titoff
New Contributor

Fortigate 200E:Recursive DNS not working for VPN SSL users

Hi,

Fortigate version: Version: FortiGate-200E v6.0.4

Problem:

I configured VPN SSL as explained in the cookbook as well as DNS for clients (the fortigate 200E) which is supposed to do recursive dns too.

 

The current situation: 

1/ For users transiting the firewall and who are NOT connected via SSL VPN, all is working as expected including recursive DNS.

2/ DNS resolution from the FW is also working as expected, i.e. "execute ping www.linode.com", for example

3/ [NOT working] DNS resolution is not working for users connected via VPN SSL

 

The logs are below but basically when all's working as expected, you can see the whole resolution taking place, i.e. arrival of the packet, the recursive part to the distant DNS server and the response.

When not working, the DNS request doesn't even get parsed, as can be seen below: the sequence stops at "get_intf_policy()-892: ifindex=31" and the next step, "[worker 0] dns_parse_message()-614", is missing.

 

-> I was suspecting a firewall policy issue but even after allowing all kinds of traffic through, it's still not working.

 

Any ideas, experiences or even a solution ;)

 

Thanks in advance

 

Logs on executing "diagnose debug application dns -1" (when not working): NOK

 

[worker 0] udp_receive_request()-2330
[worker 0] udp_receive_request()-2385: vd=0, vrf=0, intf=31, len=32, alen=16, 192.168.99.9:51745=>172.16.99.3
[worker 0] handle_dns_request()-1615: id:0xbd49 pktlen=32, qr=0 req_type=3
[worker 0] get_intf_policy()-892: ifindex=31
[worker 0] udp_receive_request()-2330
[worker 0] batch_on_read()-2688
[worker 0] udp_receive_request()-2330
[worker 0] udp_receive_request()-2385: vd=0, vrf=0, intf=31, len=33, alen=16, 192.168.99.9:52229=>172.16.99.3

Logs on executing "diagnose debug application dns -1" (when working): OK

 

[worker 0] udp_receive_request()-2385: vd=0, vrf=0, intf=38, len=36, alen=16, 172.16.199.190:53453=>172.16.99.3
[worker 0] handle_dns_request()-1615: id:0x6c31 pktlen=36, qr=0 req_type=3
[worker 0] get_intf_policy()-892: ifindex=38
[worker 0] dns_parse_message()-614
[worker 0] dns_nat64_update_request()-270
[worker 0] dns_local_lookup()-2223: vfid=0 qname=etsy.fr, qtype=1, qclass=1, offset=25, map#=2 max_sz=512
[worker 0] dns_lookup_aa_zone()-495: vfid=0, fqdn=etsy.fr
[worker 0] dns_forward_request()-1056
[worker 0] dns_send_resol_request()-861: orig id: 0x316c local id: 0x0000 domain=etsy.fr
[worker 0] dns_find_best_server()-375: vfid=0 profiled=0 last server 0.0.0.0
[worker 0] dns_send_resol_request()-967: Send 36B to 1.1.1.1:53 via fd=16 request:0 dns_num:7
[worker 0] dns_send_resol_request()-1010: fd=16 used source-ip: 99.99.99.10:4075
[worker 0] udp_receive_request()-2330
[worker 0] batch_on_read()-2688
[worker 0] udp_receive_response()-2546
[worker 0] udp_receive_response()-2569: vd-0: len=192, addr=1.1.1.1:53
[worker 0] dns_query_handle_response()-2025: id:0x802a domain=etsy.fr pktlen=192
[worker 0] dns_set_min_ttl()-182: QR: etsy.fr
[worker 0] dns_set_min_ttl()-190: Offset of 1st RR: 25 Number of RR's: 6
[worker 0] dns_set_min_ttl()-200: RR TTL: 3600
[worker 0] dns_set_min_ttl()-200: RR TTL: 158606
[worker 0] dns_set_min_ttl()-200: RR TTL: 158606
[worker 0] dns_set_min_ttl()-200: RR TTL: 158606
[worker 0] dns_set_min_ttl()-200: RR TTL: 158606
[worker 0] dns_set_min_ttl()-200: RR TTL: 0
[worker 0] dns_cache_response()-281: Min ttl = 10
[worker 0] dns_forward_response()-1272
[worker 0] dns_secure_forward_response()-1220: category=255 profile=none
[worker 0] dns_visibility_log_hostname()-235: vd=0 pktlen=192
[worker 0] hostname_entry_insert()-140: af=2 domain=etsy.fr
[worker 0] __dns_forward_response()-1123
[worker 0] __dns_forward_response()-1129: vd-0 Send 192B via fd=13, family=2
[worker 0] __dns_forward_response()-1132: set svf of fd to 0
[worker 0] __dns_forward_response()-1179: vd=0 send 192B response 172.16.99.3:53=>172.16.199.190:53453
[worker 0] dns_query_delete()-449: orgi id:0x316c local id:0x802a active tcp_req=(nil)
[worker 0] udp_receive_response()-2546
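An added example, not part of the thread and not Fortinet code: a small Python checker that splits the flat "diagnose debug application dns -1" stream shown above into one trace per incoming UDP query and flags the symptom described in the post, a get_intf_policy() entry that is never followed by dns_parse_message(). The only thing it assumes is the "[worker N] function()-LINE: detail" format visible in the logs; the sample strings are constructed to mirror the NOK and OK captures above, and DnsRequest, group_requests and diagnose are names chosen here, not FortiOS terms.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed samples modelled on the "diagnose debug application dns -1" output
# in this thread: one query arriving on the SSL VPN tunnel interface (intf=31)
# that stalls after get_intf_policy(), and one on intf=38 that is fully resolved.
SAMPLE_NOK = (
    "[worker 0] udp_receive_request()-2330 "
    "[worker 0] udp_receive_request()-2385: vd=0, vrf=0, intf=31, len=32, alen=16, "
    "192.168.99.9:51745=>172.16.99.3 "
    "[worker 0] handle_dns_request()-1615: id:0xbd49 pktlen=32, qr=0 req_type=3 "
    "[worker 0] get_intf_policy()-892: ifindex=31 "
    "[worker 0] udp_receive_request()-2330 "
    "[worker 0] batch_on_read()-2688"
)
SAMPLE_OK = (
    "[worker 0] udp_receive_request()-2385: vd=0, vrf=0, intf=38, len=36, alen=16, "
    "172.16.199.190:53453=>172.16.99.3 "
    "[worker 0] handle_dns_request()-1615: id:0x6c31 pktlen=36, qr=0 req_type=3 "
    "[worker 0] get_intf_policy()-892: ifindex=38 "
    "[worker 0] dns_parse_message()-614 "
    "[worker 0] dns_local_lookup()-2223: vfid=0 qname=etsy.fr, qtype=1, qclass=1, offset=25, map#=2 max_sz=512 "
    "[worker 0] dns_forward_request()-1056 "
    "[worker 0] dns_send_resol_request()-967: Send 36B to 1.1.1.1:53 via fd=16 request:0 dns_num:7 "
    "[worker 0] __dns_forward_response()-1179: vd=0 send 192B response 172.16.99.3:53=>172.16.199.190:53453"
)

# One debug entry: "[worker N] function()-LINE[: detail]" up to the next "[worker" marker.
ENTRY_RE = re.compile(r"\[worker (\d+)\] (\w+)\(\)-(\d+):?\s*(.*?)\s*(?=\[worker \d+\]|$)", re.DOTALL)


@dataclass
class DnsRequest:
    client: str                        # source ip:port of the query
    intf: int                          # ingress interface index
    req_id: Optional[str] = None       # transaction id from handle_dns_request()
    qname: Optional[str] = None        # only known once the message was parsed
    forwarded_to: Optional[str] = None # upstream server from dns_send_resol_request()
    steps: List[str] = field(default_factory=list)

    @property
    def parsed(self) -> bool:
        return "dns_parse_message" in self.steps

    @property
    def answered(self) -> bool:
        return "__dns_forward_response" in self.steps


def parse_entries(text: str):
    """Yield (worker, function, line, detail) tuples in log order."""
    for worker, func, line, detail in ENTRY_RE.findall(text):
        yield int(worker), func, int(line), detail


def group_requests(text: str) -> List[DnsRequest]:
    """Split the flat debug stream into one trace per incoming UDP query."""
    requests: List[DnsRequest] = []
    cur: Optional[DnsRequest] = None
    for _, func, line, detail in parse_entries(text):
        if func == "udp_receive_request" and line == 2385:      # header of a new query
            m = re.search(r"intf=(\d+).*?(\S+)=>(\S+)$", detail)
            cur = DnsRequest(client=m.group(2), intf=int(m.group(1)))
            requests.append(cur)
            continue
        if cur is None:                                         # noise before the first query
            continue
        cur.steps.append(func)
        if func == "handle_dns_request":
            m = re.search(r"id:(0x[0-9a-fA-F]+)", detail)
            cur.req_id = m.group(1) if m else None
        elif func == "dns_local_lookup":
            m = re.search(r"qname=([^,\s]+)", detail)
            cur.qname = m.group(1) if m else None
        elif func == "dns_send_resol_request":
            m = re.search(r"Send \d+B to (\S+)", detail)
            if m:
                cur.forwarded_to = m.group(1)
    return requests


def diagnose(text: str) -> List[dict]:
    """Classify each query; the thread's symptom is get_intf_policy() with no
    dns_parse_message() after it, i.e. the DNS service never took the query."""
    report = []
    for r in group_requests(text):
        if not r.parsed and "get_intf_policy" in r.steps:
            verdict = "STALLED: get_intf_policy() not followed by dns_parse_message() on intf=%d" % r.intf
        elif not r.parsed:
            verdict = "DROPPED before the interface policy lookup"
        elif not r.answered:
            verdict = "FORWARDED but no response sent back to the client"
        else:
            verdict = "OK"
        report.append({"client": r.client, "intf": r.intf, "id": r.req_id,
                       "qname": r.qname, "forwarded_to": r.forwarded_to,
                       "parsed": r.parsed, "answered": r.answered, "verdict": verdict})
    return report


if __name__ == "__main__":
    for label, sample in (("NOK", SAMPLE_NOK), ("OK", SAMPLE_OK)):
        for row in diagnose(sample):
            print(label, row)
```

Feed it a real capture (paste the whole debug output into diagnose()) and every query that never reaches dns_parse_message() is listed with its ingress interface index, which is what pointed at the SSL VPN interface in this thread.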
3 REPLIES
Dave_Hall
Honored Contributor

I haven't seen the cookbook recipe in question, but it does sound like you need to set up Split-DNS.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
titoff

Thanks for replying Dave.

Unfortunately that did not work, however this worked:

 

config system dns-server
    edit "ssl.root"
        set mode recursive
    next
end

I had tried the above conf too but it did not work initially - so busy looking for what I changed in addition to that.

 

thx

titoff

Another remark / question about split-dns, how would one specify "all" for the domain option, as that can be and was my initial requirement.

 

Thx
