Jonathan_Body_FTNT
Description
This article describes the DNS debug information that can be collected from the FortiGate CLI, both prior to FortiOS 3.0 MR6 and since MR7.

The FortiGate relies on DNS for several of its own functions, including communication with FortiGuard, sending email alerts, and resolving FQDN address objects used in firewall policies (for example, URL blocking by hostname). A DNS problem on the unit therefore shows up as failures in these features, not only in client lookups.

Solution
Prior to FortiOS 3.0 MR6, DNS troubleshooting was performed with the haproxy debug commands, which dump the DNS proxy cache and the FQDN table:
diag debug haproxy dump
DNS proxy cache dump:
Cached [0x8c15c18]: Questions in query:
QR: update.fortiguard.net.
Cached [0x8c156d8]: Questions in query:
QR: www.fortinet.com.
---End of DNS proxy cache dump---
diag debug haproxy fqdndump
FQDN entry dump:
www.fortinet.com: ID(107) REF(1) EXPIRE(1224623673, ttl 3600) VD(0, ref 1)
---End of FQDN entry dump (total 1)--

Since FortiOS 3.0 MR7, a dedicated dnsproxy test command is available on the FortiGate; its options are listed with:
diag test application dnsproxy ?
1. Clear dns cache
2. Show stats
3. Dump DNS setting
4. Reload FQDN
5. Requery FQDN
6. Dump FQDN

Below are examples of each option and the output it should produce.

  -  To clear the DNS cache:
diag test application dnsproxy 1
  -  DNS statistics:
diag test application dnsproxy 2
DNS_CACHE: alloc=4
DNS UDP: req=13, res=4, fwd=4, hits=9, alloc=0 cur=4
FQDN: alloc=1
DNS TCP: req=0, alloc=0
  -  DNS settings (configured servers, cache parameters and the proxy's file descriptors):
diag test application dnsproxy 3

Management: vd=root, id=0, master=1:1
DNS server 0: x.x.x.x:53
DNS server 1: x.x.x.x:53
DNS server 2: x.x.x.x:53
DNS server 3: x.x.x.x:53
DNS_CACHE: hash-size=2048, ttl=1800, min-ttl=60, max-num=5000
DNS FD: mgmt_s=7, mgmt_c=8, mgmt_c2=9, ha_s=5 ha_c=6 unix_s=10, unix_nb_s=11, unix_nc_s=12
relay dmz in root: fd=13
relay internal in root: fd=14
dns_out_sock=8, mgmt_recreate_sock=0 mgmt_switched=0, jiffies=91669
FQDN: hash_size=1024, current_query=1024
DNS FD: tcp_s=15

  -  Dump the FQDN entries (the FQDN address objects the proxy keeps resolved), with their TTL state and the resolved addresses:
diag test application dnsproxy 6
vfid=0 name=www.fortinet.com: timer running, min_ttl=43200:43129, slot=-1, num=1 X.X.X.X
  -  Reload the FQDN list, and force a new query for the FQDN entries:
diag test application dnsproxy 4
diag test application dnsproxy 5

The lookup itself can also be followed on the FortiGate. Enable the dnsproxy application debug, make sure debug output is turned on with diag debug enable, and then trigger a lookup, for example with a ping. The example below uses www.fortinet.com. Turn the debug off again afterwards with diag debug disable, as it is verbose on a busy unit.

diag debug application dnsproxy -1
diag debug enable

execute ping www.fortinet.com
unix_receive_request()-521
handle_dns_request()-378: pktlen=32, qr=0
dns_forward_request()-303
dns_forward_request()-316: Send 32B to x.y.z.t:53 via fd=8
mgmt_receive_response()-504
mgmt_receive_response()-510: len=116, addr=x.y.z.t:53, addrlen=16
handle_dns_response()-423
dns_set_min_ttl()-153: QR: www.fortinet.com
dns_set_min_ttl()-161: Offset of 1st RR: 32 Number of RR's: 5
dns_set_min_ttl()-171: RR TTL: 43200
dns_set_min_ttl()-171: RR TTL: 277
dns_set_min_ttl()-171: RR TTL: 277
dns_set_min_ttl()-171: RR TTL: 277
dns_set_min_ttl()-171: RR TTL: 277
dns_cache_response()-229: Min ttl = 277
dns_forward_response()-330
dns_forward_response()-334: Send 32B via fd=10
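The counters from option 2 and the trace above are usually pasted into a ticket as raw text. The following script is an added example for this article, not Fortinet code: it parses both outputs offline and derives the checks a practitioner wants, namely the cache hit ratio, whether every forwarded query got an answer, which server was contacted, and whether the cached TTL is the smallest RR TTL in the reply (which is what the dns_set_min_ttl lines show). The meaning of the counters (req = queries received, hits = answered from cache, fwd = forwarded upstream, res = responses received) is inferred from the sample output and is an assumption, not documented behaviour; the server address 10.0.0.53 in the sample trace is constructed in place of the article's x.y.z.t placeholder.

```python
"""Summarize FortiGate dnsproxy diagnostics saved from the CLI.

Added example for this article; not Fortinet code. Counter meanings
(req/hits/fwd/res) are an assumption inferred from the sample output.
"""
import re

# Constructed sample: the 'diag test application dnsproxy 2' output shown in the article.
STATS_SAMPLE = """\
DNS_CACHE: alloc=4
DNS UDP: req=13, res=4, fwd=4, hits=9, alloc=0 cur=4
FQDN: alloc=1
DNS TCP: req=0, alloc=0
"""

# Constructed sample: 'diag debug application dnsproxy -1' trace for
# 'execute ping www.fortinet.com'; 10.0.0.53 stands in for the real server.
TRACE_SAMPLE = """\
unix_receive_request()-521
handle_dns_request()-378: pktlen=32, qr=0
dns_forward_request()-303
dns_forward_request()-316: Send 32B to 10.0.0.53:53 via fd=8
mgmt_receive_response()-504
mgmt_receive_response()-510: len=116, addr=10.0.0.53:53, addrlen=16
handle_dns_response()-423
dns_set_min_ttl()-153: QR: www.fortinet.com
dns_set_min_ttl()-161: Offset of 1st RR: 32 Number of RR's: 5
dns_set_min_ttl()-171: RR TTL: 43200
dns_set_min_ttl()-171: RR TTL: 277
dns_set_min_ttl()-171: RR TTL: 277
dns_set_min_ttl()-171: RR TTL: 277
dns_set_min_ttl()-171: RR TTL: 277
dns_cache_response()-229: Min ttl = 277
dns_forward_response()-330
dns_forward_response()-334: Send 32B via fd=10
"""

KV_RE = re.compile(r"(\w+)=(\d+)")


def parse_stats(text):
    """Return {'DNS UDP': {'req': 13, ...}, ...} from the option 2 output."""
    stats = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        section, _, rest = line.partition(":")
        # 'alloc=0 cur=4' has no comma, so match key=value pairs rather than splitting on ','.
        stats[section.strip()] = {k: int(v) for k, v in KV_RE.findall(rest)}
    return stats


def udp_health(stats):
    """Derive hit ratio and unanswered forwards from the UDP counters.

    Assumption: hits + fwd == req and res counts replies to fwd, which is
    what the sample counters show (9 + 4 == 13, res == fwd == 4).
    """
    udp = stats["DNS UDP"]
    req, res, fwd, hits = (udp[k] for k in ("req", "res", "fwd", "hits"))
    return {
        "hit_ratio": round(hits / req, 3) if req else 0.0,
        "unanswered_forwards": fwd - res,  # > 0: upstream server is not answering
        "accounted": hits + fwd == req,    # counters self-consistent under the assumption
    }


def parse_trace(text):
    """Extract server contacted, RR TTLs, cached TTL and whether a reply arrived."""
    servers = re.findall(r"Send \d+B to (\S+) via fd=\d+", text)
    ttls = [int(t) for t in re.findall(r"RR TTL: (\d+)", text)]
    m = re.search(r"Min ttl = (\d+)", text)
    return {
        "servers": servers,
        "rr_ttls": ttls,
        "cached_ttl": int(m.group(1)) if m else None,
        "answered": "mgmt_receive_response()" in text,  # absent when the server never replies
    }


def check_min_ttl(trace):
    """The proxy caches an answer for the smallest TTL among its RRs; confirm that."""
    return bool(trace["rr_ttls"]) and trace["cached_ttl"] == min(trace["rr_ttls"])


if __name__ == "__main__":
    stats = parse_stats(STATS_SAMPLE)
    print("UDP health:", udp_health(stats))
    trace = parse_trace(TRACE_SAMPLE)
    print("Trace:", trace)
    print("Cached TTL is the minimum RR TTL:", check_min_ttl(trace))
```

Run it against saved output from a unit under investigation: a growing unanswered_forwards value points at the configured DNS servers (option 3 lists them) rather than at the proxy, and a trace with no mgmt_receive_response() line confirms the same thing for a single lookup.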

Note in the trace that the answer is cached for 277 seconds, the smallest TTL among the returned records, not for the 43200 seconds of the first record.

As of FortiOS 5.4, further options were added to the dnsproxy test command:
diag test application dnsproxy ?
1. Clear DNS cache                                           
2. Show stats                                                
3. Dump DNS setting                                          
4. Reload FQDN                                               
5. Requery FQDN                                              
6. Dump FQDN                                                 
7. Dump DNS cache                                            
8. Dump DNS DB                                               
9. Reload DNS DB                                             
10. Dump secure DNS policy/profile                           
11. Dump Botnet domain                                       
12. Reload Secure DNS setting                                
13. Show Hostname cache                                      
14. Clear Hostname cache                                     
15. DNS debug bit mask

As of FortiOS 6.0, options to show and clear the SDNS (secure DNS) rating cache were added:
diag test application dnsproxy ?
1. Clear DNS cache                                           
2. Show stats                                                
3. Dump DNS setting                                          
4. Reload FQDN                                               
5. Requery FQDN                                              
6. Dump FQDN                                                 
7. Dump DNS cache                                            
8. Dump DNS DB                                               
9. Reload DNS DB                                             
10. Dump secure DNS policy/profile                           
11. Dump Botnet domain                                       
12. Reload Secure DNS setting                                
13. Show Hostname cache                                      
14. Clear Hostname cache 
15. Show SDNS rating cache    
16. Clear SDNS rating cache                                
17. DNS debug bit mask
Note: Include the output of these debugs in any support ticket raised for a DNS issue on the FortiGate. Fortinet Support will advise if further debugs are required.


Related Articles

Technical Tip: How to perform a hostname to IP address resolution on a FortiGate unit
