Fortigate 200E: Recursive DNS not working for VPN SSL users

Author: titoff (New Member)
2019/04/25 10:13:25 (permalink)

Hi,
FortiGate version: FortiGate-200E v6.0.4
Problem:
I configured VPN SSL as explained in the cookbook, as well as DNS for clients (the FortiGate 200E), which is supposed to do recursive DNS too.
 
The current situation: 
1/ For users transiting the firewall who are NOT connected via SSL VPN, everything works as expected, including recursive DNS.
2/ DNS resolution from the FW itself also works as expected, e.g. "execute ping www.linode.com".
3/ [NOT working] DNS resolution is not working for users connected via VPN SSL.
 
The logs are below, but basically when everything works as expected you can see the whole resolution taking place, i.e. the arrival of the packet, the recursive query to the remote DNS server and the response.
When it is not working, the DNS request doesn't even get parsed, as can be seen below: the sequence stops at "get_intf_policy()-892: ifindex=31" and the next step, "[worker 0] dns_parse_message()-614", is missing.
 
-> I suspected a firewall policy issue, but even after allowing all kinds of traffic through it still doesn't work.
 
Any ideas, experiences or even a solution ;)
 
Thanks in advance
 
Logs on executing "diagnose debug application dns -1" (when not working): NOK
 
[worker 0] udp_receive_request()-2330
[worker 0] udp_receive_request()-2385: vd=0, vrf=0, intf=31, len=32, alen=16, 192.168.99.9:51745=>172.16.99.3
[worker 0] handle_dns_request()-1615: id:0xbd49 pktlen=32, qr=0 req_type=3
[worker 0] get_intf_policy()-892: ifindex=31
[worker 0] udp_receive_request()-2330
[worker 0] batch_on_read()-2688
[worker 0] udp_receive_request()-2330
[worker 0] udp_receive_request()-2385: vd=0, vrf=0, intf=31, len=33, alen=16, 192.168.99.9:52229=>172.16.99.3
Logs on executing "diagnose debug application dns -1" (when working): OK
 
[worker 0] udp_receive_request()-2385: vd=0, vrf=0, intf=38, len=36, alen=16, 172.16.199.190:53453=>172.16.99.3
[worker 0] handle_dns_request()-1615: id:0x6c31 pktlen=36, qr=0 req_type=3
[worker 0] get_intf_policy()-892: ifindex=38
[worker 0] dns_parse_message()-614
[worker 0] dns_nat64_update_request()-270
[worker 0] dns_local_lookup()-2223: vfid=0 qname=etsy.fr, qtype=1, qclass=1, offset=25, map#=2 max_sz=512
[worker 0] dns_lookup_aa_zone()-495: vfid=0, fqdn=etsy.fr
[worker 0] dns_forward_request()-1056
[worker 0] dns_send_resol_request()-861: orig id: 0x316c local id: 0x0000 domain=etsy.fr
[worker 0] dns_find_best_server()-375: vfid=0 profiled=0 last server 0.0.0.0
[worker 0] dns_send_resol_request()-967: Send 36B to 1.1.1.1:53 via fd=16 request:0 dns_num:7
[worker 0] dns_send_resol_request()-1010: fd=16 used source-ip: 99.99.99.10:4075
[worker 0] udp_receive_request()-2330
[worker 0] batch_on_read()-2688
[worker 0] udp_receive_response()-2546
[worker 0] udp_receive_response()-2569: vd-0: len=192, addr=1.1.1.1:53
[worker 0] dns_query_handle_response()-2025: id:0x802a domain=etsy.fr pktlen=192
[worker 0] dns_set_min_ttl()-182: QR: etsy.fr
[worker 0] dns_set_min_ttl()-190: Offset of 1st RR: 25 Number of RR's: 6
[worker 0] dns_set_min_ttl()-200: RR TTL: 3600
[worker 0] dns_set_min_ttl()-200: RR TTL: 158606
[worker 0] dns_set_min_ttl()-200: RR TTL: 158606
[worker 0] dns_set_min_ttl()-200: RR TTL: 158606
[worker 0] dns_set_min_ttl()-200: RR TTL: 158606
[worker 0] dns_set_min_ttl()-200: RR TTL: 0
[worker 0] dns_cache_response()-281: Min ttl = 10
[worker 0] dns_forward_response()-1272
[worker 0] dns_secure_forward_response()-1220: category=255 profile=none
[worker 0] dns_visibility_log_hostname()-235: vd=0 pktlen=192
[worker 0] hostname_entry_insert()-140: af=2 domain=etsy.fr
[worker 0] __dns_forward_response()-1123
[worker 0] __dns_forward_response()-1129: vd-0 Send 192B via fd=13, family=2
[worker 0] __dns_forward_response()-1132: set svf of fd to 0
[worker 0] __dns_forward_response()-1179: vd=0 send 192B response 172.16.99.3:53=>172.16.199.190:53453
[worker 0] dns_query_delete()-449: orgi id:0x316c local id:0x802a active tcp_req=(nil)
[worker 0] udp_receive_response()-2546
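A way to confirm the symptom described above without reading the trace by eye, added here as an example that is not part of the original post or of any Fortinet tool: a small Python parser for "diagnose debug application dns -1" output that groups lines into one record per client query and reports which interface index each query arrived on and how far the daemon got with it. The sample log embedded in the script is constructed from the two excerpts in this post; the line-number suffixes in the regular expressions (-2385, -1615, -892, -614, -967, -1179) are those of the FortiOS 6.0.4 build shown here and may differ on other builds, so treat the patterns as an assumption tied to this trace.

```python
import re

# Constructed sample: the failing (intf=31) and working (intf=38) excerpts
# from the post, trimmed to the lines the parser keys on.
SAMPLE_LOG = """\
[worker 0] udp_receive_request()-2330
[worker 0] udp_receive_request()-2385: vd=0, vrf=0, intf=31, len=32, alen=16, 192.168.99.9:51745=>172.16.99.3
[worker 0] handle_dns_request()-1615: id:0xbd49 pktlen=32, qr=0 req_type=3
[worker 0] get_intf_policy()-892: ifindex=31
[worker 0] udp_receive_request()-2330
[worker 0] batch_on_read()-2688
[worker 0] udp_receive_request()-2385: vd=0, vrf=0, intf=38, len=36, alen=16, 172.16.199.190:53453=>172.16.99.3
[worker 0] handle_dns_request()-1615: id:0x6c31 pktlen=36, qr=0 req_type=3
[worker 0] get_intf_policy()-892: ifindex=38
[worker 0] dns_parse_message()-614
[worker 0] dns_local_lookup()-2223: vfid=0 qname=etsy.fr, qtype=1, qclass=1, offset=25, map#=2 max_sz=512
[worker 0] dns_send_resol_request()-967: Send 36B to 1.1.1.1:53 via fd=16 request:0 dns_num:7
[worker 0] __dns_forward_response()-1179: vd=0 send 192B response 172.16.99.3:53=>172.16.199.190:53453
"""

# Patterns are tied to the FortiOS 6.0.4 line-number suffixes seen in this trace
# (assumption: other builds may print different suffixes).
RECV_RE = re.compile(r"udp_receive_request\(\)-2385: .*?intf=(\d+),.*? (\S+)=>(\S+)$")
ID_RE = re.compile(r"handle_dns_request\(\)-1615: id:(0x[0-9a-fA-F]+)")
POLICY_RE = re.compile(r"get_intf_policy\(\)-892: ifindex=(\d+)")
PARSE_RE = re.compile(r"dns_parse_message\(\)-614")
QNAME_RE = re.compile(r"dns_local_lookup\(\)-2223: .*?qname=([^,]+), qtype=(\d+)")
FWD_RE = re.compile(r"dns_send_resol_request\(\)-967: Send \d+B to (\S+) via")
RESP_RE = re.compile(r"__dns_forward_response\(\)-1179: .*? response (\S+)=>(\S+)$")


def parse_dns_debug(text):
    """Group the per-line debug output into one record per client query.

    A new record starts at each udp_receive_request()-2385 line; the lines
    that follow (until the next one) are attributed to that query.
    """
    requests = []
    cur = None
    for line in text.splitlines():
        m = RECV_RE.search(line)
        if m:
            cur = {
                "intf": int(m.group(1)),
                "src": m.group(2),
                "dst": m.group(3),
                "id": None,
                "policy_checked": False,
                "parsed": False,
                "qname": None,
                "qtype": None,
                "forwarded_to": None,
                "answered": False,
            }
            requests.append(cur)
            continue
        if cur is None:
            continue  # lines before the first request (e.g. batch_on_read)
        if m := ID_RE.search(line):
            cur["id"] = m.group(1)
        elif POLICY_RE.search(line):
            cur["policy_checked"] = True
        elif PARSE_RE.search(line):
            cur["parsed"] = True
        elif m := QNAME_RE.search(line):
            cur["qname"], cur["qtype"] = m.group(1), int(m.group(2))
        elif m := FWD_RE.search(line):
            cur["forwarded_to"] = m.group(1)
        elif RESP_RE.search(line):
            cur["answered"] = True
    return requests


def status(req):
    """How far the daemon got with one query, in the order the trace shows."""
    if req["answered"]:
        return "answered"
    if req["forwarded_to"]:
        return f"forwarded to {req['forwarded_to']}, no response seen"
    if req["parsed"]:
        return "parsed, not forwarded"
    if req["policy_checked"]:
        return "dropped after interface policy check"
    return "received only"


def stalled_interfaces(requests):
    """Interface indexes whose queries pass get_intf_policy() but are never parsed.

    This is the post's symptom: a query on the SSL VPN interface reaches the
    policy check and then nothing else happens, which points at the DNS
    server not being configured to answer on that interface.
    """
    return sorted({r["intf"] for r in requests
                   if r["policy_checked"] and not r["parsed"]})


if __name__ == "__main__":
    reqs = parse_dns_debug(SAMPLE_LOG)
    for r in reqs:
        print(f"intf={r['intf']:<3} id={r['id']} {r['src']} -> {r['dst']} "
              f"qname={r['qname']}: {status(r)}")
    print("interfaces with unparsed queries:", stalled_interfaces(reqs))
```

Run it against a saved trace (replace SAMPLE_LOG with the file contents) and the stalled interface indexes come out in one line; map an index to an interface name on the FortiGate with "diagnose netlink interface list", which prints each interface with its index, and compare that name with the entries under "config system dns-server".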
    Dave Hall (Expert Member, Canada)
    Re: Fortigate 200E:Recursive DNS not working for VPN SSL users 2019/04/25 11:20:31 (permalink)
    I haven't seen the cookbook recipe in question, but it does sound like you need to set up Split-DNS.
    NSE4/FMG-VM64/FortiAnalyzer-VM/5.2/5.4 (FWF40C/FW92D/FGT200B/FGT200D/FGT101E)/ FAP220B/221C

    titoff (New Member)
    Re: Fortigate 200E:Recursive DNS not working for VPN SSL users 2019/04/26 05:53:56 (permalink)
    Thanks for replying Dave.
    Unfortunately that did not work; however, this worked:
     
    config system dns-server
    edit "ssl.root"
        set mode recursive
    next
    end


    I had tried the above config too, but it did not work initially, so I am busy looking for what I changed in addition to that.
     
    Thanks
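The pieces that the two replies above touch, put together as one FortiOS CLI fragment. This is an added example, not configuration from the original poster or from a Fortinet cookbook: the addresses come from the trace in the first post (172.16.99.3 is the address the clients query, 1.1.1.1 is the upstream the working trace forwards to), while the secondary resolver, the LAN interface name "lan", the portal name "full-access" and the domain "example.com" are assumptions. The syntax is FortiOS 6.0 as the thread's firmware uses it; verify the option names against your build before pasting.

```text
# --- Upstream resolvers the FortiGate itself uses for recursion
#     (1.1.1.1 is what the working trace sends to; 1.0.0.1 is assumed) ---
config system dns
    set primary 1.1.1.1
    set secondary 1.0.0.1
end

# --- Before: only the LAN-side interface answers client queries. A query
#     that arrives on the SSL VPN tunnel interface stops right after
#     get_intf_policy(), exactly as in the failing trace. ---
config system dns-server
    edit "lan"
        set mode recursive
    next
end

# --- After: the SSL VPN tunnel interface of the root VDOM is also a
#     recursive DNS server (this is the entry the reply above added) ---
config system dns-server
    edit "lan"
        set mode recursive
    next
    edit "ssl.root"
        set mode recursive
    next
end

# --- Push the FortiGate's address as the resolver for tunnel clients;
#     this applies to every query, not to a list of domains ---
config vpn ssl settings
    set dns-server1 172.16.99.3
end

# --- Optional split-DNS on the portal: only the listed domain is sent to
#     this resolver, everything else stays with the client's own resolver ---
config vpn ssl web portal
    edit "full-access"
        config split-dns
            edit 1
                set domains "example.com"
                set dns-server1 172.16.99.3
            next
        end
    next
end
```

The difference between the last two blocks is also the answer to "all domains" versus a domain list: the dns-server1 under "config vpn ssl settings" is handed to the client for all queries, whereas split-dns only covers what is listed under "set domains". To check the change, enable the same trace the first post used ("diagnose debug application dns -1" followed by "diagnose debug enable"), resolve a name from a connected client, and confirm that a query on the ssl.root interface index now continues past "get_intf_policy()" to "dns_parse_message()" and "dns_send_resol_request()"; run "diagnose debug disable" when done.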
    titoff (New Member)
    Re: Fortigate 200E:Recursive DNS not working for VPN SSL users 2019/04/26 05:58:43 (permalink)
    Another remark/question about split-DNS: how would one specify "all" for the domain option, as that can be, and was, my initial requirement?
     
    Thanks