Fortinet black logo

Cookbook

Troubleshooting for DNS filter

Copy Link
Copy Doc ID 5be0d1a4-3f0d-11eb-96b9-00505692583a:150448
Download PDF

Troubleshooting for DNS filter

If you have trouble with the DNS Filter profile in your policy, start with the following troubleshooting steps:

Troubleshooting connection between FortiGate and FortiGuard SDNS server

Ensure FortiGate can connect to the FortiGuard SDNS server. By default, FortiGate uses UDP port 53 to connect to the SDNS server.

To check the connection between FortiGate and the SDNS server in the CLI:
  1. In the CLI Console, run the command diagnose test application dnsproxy 3 to find the FortiGuard SDNS server.
    worker idx: 0
    vdom: root, index=0, is master, vdom dns is disabled, mip-169.254.0.1 dns_log=1
    dns64 is disabled
    vdom: vdom1, index=1, is master, vdom dns is enabled, mip-169.254.0.1 dns_log=1
    dns64 is disabled
    dns-server:208.91.112.220:53 tz=-480 req=0 to=0 res=0 rt=0 secure=1 ready=1 timer=0 probe=0 failure=0 last_failed=0
    dns-server:208.91.112.53:53 tz=0 req=0 to=0 res=0 rt=0 secure=0 ready=1 timer=0 probe=0 failure=0 last_failed=0
    dns-server:208.91.112.52:53 tz=0 req=0 to=0 res=0 rt=0 secure=0 ready=1 timer=0 probe=0 failure=0 last_failed=0
    dns-server:62.209.40.75:53 tz=60 req=0 to=0 res=0 rt=0 secure=1 ready=1 timer=0 probe=0 failure=0 last_failed=0
    dns-server:209.222.147.38:53 tz=-300 req=0 to=0 res=0 rt=0 secure=1 ready=1 timer=0 probe=0 failure=0 last_failed=0
    dns-server:173.243.138.221:53 tz=-480 req=0 to=0 res=0 rt=0 secure=1 ready=1 timer=0 probe=0 failure=0 last_failed=0
    dns-server:45.75.200.89:53 tz=0 req=0 to=0 res=0 rt=0 secure=1 ready=1 timer=0 probe=0 failure=0 last_failed=0
    DNS_CACHE: hash-size=2048, ttl=1800, min-ttl=60, max-num=5000
    DNS FD: udp_s=13 udp_c=16:17 ha_c=21 unix_s=22, unix_nb_s=23, unix_nc_s=24
            v6_udp_s=12, v6_udp_c=19:20, snmp=25, redir=14
    DNS FD: tcp_s=27, tcp_s6=26, redir=28
    FQDN: hash_size=1024, current_query=1024
    DNS_DB: response_buf_sz=4096
    LICENSE: expiry=2029-08-21, expired=0, type=2
    FDG_SERVER:208.91.112.220:53
    FGD_CATEGORY_VERSION:8
    SERVER_LDB: gid=6f00, tz=-420, error_allow=0
    FGD_REDIR:208.91.112.55
  2. Check the FDG_SERVER line. The SDNS server IP address might be different depending on location. For this example, it is:
    FDG_SERVER:208.91.112.220:53
  3. In the CLI Console under the management VDOM, run the command execute ping 208.91.112.220 to check the communication between the FortiGate and the SDNS server.
  4. Optionally, you can also check the communication using a PC on the internal network.
    1. Disable the DNS Filter profile so that it does not affect your connection check.
    2. Ping your ISP or a public DNS service provides's DNS server, for example, Google's public DNS server of 8.8.8.8:
      #dig @8.8.8.8 www.fortinet.com
      

      Or specify the SDNS server as DNS server:

      #dig @208.91.112.220 www.fortinet.com
    3. Check that you can get domain www.fortinet.com A record from the DNS server which shows that UDP port 53 connection path is not blocked.
      #dig @8.8.8.8 www.fortinet.com
      ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 35121
      ;; Flags: qr rd ra; QUERY: 1; ANSWER: 3; AUTHORITY: 0; ADDITIONAL: 0
      
      ;; QUESTION SECTION:
      ;; www.fortinet.com.            IN      A
      
      ;; ANSWER SECTION:
      www.fortinet.com.       289     IN      CNAME   fortinet-prod4-858839915.us-west-1.elb.amazonaws.com.
      fortinet-prod4-858839915.us-west-1.elb.amazonaws.com. 51        IN      A       52.8.142.247
      fortinet-prod4-858839915.us-west-1.elb.amazonaws.com. 51        IN      A       13.56.55.78
      
      ;; Received 129 B
      ;; Time 2019-04-29 14:13:18 PDT
      ;; From 8.8.8.8@53(UDP) in 13.2 ms

Checking FortiGuard DNS Rating Service license

The FortiGuard DNS Rating Service shares the license with FortiGuard Web Filter so you must have a valid Web Filter license for the DNS Rating Service to work. While the license is shared, the DNS Rating Service uses a separate connection mechanism from the Web Filter Rating.

To check the DNS Rating Service license in the CLI:
  1. In the CLI Console, run the command diagnose test application dnsproxy 3.
  2. Look for the LICENSE line and check that the license has not expired, for example:

    LICENSE: expiry=2029-08-21, expired=0, type=2

  3. Check the dns-server lines. Some dns-server lines show secure=1 ready=1. These lines show the functioning SDNS servers. For example:

    dns-server:208.91.112.220:53 tz=-480 req=7 to=0 res=7 rt=1 secure=1 ready=1 timer=0 probe=0 failure=0 last_failed=0

Checking FortiGate DNS Filter profile configuration

To check the FortiGate DNS Filter profile configuration:
  1. Create a local domain filter and set the Action to Redirect to Block Portal.

    See Local domain filter.

  2. Apply this DNS Filter profile to the policy.
  3. From the client PC, DNS query this domain.

If you get the profile's redirected portal address, that shows that the DNS Filter profile works as expected.

More troubleshooting steps

To reload the DNS proxy in the CLI:
(global)#diagnose test application dnsproxy 99
To debug DNS proxy details:

These commands might create more output in your console.

#diagnose debug application dnsproxy -1

#diagnose debug enable/disable

DNS proxy command reference

Use the following diagnose test application dnsproxy command line options to check DNS proxy status and help with troubleshooting.

(global) # diagnose test application dnsproxy ?

worker idx: 0

1. Clear DNS cache

2. Show stats

3. Dump DNS setting

4. Reload FQDN

5. Requery FQDN

6. Dump FQDN

7. Dump DNS cache

8. Dump DNS DB

9. Reload DNS DB

10. Dump secure DNS policy/profile

11. Dump Botnet domain

12. Reload Secure DNS setting

13. Show Hostname cache

14. Clear Hostname cache

15. Show SDNS rating cache

16. Clear SDNS rating cache

17. DNS debug bit mask

99. Restart dnsproxy worker

Troubleshooting for DNS filter

If you have trouble with the DNS Filter profile in your policy, start with the following troubleshooting steps:

Troubleshooting connection between FortiGate and FortiGuard SDNS server

Ensure FortiGate can connect to the FortiGuard SDNS server. By default, FortiGate uses UDP port 53 to connect to the SDNS server.

To check the connection between FortiGate and the SDNS server in the CLI:
  1. In the CLI Console, run the command diagnose test application dnsproxy 3 to find the FortiGuard SDNS server.
    worker idx: 0
    vdom: root, index=0, is master, vdom dns is disabled, mip-169.254.0.1 dns_log=1
    dns64 is disabled
    vdom: vdom1, index=1, is master, vdom dns is enabled, mip-169.254.0.1 dns_log=1
    dns64 is disabled
    dns-server:208.91.112.220:53 tz=-480 req=0 to=0 res=0 rt=0 secure=1 ready=1 timer=0 probe=0 failure=0 last_failed=0
    dns-server:208.91.112.53:53 tz=0 req=0 to=0 res=0 rt=0 secure=0 ready=1 timer=0 probe=0 failure=0 last_failed=0
    dns-server:208.91.112.52:53 tz=0 req=0 to=0 res=0 rt=0 secure=0 ready=1 timer=0 probe=0 failure=0 last_failed=0
    dns-server:62.209.40.75:53 tz=60 req=0 to=0 res=0 rt=0 secure=1 ready=1 timer=0 probe=0 failure=0 last_failed=0
    dns-server:209.222.147.38:53 tz=-300 req=0 to=0 res=0 rt=0 secure=1 ready=1 timer=0 probe=0 failure=0 last_failed=0
    dns-server:173.243.138.221:53 tz=-480 req=0 to=0 res=0 rt=0 secure=1 ready=1 timer=0 probe=0 failure=0 last_failed=0
    dns-server:45.75.200.89:53 tz=0 req=0 to=0 res=0 rt=0 secure=1 ready=1 timer=0 probe=0 failure=0 last_failed=0
    DNS_CACHE: hash-size=2048, ttl=1800, min-ttl=60, max-num=5000
    DNS FD: udp_s=13 udp_c=16:17 ha_c=21 unix_s=22, unix_nb_s=23, unix_nc_s=24
            v6_udp_s=12, v6_udp_c=19:20, snmp=25, redir=14
    DNS FD: tcp_s=27, tcp_s6=26, redir=28
    FQDN: hash_size=1024, current_query=1024
    DNS_DB: response_buf_sz=4096
    LICENSE: expiry=2029-08-21, expired=0, type=2
    FDG_SERVER:208.91.112.220:53
    FGD_CATEGORY_VERSION:8
    SERVER_LDB: gid=6f00, tz=-420, error_allow=0
    FGD_REDIR:208.91.112.55
  2. Check the FDG_SERVER line. The SDNS server IP address might be different depending on location. For this example, it is:
    FDG_SERVER:208.91.112.220:53
  3. In the CLI Console under the management VDOM, run the command execute ping 208.91.112.220 to check the communication between the FortiGate and the SDNS server.
  4. Optionally, you can also check the communication using a PC on the internal network.
    1. Disable the DNS Filter profile so that it does not affect your connection check.
    2. Ping your ISP or a public DNS service provides's DNS server, for example, Google's public DNS server of 8.8.8.8:
      #dig @8.8.8.8 www.fortinet.com
      

      Or specify the SDNS server as DNS server:

      #dig @208.91.112.220 www.fortinet.com
    3. Check that you can get domain www.fortinet.com A record from the DNS server which shows that UDP port 53 connection path is not blocked.
      #dig @8.8.8.8 www.fortinet.com
      ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 35121
      ;; Flags: qr rd ra; QUERY: 1; ANSWER: 3; AUTHORITY: 0; ADDITIONAL: 0
      
      ;; QUESTION SECTION:
      ;; www.fortinet.com.            IN      A
      
      ;; ANSWER SECTION:
      www.fortinet.com.       289     IN      CNAME   fortinet-prod4-858839915.us-west-1.elb.amazonaws.com.
      fortinet-prod4-858839915.us-west-1.elb.amazonaws.com. 51        IN      A       52.8.142.247
      fortinet-prod4-858839915.us-west-1.elb.amazonaws.com. 51        IN      A       13.56.55.78
      
      ;; Received 129 B
      ;; Time 2019-04-29 14:13:18 PDT
      ;; From 8.8.8.8@53(UDP) in 13.2 ms

Checking FortiGuard DNS Rating Service license

The FortiGuard DNS Rating Service shares the license with FortiGuard Web Filter so you must have a valid Web Filter license for the DNS Rating Service to work. While the license is shared, the DNS Rating Service uses a separate connection mechanism from the Web Filter Rating.

To check the DNS Rating Service license in the CLI:
  1. In the CLI Console, run the command diagnose test application dnsproxy 3.
  2. Look for the LICENSE line and check that the license has not expired, for example:

    LICENSE: expiry=2029-08-21, expired=0, type=2

  3. Check the dns-server lines. Some dns-server lines show secure=1 ready=1. These lines show the functioning SDNS servers. For example:

    dns-server:208.91.112.220:53 tz=-480 req=7 to=0 res=7 rt=1 secure=1 ready=1 timer=0 probe=0 failure=0 last_failed=0

Checking FortiGate DNS Filter profile configuration

To check the FortiGate DNS Filter profile configuration:
  1. Create a local domain filter and set the Action to Redirect to Block Portal.

    See Local domain filter.

  2. Apply this DNS Filter profile to the policy.
  3. From the client PC, DNS query this domain.

If you get the profile's redirected portal address, that shows that the DNS Filter profile works as expected.

More troubleshooting steps

To reload the DNS proxy in the CLI:
(global)#diagnose test application dnsproxy 99
To debug DNS proxy details:

These commands might create more output in your console.

#diagnose debug application dnsproxy -1

#diagnose debug enable/disable

DNS proxy command reference

Use the following diagnose test application dnsproxy command line options to check DNS proxy status and help with troubleshooting.

(global) # diagnose test application dnsproxy ?

worker idx: 0

1. Clear DNS cache

2. Show stats

3. Dump DNS setting

4. Reload FQDN

5. Requery FQDN

6. Dump FQDN

7. Dump DNS cache

8. Dump DNS DB

9. Reload DNS DB

10. Dump secure DNS policy/profile

11. Dump Botnet domain

12. Reload Secure DNS setting

13. Show Hostname cache

14. Clear Hostname cache

15. Show SDNS rating cache

16. Clear SDNS rating cache

17. DNS debug bit mask

99. Restart dnsproxy worker