Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
andre_amaro
New Contributor

Many "DNS-no-domain" errors

Dear,

Analyzing the logs on my WLAN I see hundreds of repeated error messages. Failure Details:

 

Action: DNS-no-domain Reason: Server 120.64.11.10 replied "non-existing domain" Message: DNS lookup of from client failed with "non-existing domain"

 

This type of error is displayed for all APs. In "Reason" the IP varies a bit. Any idea what that might be?

 

 

Best Regards

André

11 REPLIES 11
hixeN
New Contributor

Hello, I have the same problem of you andre.amaro i see theses logs in my fortiGate/Logs/Wifi Events. You or another one did find the resolution ? With the support i hide theses logs on my fortiGate to avoid so many entries in my fortianalyzer. But still i think i have problems with my clients in wifi and i think theses logs are the problem. Regards, Guillaume

boneyard
Valued Contributor

can you share some of the DNS entries which are reported for this?

 

it can just be the client is requesting non existing hostnames.

hixeN
New Contributor

Hello Boneyard,

 

Yes sure, thank you for your help.

 

I haven't theses entries for lan interfaces for exemple. We only see in log/wifi events that's why i was think problem was on the wifi configuration.

 

Regards,

Guillaume

 

boneyard
Valued Contributor

i believe that it is because for some reason for the WiFi the FortiGate logs the failed DNS requests, it doesn't do this on the LAN side.

 

looking at your screenshot the main cause is that NTS2000.nts2000.lan host. do your WiFi clients have an internal DNS server configured which should resolve this hostname? or do they have an external one which can't understand this hostname?

hixeN
New Contributor

Boneyard,

 

Well i have 2 DNS server with the nts2000.lan domain for exemple :

1 site A

1 site B

 

So a client can request at local (site1) and sometimes to the other site (site2) over IPsec VPN. The DNS servers are on Windows servers and not FortiGate.

But when a client ask an IP DHCP from the FortiGate he have the good local IP of the primary DNS server and secondary in remote.

boneyard
Valued Contributor

don't quite understand it.

 

connect a client to the WiFi (WiFi_Marsac or Ayor), is it able to resolve: NTS2000.nts2000.lan

yzhang_FTNT

These DNS data are collected by the FAP and reported to the FGT, which generates these logs. They are wireless related logs. 

 

>>So a client can request at local (site1) and sometimes to the other site (site2) over IPsec VPN.

 

Could each DNS server support all local host names? Or it just contains part of them? If it is the later case, try to add all local names to it.

 

 

hixeN

Hello,

 

@Boneyard Yes all my clients can resolve the domain "nts2000.lan". But on the example I don't have a machine called "nts2000".nts2000.lan. And this is the case for all other entries in my logs :

[ul]
  • nts2000.nts2000.lan
  • wpad.nts2000.lan
  • api.intelsa.intel.com
  • oqvhelrfax.nts2000.lan
  • yydniabojl.nts2000.lan
  • chcfxti.nts2000.lan[/ul]

    None of those above match a device in my group.

     

     

    @yzhang_FTNT Yes all my DNS servers support each device on my LAN. These servers are synchronized between them every 15 minutes. But in the logs it's indicatated that it's the DNS server which answers domain is non-existent :

    [ul]
  • Server X.X.X.X replied "non-existing domain".[/ul]

     

    Or then this is the FortiGate / FortiAP misidentifies the devices and sends incorrect data to the DNS server. Maybe that explains the weird name resolutions above.

     

    Regards, MOREAU Guillaume

  • yzhang_FTNT

    FAP just sniffs the DNS packets, and it does not modify them.

     

    >> Server X.X.X.X replied "non-existing domain".

     

    The above log is generated for the DNS server response message for a query with reply code (3) -- no such name.

     

    You can use a wireshark to sniff client DNS traffic that leave the AP to see whether they are from clients. Or you can just do the sniff on the wireless client if it is doable.