Hello fellows,
I have a problem with the DNS resolution of www.epicgames.com in particular. I have not yet noticed any other FQDNs.
The configuration at my home is as follows:
The Fortigate assigns an IP address to all LAN clients and is the local resolver and gateway; this is set via DHCP.
My private Fortigate 61F (FortiOS 7.2.8) is (sometimes) not able to resolve this FQDN. Accordingly, the browser reports back that the domain could not be resolved (DNS_PROBE_FINISHED_NXDOMAIN).
Same result when I try it with nslookup (** server can't find www.epicgames.com: SERVFAIL).
It also does not work on the Fortigate itself (execute ping www.epicgames.com - Unable to resolve hostname.).
However, if I use nslookup to query the server 9.9.9.9, for example, it works fine. It also works with the server 96.45.46.46 from Fortinet (both upstream resolvers).
There are no security profiles set in the rules.
What should I do, how can I find out what the problem is?
After restarting the FortiGate, it usually works, but this is not a viable solution for me.
Thank you very much for your ideas!
Hi @Mictronic ,
What is the DNS server configured on the Fortigate itself? Did you try configuring this DNS server on the end host directly and see if you run into similar problems? This might help narrow down the issue.
Hello @mpapisetty,
Thanks for your reply!
As I already wrote, 9.9.9.9 and 96.45.46.46 are the upstream DNS servers of Fortigate.
See here:
config system dns
    set primary 9.9.9.9
    set secondary 96.45.46.46
    set protocol dot
    set server-hostname "globalsdns.fortinet.net"
    set alt-primary 1.1.1.1
    set alt-secondary 1.0.0.1
end
And when I query these directly, I get a correct answer. In my opinion it must be somewhere in the dnsproxy of the Fortigate.
But where?
Hi @Mictronic ,
Trying to think what could be the difference between a ping from the FortiGate CLI to resolve the name vs using a nslookup on the destination DNS server. Could it be "set protocol dot"? When we run an nslookup from a client, it would be simple UDP vs DoT which FortiGate is using. Not sure if the ISP messes up with DoT sometimes? Worth giving it a shot by changing it to plain text and see if that resolves the problem.
If that also does not resolve the problem, then a packet capture when trying to resolve from the FortiGate CLI to see if the packets are sent out and received or not would help check further.
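As an added example (not FortiGate code and not something posted in this thread), the Python script below reproduces the two resolution paths the answer above contrasts so their RCODEs can be compared from a LAN host: plain DNS over UDP/53, which is what nslookup on a client uses, and DNS over TLS on TCP/853 with the server certificate verified against a hostname, which is the role of "set server-hostname" in the posted config. The resolver addresses and the Fortinet hostname are taken from that config; "dns.quad9.net" is my assumption for the name on Quad9's certificate, and all function names are mine.

```python
"""Compare plain-UDP DNS and DNS-over-TLS (DoT) answers for one name.

Added example for this thread, not FortiGate's dnsproxy: it builds a raw DNS
query, sends it over UDP/53 and over TLS/853 (with the 2-byte TCP length
framing DoT requires), and reports the RCODE each path returns.
"""
import socket
import ssl
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query: RD=1, one question, class IN (qtype 1 = A)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_response(data: bytes, expected_txid: int = 0x1234) -> dict:
    """Return txid match, QR bit, RCODE name and answer count from a raw reply."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return {
        "txid_ok": txid == expected_txid,
        "is_response": bool(flags & 0x8000),
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "answers": an,
    }


def frame_tcp(msg: bytes) -> bytes:
    """DNS over TCP/TLS prefixes every message with a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def unframe_tcp(stream: bytes) -> bytes:
    """Strip the length prefix, refusing a reply shorter than it claims."""
    length = struct.unpack("!H", stream[:2])[0]
    if len(stream) < 2 + length:
        raise ValueError("short TCP DNS message")
    return stream[2:2 + length]


def query_udp(server: str, name: str, timeout: float = 3.0) -> dict:
    """Plain DNS on UDP/53: the path a client's nslookup takes."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_response(data)


def query_dot(server: str, name: str, server_hostname: str,
              timeout: float = 5.0) -> dict:
    """DNS over TLS on TCP/853, verifying chain and hostname like
    FortiGate does with its configured server-hostname."""
    ctx = ssl.create_default_context()  # certificate chain + hostname checks on
    with socket.create_connection((server, 853), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_hostname) as tls:
            tls.sendall(frame_tcp(build_query(name)))
            buf = b""
            # Read until the framed length has fully arrived.
            while len(buf) < 2 or len(buf) < 2 + struct.unpack("!H", buf[:2])[0]:
                chunk = tls.recv(4096)
                if not chunk:
                    raise ConnectionError("TLS peer closed before full reply")
                buf += chunk
    return parse_response(unframe_tcp(buf))


if __name__ == "__main__":
    # Resolver addresses and the Fortinet hostname come from the posted config;
    # dns.quad9.net is assumed to be the name on Quad9's certificate.
    NAME = "www.epicgames.com"
    for server in ("9.9.9.9", "96.45.46.46"):
        print(server, "udp", query_udp(server, NAME))
    print("9.9.9.9", "dot", query_dot("9.9.9.9", NAME, "dns.quad9.net"))
    print("96.45.46.46", "dot",
          query_dot("96.45.46.46", NAME, "globalsdns.fortinet.net"))
```

A SERVFAIL from the DoT path but NOERROR over UDP points at the encrypted transport (or the upstream's DoT endpoint) rather than the zone; a certificate or hostname mismatch, by contrast, surfaces as an ssl.SSLCertVerificationError before any DNS message is exchanged, which is a different failure to chase than the SERVFAIL the asker saw.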
Hey man,
I didn't expect that!
Thanks for your hint, disabling dns over tcp actually fixed the problem.
Thank you very much for the idea!
Best regards
Copyright 2024 Fortinet, Inc. All Rights Reserved.