that if the DNS traffic uses DoH (DNS over HTTPS) or DoT (DNS over TLS) you may not be able to see the pcap content.
You may try to run the following debug and check if you are able to see NXDOMAIN errors:
diag debug application dnsproxy -1
diag debug console timestamp en
diag debug en
If using DNS port 53, the best way to see the DNS response should be running the packet sniffer below and convert it to analyse it with wireshark:
diag debug sniffer any "host x.x.x.x and host y.y.y.y and port 53" 6 0 l #<-----where x.x.x.x is the client IP and y.y.y.y is the DNS server IP
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Packet-capture-sniffer/ta-p/198313
Best regards,
Created on 07-08-2024 07:14 AM Edited on 07-08-2024 07:14 AM
Hi @heyyo ,
I have just tested it from a Windows client using nslookup, setting the DNS server of my choice and running Wireshark. Below a screenshot of my test result:
The answer I get in the DNS response is "no such name", reply code (3).
Best regards,
AS the KB article you pointed to mentions that it is applicable only when using DOH/DOT, i.e. DNS traffic is being encrypted, the only way to try and see the resolving process on FGT is indeed to run debug. I am not sure about DOH/DOT traffic debug - if it has its own daemon and debug, but try starting with usual DNS proxy debug: https://github.com/yuriskinfo/cheat-sheets/blob/master/cheat-sheets/Fortigate-debug-diagnose-complet...
P.S. If someone knows about specific DOH/DOT debug on Forti it would make a great KB Article :)
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1547 | |
1030 | |
749 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.