Fortigate 100D Fortios 5.4.1 Deny: DNS error

Author
Akononov
New Member
2016/07/11 09:14:30 (permalink)

Fortigate 100D Fortios 5.4.1 Deny: DNS error

Hello!
After upgrading our 100D, in Forward Traffic we can see these messages:

IP: 77.88.8.1
Host Name: secondary.dns.yandex.ru
Port: 53
Interface: wan1
Application Name: Unknown
Category: unscanned
Protocol: udp
Action: Deny: DNS error

AND

IP: 77.88.8.1
Host Name: secondary.dns.yandex.ru
Port: 53
Interface: wan2
Application Name: Unknown
Category: unscanned
Protocol: udp
Action: Deny: IP connection error
#1
Akononov
New Member
Re: Fortigate 100D Fortios 5.4.1 Deny: DNS error 2016/08/08 01:09:16 (permalink)
Hi! 
Is this problem only for me?
#2
kwik
New Member
Re: Fortigate 100D Fortios 5.4.1 Deny: DNS error 2016/09/05 13:27:59 (permalink)
Nope, I also have the same 100D on 5.4.1 and the DNS error.
Loading a webpage takes minutes (do you also have this behaviour?)
 
Did you find a solution ?
 
 
post edited by kwik - 2016/09/05 13:30:28
#3
MikePruett
Platinum Member
Re: Fortigate 100D Fortios 5.4.1 Deny: DNS error 2016/09/05 19:13:02 (permalink)
Do you have any layer 7 applied to the policy that is letting DNS out?
#4
kwik
New Member
Re: Fortigate 100D Fortios 5.4.1 Deny: DNS error 2016/09/05 23:20:25 (permalink)
No security features are active on the separate DNS rule.
#5
Jeroen
Bronze Member
Re: Fortigate 100D Fortios 5.4.1 Deny: DNS error 2016/10/13 07:11:55 (permalink)
luk.scheepers wrote:
No security features are active on the separate DNS rule.

Did you ever find a solution to the problem? I have the same problem on a 100D model, even when all IPS/APP are deactivated.
#6
gsarica
Bronze Member
Re: Fortigate 100D Fortios 5.4.1 Deny: DNS error 2016/10/13 07:30:38 (permalink)
We're seeing the same messages, also show up as threats in the FortiView area as 'Failed Connection Attempts'. I have an active ticket opened with support, been going back and forth with some testing.
 
Edit: Also a Fortigate 100D with 5.4.1.
#7
MikePruett
Platinum Member
Re: Fortigate 100D Fortios 5.4.1 Deny: DNS error 2016/10/13 09:03:11 (permalink)
I am now officially in the same boat. Have a client running a 60D w/ 5.4.1 and it is seeing a lot of these. Weird stuff.
 
Nothing looks out of the ordinary on debugs so far.
#8
gsarica
Bronze Member
Re: Fortigate 100D Fortios 5.4.1 Deny: DNS error 2016/10/13 09:19:30 (permalink)
Other things to note, not sure if any of you have similar setups that may be causing this:
 
-We're running dual WAN with load balancing. I see the issue with both WAN interfaces though in the logs so that doesn't seem to be it.
-We're also using OpenDNS as our DNS provider.
-I also see the source interface is sometimes LAN which would be correct and also sometimes 'unknown-0'. Not sure what that means at all.
#9
gsarica
Bronze Member
Re: Fortigate 100D Fortios 5.4.1 Deny: DNS error 2016/10/13 12:37:07 (permalink)
I got this response from support, though we're hesitant to delete any session helpers:
 

By design FortiGate looks for invalid/failed DNS traffic and will mark it as action=dns or in the GUI as "Action Deny: DNS error". This happens if the DNS query is not successful, i.e. returns any status other than NOERROR.

This is an expected behavior in version 5.4 where the firewall logs any invalid DNS traffic. The firewall action itself is allow/pass, but the bad reply from the server is not forwarded back to the requesting client, thus showing the "Deny: DNS Error" message. Invalid DNS traffic would be, e.g., UDP packets on port 53 that are not DNS traffic, oversized packets, bad checksums, etc.

** Can you try to delete the DNS session helper from the session-helper configuration:

How session helper works:
The FortiOS firewall can analyze most TCP/IP protocol traffic by comparing packet header information to security policies. This comparison determines whether to accept or deny the packet and the session that the packet belongs to. Some protocols include information in the packet body (or payload) that must be analyzed to successfully process sessions for this protocol. It can happen that the information expected by the security policy is not contained in the header/payload of the packet, and that is when the packet is denied or dropped; the session helper for DNS is not mandatory, for which reason you can delete it, and it should work properly after.

DELETE:
config system session-helper
    show
    (find the one for DNS and then edit it by giving its number)
    edit 14                <---- I checked on the remote session it is "14"
        set name dns-udp
        set protocol 17
        set port 53
    next
    delete 14              <------
end

Explanation on Deny: IP connection error:
This is an already known issue in 5.4.X and the developers are still working on this issue.

#10
IUseFGT
New Member
Re: Fortigate 100D Fortios 5.4.1 Deny: DNS error 2017/01/16 21:05:29 (permalink)
Can you post your config to further assist.
 
Please make sure you are allowing http, https, dns, ntp, and port 8888 at a minimum from your internal to wan.
 
Also, I would recommend going to system, fortiguard.  Make sure under fortiguard filtering port is set to 8888.  
 
If you have any other interfaces, I would make sure they also have http, https, dns, and ntp allowed to wan.
 
In addition, I would recommend setting your FGT DNS to the closest server to you. I have had the best luck if an internal DNS is used and then forwarders are placed in Active Directory DNS to whatever DNS you want. For example, if you use Comcast, use their DNS servers in the FGT. Also, point any other network's DNS to the closest DNS server. For example, if you have a separate wifi interface, specify that same DNS server. Example: Comcast is 75.75.75.75.
 
Waiting to receive your config if you are still having problems. 
#11
Alby23
Gold Member
Re: Fortigate 100D Fortios 5.4.1 Deny: DNS error 2017/01/17 03:51:02 (permalink)
Possible malformed/invalid DNS requests?
#12
Holy
Gold Member
Re: Fortigate 100D Fortios 5.4.1 Deny: DNS error 2017/01/25 12:40:24 (permalink)
Pretty much the same errors on 13 FortiGate 50E branches. Our FortiAnalyzer is now full of these errors.
 
will also open a ticket today.

NSE 8 
NSE 1 - 7
 
#13
Holy
Gold Member
Re: Fortigate 100D Fortios 5.4.1 Deny: DNS error 2017/01/27 13:54:02 (permalink)
Here is the Answer from Fortinet.
 
Dear customer, 

Thank you for contacting Fortinet Technical Support. 
My name *** and I will assist you with this issue. 

You will see the following errors if the conditions are met: 

1. DNS Queries -- DNS query returns anything but NOERROR. 
"action" in log is "dns" 

By design FortiGate looks for invalid/failed DNS traffic and will mark it as action=dns or in the GUI as "Action Deny: DNS error". 

This happens if the DNS query is not successful returns any other status than NOERROR. 
This is an expected behavior in version 5.4 where the firewall logs any invalid DNS traffic. 
The firewall action itself is allow/pass, but the bad reply from the server is not forwarded back to the requesting client thus showing the "Deny: DNS Error" message. 
--- 

2. Host not reachable -- If trying to reach an IP address that does not respond.
"action" in log is "ip-conn"
---
In both cases of your logs the connection is actually allowed by the firewall; for DNS you receive anything but NOERROR, and for IP connection error the destination host does not respond.

Please let me know whether you need further assistance or the ticket can be closed. 
 
 
 
After that I did some traffic capture and we looked at it.

Indeed there were many errors, because of, for example, a DNS suffix.
 
 
Dear customer, 

As stated in the above answers to your requests:

In your provided packet capture from the firewall there are 106 DNS packets.
87 have been returned with NOERROR.
19 have been returned with "No such name".
That is about 18% unsuccessful requests, and they are leading to the messages you question.

From my point of view it is exactly behaving as I explained. 

For your reference a couple of examples below: 

2 2017-01-27 12:42:13.143902 172.16.1.1 172.16.4.200 DNS 164 Standard query response 0x35a0 No such name A wpad.stuttgart.****.local SOA dc01.*****.local 

NSE 8 
NSE 1 - 7
 
#14
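An added Python example, not code from the thread or from Fortinet, that reproduces the tally the support engineer did on the capture above and the rule stated in the earlier support answer (any response other than NOERROR is logged as "Deny: DNS error"): it reads the RCODE from raw DNS responses and computes the failing share. The packets, transaction IDs and names are constructed for the example; FortiGate's own inspection logic is not public and is only approximated here.

```python
import struct
from collections import Counter

# DNS RCODE values (RFC 1035 / IANA). Per the support answer in this thread, FortiOS 5.4
# logs action=dns ("Deny: DNS error") for any response whose RCODE is not NOERROR.
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED"}


def dns_rcode(packet: bytes) -> int:
    """Return the RCODE of a raw DNS response (UDP payload); raise on malformed input."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    _txid, flags = struct.unpack("!HH", packet[:4])
    if not flags & 0x8000:           # QR bit clear: a query, not a response
        raise ValueError("not a DNS response")
    return flags & 0x000F


def build_response(txid: int, rcode: int, name: str) -> bytes:
    """Construct a minimal DNS response (one A question, no answers) with the given RCODE."""
    flags = 0x8180 | (rcode & 0xF)   # QR=1, RD=1, RA=1
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN


def summarise(responses) -> dict:
    """Tally responses by RCODE and compute the share FortiOS 5.4 would log as a DNS error."""
    counts = Counter()
    for pkt in responses:
        try:
            counts[RCODE_NAMES.get(dns_rcode(pkt), "OTHER")] += 1
        except ValueError:
            counts["INVALID"] += 1   # non-DNS or malformed UDP/53 traffic is flagged too
    total = sum(counts.values())
    failed = total - counts["NOERROR"]
    pct = round(100.0 * failed / total, 1) if total else 0.0
    return {"total": total, "failed": failed, "failed_pct": pct, "by_rcode": dict(counts)}


# Constructed sample mirroring the capture discussed above: 87 NOERROR replies and
# 19 "No such name" (NXDOMAIN) replies, e.g. for a wpad lookup under the AD DNS suffix.
SAMPLE = [build_response(0x1000 + i, 0, "dc01.example.local") for i in range(87)]
SAMPLE += [build_response(0x2000 + i, 3, "wpad.example.local") for i in range(19)]

if __name__ == "__main__":
    print(summarise(SAMPLE))   # {'total': 106, 'failed': 19, 'failed_pct': 17.9, ...}
```

Running the same tally over a real capture from the firewall tells you whether the "DNS error" volume is driven by a handful of names (as the wpad example in the support reply suggests) before anyone touches session helpers.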
ARPi
New Member
Re: Fortigate 100D Fortios 5.4.1 Deny: DNS error 2017/01/31 16:45:26 (permalink)
Hi, ran into the same error on two different FTG deployments, one of which we had to roll back because there were lots of incidents. Nearly no DNS resolving was successful.

So, do the Fortinet replies imply that either:
1. DNS is incorrectly configured (and thus Fortinet is helping you improve your DNS configuration), because this is expected behaviour in FortiOS 5.4, or
2. this is too much of an advanced or assisting feature, so that you might as well disable it (session helper option)?
 
How does this help us solve the issue at hand on the FTG ? Or is it not the FTG the issue should be solved on ?
 
@Holy and @gsarica how did you solve this DNS Error issue at your end ?
#15
gsarica
Bronze Member
Re: Fortigate 100D Fortios 5.4.1 Deny: DNS error 2017/02/01 05:40:35 (permalink)
We didn't resolve this. Support sent us the following:
 

 
** Can you try to delete the DNS session helper from the session-helper configuration:

How session helper works:
The FortiOS firewall can analyze most TCP/IP protocol traffic by comparing packet header information to security policies. This comparison determines whether to accept or deny the packet and the session that the packet belongs to. Some protocols include information in the packet body (or payload) that must be analyzed to successfully process sessions for this protocol. It can happen that the information expected by the security policy is not contained in the header/payload of the packet, and that is when the packet is denied or dropped; the session helper for DNS is not mandatory, for which reason you can delete it, and it should work properly after.

DELETE:
config system session-helper
    show
    (find the one for DNS and then edit it by giving its number)
    edit 14                <---- I checked on the remote session it is "14"
        set name dns-udp
        set protocol 17
        set port 53
    next
    delete 14              <------
end

 
We haven't tried this though since we're hesitant to straight up delete anything without being able to test first (it's our only production firewall).
#16
tmazowski
New Member
Re: Fortigate 100D Fortios 5.4.1 Deny: DNS error 2017/03/21 07:20:18 (permalink)
We were having similar problems with a FortiGate not being able to resolve DNS names, and thus not being able to connect to FortiGuard. Here is what solved our issue.
(names/IPs changed to protect the innocent)
 
FORTIGATE # config sys dns
 
FORTIGATE (dns) # get
primary             : 169.254.253.252
secondary           : 169.254.252.253
domain              : null.com
ip6-primary         : ::
ip6-secondary       : ::
dns-cache-limit     : 5000
dns-cache-ttl       : 1800
cache-notfound-responses: disable
source-ip           : 10.1.2.3 (** this is the LAN/Internal IP)
 
##Updated the Source IP to 0.0.0.0: 
FORTIGATE (dns) # set source-ip 0.0.0.0
 
#17
whizzard
New Member
Re: Fortigate 100D Fortios 5.4.1 Deny: DNS error 2017/03/21 08:43:49 (permalink)
Mine already has that source IP and we are still getting the error.
post edited by whizzard - 2017/03/21 08:46:12
#18
MikePruett
Platinum Member
Re: Fortigate 100D Fortios 5.4.1 Deny: DNS error 2017/03/21 10:31:40 (permalink)
I created some new security sensors to replace the ones that I already had and it resolved the issues in my case.
#19
lmccuistian
New Member
Re: Fortigate 100D Fortios 5.4.1 Deny: DNS error 2017/03/22 04:59:10 (permalink)
I have the same issue on my Fortigate 100E with FortiOS 5.4.4. I tried deleting the session helper, without luck (but it didn't seem to hurt anything either). I also verified my DNS Source IP is already 0.0.0.0 too.
 
@MikePruett, you stated you created some new security sensors. Are you saying you created new security profiles (AV, Web Filter, App Control, Etc..) across the board, or just for the ones that tied to a policy for DNS traffic?
#20