FortiGuard DNS problems: "no available Fortiguard SDNS servers" & "A rating error occurs"
We're noticing this problem across multiple clients this morning. Any users using Internet access policies with a DNS Filter profile enabled are blocked from accessing the Internet. The DNS Query logs show constant failures with:
The FortiGuard page shows two green "check" status indicators and "diag debug rating" doesn't show any obvious errors.
This is not a config problem. This has happened simultaneously across multiple FortiGates with known good working configs and no recent config changes. Changing the FortiGuard protocol and port between UDP and HTTPS, 53, 443 and 8888 doesn't seem to make a difference. The only solution is to either remove the DNS Filter profile from the policies or set "Allow DNS requests when a rating error occurs" to enabled in the DNS Filter profiles - then traffic starts flowing again.
This seems pretty clearly to be a back-end FortiGuard DNS problem. Anyone else seeing this? Any official acknowledgement of any FortiGuard DNS problems?
Russ
NSE7
We have, same description.
Temp fix for us was to disengage DNS filter component on the IPv4 policy referenced in the log entry.
The problem resolved itself for us at around 12:41 PM Pacific according to my DNS Query logs:
12:41:15 - ERROR- "Message: A rating error occurs" (last error)
12:41:25 - OK - "Message: Domain belongs to a denied category in policy" (no errors from this point forward)
Russ
NSE7
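A way to spot the same outage in exported DNS Query logs, as an added example that is not from this thread: it parses FortiGate-style key=value log lines (the sample lines are constructed, and the field names date/time/subtype/msg are assumed) and reports sustained streaks of "A rating error occurs" together with the first successful rating afterwards, which is how the 12:41 recovery above was located.

```python
import re
from datetime import datetime

# Constructed sample in the key=value layout FortiGate uses for syslog.
# Field names and values are assumptions for this example, not real logs.
SAMPLE_LOGS = """\
date=2020-07-08 time=12:30:00 type="utm" subtype="dns" action="blocked" msg="A rating error occurs" qname="one.example"
date=2020-07-08 time=12:30:10 type="utm" subtype="dns" action="pass" msg="Domain is allowed" qname="one.example"
date=2020-07-08 time=12:40:55 type="utm" subtype="dns" action="blocked" msg="A rating error occurs" qname="two.example"
date=2020-07-08 time=12:41:05 type="utm" subtype="webfilter" action="passthrough" msg="URL belongs to an allowed category" url="https://two.example/"
date=2020-07-08 time=12:41:10 type="utm" subtype="dns" action="blocked" msg="A rating error occurs" qname="three.example"
date=2020-07-08 time=12:41:15 type="utm" subtype="dns" action="blocked" msg="A rating error occurs" qname="four.example"
date=2020-07-08 time=12:41:25 type="utm" subtype="dns" action="blocked" msg="Domain belongs to a denied category in policy" qname="five.example"
date=2020-07-08 time=12:41:40 type="utm" subtype="dns" action="pass" msg="Domain is allowed" qname="two.example"
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
RATING_ERROR = "A rating error occurs"


def parse_kv(line):
    """Split one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def rating_error_streaks(lines, min_count=3):
    """Group consecutive DNS-filter events whose msg is the rating error.

    A single isolated error is normal noise; only streaks of at least
    min_count consecutive errors are returned. Each streak records the first
    and last error time, the count, and 'recovered': the time of the first
    DNS-filter event after the streak that rated successfully (None if the
    log ends while still failing, i.e. the outage is ongoing).
    """
    streaks, current = [], None
    for line in lines:
        ev = parse_kv(line)
        if ev.get("subtype") != "dns":      # ignore webfilter, app-ctrl, etc.
            continue
        ts = datetime.strptime(ev["date"] + " " + ev["time"], "%Y-%m-%d %H:%M:%S")
        if ev.get("msg") == RATING_ERROR:
            if current is None:
                current = {"first": ts, "last": ts, "count": 0, "recovered": None}
            current["last"] = ts
            current["count"] += 1
        elif current is not None:           # first successful rating after errors
            current["recovered"] = ts
            if current["count"] >= min_count:
                streaks.append(current)
            current = None
    if current is not None and current["count"] >= min_count:
        streaks.append(current)             # still failing at end of log
    return streaks
```

Feed it `rating_error_streaks(open("dns-query.log").read().splitlines())`; a streak with `recovered` still `None` means the FortiGuard SDNS path is still down and the fail-open workaround in the thread is what keeps users online.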
We had the same issue the last few days, the following finally got DNS Filtering working again.
config system fortiguard
    set fortiguard-anycast disable
    set protocol udp
    set port 8888
    set sdns-server-ip 208.91.112.220
end
Fortigate 6.4.1
x3
Had the same issue on a FortiGate VM running FortiOS 6.4.1 and on a non-administrative VDOM; in this case "set source-ip" is needed:
config system fortiguard
    set port 8888
    set fortiguard-anycast disable
    set sdns-server-ip "208.91.112.220"
    set source-ip 138.118.8.4
end
Just to confirm that this solved my case too - browsing slowness due to DNS Filtering high response times. Disabled anycast; this automatically caused an additional 4 FortiGuard IPs to appear in the list.
The default IP of 172.243.138.221 was showing a 450 msec response time in Network -> DNS. After disabling anycast, the best server IP gives just 40 msec!
Thanks for the pointer.
FGT 200E 6.4.4