Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Mictronic
New Contributor II

Issue resolving www.epicgames.com

Hello fellows,


I have a problem with the DNS resolution of www.epicgames.com in particular. I have not yet noticed any other FQDNs.


The following configuration at my home:
Fortigate assigns an IP address to all LAN clients and is the local resolver and gateway, this is set via DHCP.

My private Fortigate 61F (FortiOS 7.2.8) is (sometimes) not able to resolve this FQDN. Accordingly, the browser reports back that the domain could not be resolved (DNS_PROBE_FINISHED_NXDOMAIN).
Same result when I try it with nslookup (** server can't find www.epicgames.com: SERVFAIL)
It also does not work on the Fortigate itself (execute ping www.epicgames.com - Unable to resolve hostname.).
However, if I use nslookup to query the server 9.9.9.9, for example, it works fine. It also works with the server 96.45.46.46 from Fortinet (both upstream resolvers).


There are no security profiles set in the rules.


What should I do, how can I find out what the problem is?


After restarting the FortiGate, it usually works, but this is not a viable solution for me.


Thank you very much for your ideas!

Best regards,
Mic
mpapisetty
Staff

Hi @Mictronic ,

What is the DNS server configured on the Fortigate itself? Did you try configuring this DNS server on the end host directly and see if you run into similar problems? This might help narrow down the issue. 

-Manoj Papisetty
Mictronic

Hello @mpapisetty 

thanks for your reply!


As I already wrote, 9.9.9.9 and 96.45.46.46 are the upstream DNS servers of Fortigate.

See here:
config system dns
  set primary 9.9.9.9
  set secondary 96.45.46.46
  set protocol dot
  set server-hostname "globalsdns.fortinet.net"
  set alt-primary 1.1.1.1
  set alt-secondary 1.0.0.1
end


And when I query these directly, I get a correct answer. In my opinion it must be somewhere in the dnsproxy of the Fortigate.


But where?


Best regards,
Mic
mpapisetty

Hi @Mictronic ,

Trying to think what could be the difference between a ping from the FortiGate CLI to resolve the name vs using a nslookup on the destination DNS server. Could it be "set protocol dot"? When we run an nslookup from a client, it would be simple UDP vs DoT which FortiGate is using. Not sure if the ISP messes up with DoT sometimes? Worth giving it a shot by changing it to plain text and see if that resolves the problem. 


If that also does not resolve the problem, then a packet capture when trying to resolve from the FortiGate CLI to see if the packets are sent out and received or not would help check further. 

-Manoj Papisetty
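A way to run the comparison Manoj suggests from any Linux or macOS host on the LAN, as an added example that is not from this thread: it sends the same A query for www.epicgames.com to each upstream resolver from the OP's config once over plain UDP/53 (what a client nslookup does) and once over DoT on TCP/853 (what the FortiGate does with "set protocol dot"), so a SERVFAIL, timeout or TLS error that shows up only on the DoT side points at the encrypted path or a middlebox on it rather than at the resolver. The DoT certificate name for 96.45.46.46 is the one from the config above; dns.quad9.net for 9.9.9.9 is an assumption, and the script uses only the Python 3 standard library.

```python
import socket, ssl, struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
QID = 0x1234  # fixed transaction ID so replies can be matched (one-off probe only)

def build_query(name):
    """Minimal DNS A query: RD set, one question, no EDNS."""
    header = struct.pack(">HHHHHH", QID, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN
def rcode_of(resp):
    """RCODE name from a reply, or a marker if it is too short or not ours."""
    if len(resp) < 12:
        return "SHORT"
    rid, flags = struct.unpack(">HH", resp[:4])
    if rid != QID:
        return "ID_MISMATCH"
    return RCODES.get(flags & 0xF, "RCODE%d" % (flags & 0xF))
def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the session")
        buf += chunk
    return buf
def query_udp(name, server, timeout=3.0):
    """Plain DNS over UDP/53, the path a client-side nslookup takes."""
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_query(name), (server, 53))
            return rcode_of(s.recvfrom(4096)[0])
    except OSError as e:
        return "ERROR:" + type(e).__name__
def query_dot(name, server, tls_name, timeout=3.0):
    """DNS over TLS on TCP/853 (RFC 7858): 2-byte length prefix, cert checked against tls_name."""
    q = build_query(name)
    try:
        with socket.create_connection((server, 853), timeout=timeout) as raw, \
                ssl.create_default_context().wrap_socket(raw, server_hostname=tls_name) as tls:
            tls.sendall(struct.pack(">H", len(q)) + q)
            (length,) = struct.unpack(">H", _recv_exact(tls, 2))
            return rcode_of(_recv_exact(tls, length))
    except OSError as e:  # timeout, handshake/cert failure or reset by a middlebox
        return "ERROR:" + type(e).__name__

if __name__ == "__main__":  # Quad9 DoT name is an assumption; the Fortinet one is from the OP's config
    for server, tls_name in (("9.9.9.9", "dns.quad9.net"), ("96.45.46.46", "globalsdns.fortinet.net")):
        print(server, "udp:", query_udp("www.epicgames.com", server), "dot:", query_dot("www.epicgames.com", server, tls_name))
```

Run it a few times while the FortiGate is in the failing state; if UDP answers NOERROR and DoT returns SERVFAIL or an ERROR marker, the packet capture on the FortiGate should focus on port 853.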
Mictronic

Hey man,
I didn't expect that!

Thanks for your hint, disabling dns over tcp actually fixed the problem.

Thank you very much for the idea!

Best regards,
Mic