heyyo
Contributor

How to see if DNS server send a NXDOMAIN error

Hi,

 

I am currently working on this KB: FortiGate alt-primary, alt-secondary DNS ... - Fortinet Community

It mentions that Public DNS servers return a name resolution error 'NXDOMAIN' so that another server selection takes place between alt-primary and alt-secondary DNS servers.

 

How do I know if the Public DNS server returns an NXDOMAIN error? Do we see it using debug?

I am not able to successfully implement the KB for internal lookups, but for external lookups it is working as expected.

Anything else which I can do to troubleshoot or look into?

 

Thank you!

3 Solutions
fricci_FTNT
Staff

Hi @heyyo ,

 

NXDOMAIN errors are related to a non-existent domain. To check that, you could run a packet capture and analyse the traffic with Wireshark on a test client.
Alternatively, you can run a packet capture on the FortiGate filtering by the DNS port 53 and the DNS server IP.
Bear in mind that if the DNS traffic uses DoH (DNS over HTTPS) or DoT (DNS over TLS) you may not be able to see the pcap content.

You may try to run the following debug and check if you are able to see NXDOMAIN errors:

diag debug application dnsproxy -1
diag debug console timestamp en
diag debug en

 

If using DNS port 53, the best way to see the DNS response should be running the packet sniffer below and converting the output to analyse it with Wireshark:
diag debug sniffer any "host x.x.x.x and host y.y.y.y and port 53" 6 0 l   # where x.x.x.x is the client IP and y.y.y.y is the DNS server IP


https://community.fortinet.com/t5/FortiGate/Technical-Tip-Packet-capture-sniffer/ta-p/198313

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Using-the-FortiOS-built-in-packet-sn...

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-import-diagnose-sniffer-packet-data...


Best regards,

---
If you have found a useful article or a solution, please like and accept it to make it easily accessible to others.


fricci_FTNT

Hi @heyyo ,

 

I have just tested it from a Windows client using nslookup, setting the DNS server of my choice and running Wireshark. Below is a screenshot of my test result:

[screenshot: test-DNS-NXDOMAIN.PNG]

 

The answer I get in the DNS response is "no such name", reply code (3).

Best regards,

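The two answers above identify NXDOMAIN by its reply code (3) in the DNS response seen in a sniffer or Wireshark capture. The following added example (not from the original thread or from Fortinet) decodes the 12-byte DNS header of a raw UDP payload, as exported from such a capture, and reports the RCODE name; the sample response bytes are constructed here for the name "nonexistent.example".

```python
import struct

# RCODE values from RFC 1035 section 4.1.1
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED"}


def parse_dns_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header (RFC 1035 4.1.1) and return its fields."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F                      # low 4 bits of the flags word
    return {
        "id": ident,
        "is_response": bool(flags & 0x8000),    # QR bit: 1 = response
        "authoritative": bool(flags & 0x0400),  # AA bit
        "rcode": rcode,
        "rcode_name": RCODE_NAMES.get(rcode, f"RCODE{rcode}"),
        "questions": qd, "answers": an, "authority": ns, "additional": ar,
    }


def decode_qname(msg: bytes, offset: int = 12) -> str:
    """Read the uncompressed question name that follows the header."""
    labels = []
    while True:
        length = msg[offset]
        if length == 0:
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels)


def is_nxdomain(msg: bytes) -> bool:
    """True only for a response (QR=1) whose RCODE is 3 ('no such name')."""
    h = parse_dns_header(msg)
    return h["is_response"] and h["rcode"] == 3


# Constructed sample: NXDOMAIN response with QR=1, RD=1, RA=1, RCODE=3,
# one question and no answer records (authority SOA omitted for brevity).
SAMPLE_NXDOMAIN = (
    b"\x12\x34"                           # transaction ID
    b"\x81\x83"                           # flags: QR=1 RD=1 RA=1 RCODE=3
    b"\x00\x01\x00\x00\x00\x00\x00\x00"   # QDCOUNT=1, AN=0, NS=0, AR=0
    b"\x0bnonexistent\x07example\x00"     # QNAME
    b"\x00\x01\x00\x01"                   # QTYPE=A, QCLASS=IN
)
```

Feed the function the UDP payload of each port-53 packet from the capture; a query (QR=0) is never reported as NXDOMAIN even if its RCODE bits are zero.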

Yurisk
SuperUser

As the KB article you pointed to mentions that it is applicable only when using DoH/DoT, i.e. DNS traffic is being encrypted, the only way to try and see the resolving process on the FGT is indeed to run debug. I am not sure about DoH/DoT traffic debug - if it has its own daemon and debug - but try starting with the usual DNS proxy debug: https://github.com/yuriskinfo/cheat-sheets/blob/master/cheat-sheets/Fortigate-debug-diagnose-complet... 

 

P.S. If someone knows about specific DoH/DoT debug on Forti, it would make a great KB article :)

Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
