If you have trouble with the DNS filter profile in your policy, start with the following troubleshooting steps:
- Check the connection between the FortiGate and FortiGuard DNS rating server (SDNS server).
- Check that the FortiGate has a valid FortiGuard web filter license.
- Check the FortiGate DNS filter configuration.
You need to ensure the FortiGate can connect to the FortiGuard SDNS server. By default, the FortiGate uses UDP port 53 to reach the SDNS server, so any upstream firewall or ISP filtering must allow outbound UDP port 53 traffic from the FortiGate.
Verify the FortiGuard SDNS server information:
# diagnose test application dnsproxy 3
...
FDG_SERVER:18.104.22.168:53
FGD_CATEGORY_VERSION:8
SERVER_LDB: gid=6f00, tz=-420, error_allow=0
FGD_REDIR:22.214.171.124
The SDNS server IP address varies by location, so use the address and port shown in the FDG_SERVER field of your own output rather than the one in this example.
In the management VDOM (FortiGuard traffic is sourced from there), check the communication between the FortiGate and the SDNS server:
#execute ping 188.8.131.52
Optionally, you can check the path from a PC on the internal network (this example uses dig).
Disable the DNS filter profile in the policy first so that it does not affect the connection check.
Query your ISP's DNS server or a public DNS provider's server, for example Google's public DNS server at 184.108.40.206:
#dig @220.127.116.11 www.fortinet.com
Or, specify the SDNS server as a DNS server:
#dig @18.104.22.168 www.fortinet.com
Verify that you receive an A record for www.fortinet.com from the DNS server (status NOERROR, at least one A record in the answer section). A successful answer shows that the UDP port 53 path from the internal network to that server is not blocked.
#dig @22.214.171.124 www.fortinet.com
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 35121
;; Flags: qr rd ra; QUERY: 1; ANSWER: 3; AUTHORITY: 0; ADDITIONAL: 0

;; QUESTION SECTION:
;; www.fortinet.com. IN A

;; ANSWER SECTION:
www.fortinet.com. 289 IN CNAME fortinet-prod4-858839915.us-west-1.elb.amazonaws.com.
fortinet-prod4-858839915.us-west-1.elb.amazonaws.com. 51 IN A 126.96.36.199
fortinet-prod4-858839915.us-west-1.elb.amazonaws.com. 51 IN A 188.8.131.52

;; Received 129 B
;; Time 2019-04-29 14:13:18 PDT
;; From 184.108.40.206@53(UDP) in 13.2 ms
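The connectivity check above can be scripted from a host on the internal network when dig is not available. The following is an added example, not Fortinet's code or part of the original page: it extracts the FDG_SERVER address from the dnsproxy output, builds a raw DNS A query, parses the reply (including CNAME chains like the one in the dig output), and applies the same pass criteria the page describes (matching transaction ID, status NOERROR, at least one A record). The addresses and the load-balancer name in the constructed samples are assumptions taken from RFC 5737 documentation ranges and example.net, not real FortiGuard or Fortinet servers.

```python
"""Added example (not Fortinet code): probe the UDP/53 path to an SDNS or
public resolver with a raw DNS A query and evaluate the reply.
Sample addresses/names below are assumptions (RFC 5737, example.net)."""
import re
import socket
import struct


def parse_dnsproxy_status(text):
    """Pull the SDNS server host:port out of 'diagnose test application
    dnsproxy 3' output so the probe can target the same server."""
    m = re.search(r"FDG_SERVER:([\d.]+):(\d+)", text)
    if not m:
        raise ValueError("no FDG_SERVER line in dnsproxy output")
    return {"server": m.group(1), "port": int(m.group(2))}


def _encode_name(name):
    """Wire-format a dotted name: length-prefixed labels, zero terminator."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_a_query(name, txid=1):
    """Standard recursive A query (flags 0x0100 = RD set), one question."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + _encode_name(name) + struct.pack(">HH", 1, 1)  # A, IN


def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it).
    A hop counter guards against malicious compression-pointer loops."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # compression pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels) + ".", end if end is not None else off


def parse_response(msg):
    """Return txid, RCODE and the answer RRs as (owner, type, ttl, value)."""
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                           # skip the question section
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        owner, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == 1:                            # A record
            value = ".".join(str(b) for b in rdata)
        elif rtype == 5:                          # CNAME, may be compressed
            value, _ = _read_name(msg, off)
        else:
            value = rdata.hex()
        off += rdlen
        answers.append((owner, rtype, ttl, value))
    return {"id": txid, "rcode": flags & 0xF, "answers": answers}


def a_records(parsed):
    return [v for (_o, t, _ttl, v) in parsed["answers"] if t == 1]


def check_reply(query, reply):
    """Pass criteria from the page: txid matches, status NOERROR (0),
    and at least one A record, possibly behind a CNAME chain."""
    parsed = parse_response(reply)
    return (parsed["id"] == struct.unpack(">H", query[:2])[0]
            and parsed["rcode"] == 0
            and len(a_records(parsed)) > 0)


def udp53_path_open(server, name="www.fortinet.com", port=53, timeout=3.0):
    """Live probe (needs network): a timeout means the UDP/53 path is
    blocked or the server is unreachable."""
    query = build_a_query(name, txid=0x1234)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, port))
        try:
            reply, _ = s.recvfrom(4096)
        except socket.timeout:
            return False
    return check_reply(query, reply)


# Constructed sample data (assumptions, not captured from a real device).
SAMPLE_STATUS = "FDG_SERVER:198.51.100.53:53\nFGD_CATEGORY_VERSION:8\n"


def build_sample_reply(txid=35121, rcode=0):
    """Reply shaped like the dig output: www.fortinet.com CNAME to a
    load-balancer name that has two A records (hypothetical addresses)."""
    question = _encode_name("www.fortinet.com") + struct.pack(">HH", 1, 1)
    target = _encode_name("lb.example.net")
    header = struct.pack(">HHHHHH", txid, 0x8180 | rcode, 1, 3, 0, 0)
    cname = b"\xc0\x0c" + struct.pack(">HHIH", 5, 1, 289, len(target)) + target
    target_ptr = struct.pack(">H", 0xC000 | (12 + len(question) + 12))
    a1 = target_ptr + struct.pack(">HHIH", 1, 1, 51, 4) + bytes([203, 0, 113, 10])
    a2 = target_ptr + struct.pack(">HHIH", 1, 1, 51, 4) + bytes([203, 0, 113, 11])
    return header + question + cname + a1 + a2
```

Run `udp53_path_open(parse_dnsproxy_status(status)["server"])` from the internal PC with the DNS filter profile disabled; `False` on a timeout points at a blocked UDP port 53 path, while `False` on a received reply (wrong transaction ID, non-zero RCODE, or no A record) points at the resolver rather than the path.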
The FortiGuard DNS rating service shares the license with the FortiGuard web filter, so you must have a valid web filter license for the DNS rat