DNS lookup failure(s) for Fortinet

Vendor

Fortinet

Description

Indeni will alert if the DNS resolution is not working on the device.

Remediation Steps

Review the cause for the DNS resolution not working.

1. Log in via HTTPS to the Fortinet firewall and go to Network > DNS to review the DNS configuration.

2. Log in via SSH to the Fortinet firewall and review the system DNS configuration (for example with "show system dns").

3. Verify your DNS server IPs and routing. Ensure that your firewalls or routers do not block or proxy UDP port 53.

4. To verify your DNS service, enter the following command in the CLI: "execute traceroute <hostname>", where <hostname> is a domain name such as www.example.com. If the DNS query fails, an error message such as the following is returned: traceroute: unknown host www.example.com

5. Log in via SSH to the Fortinet firewall and troubleshoot the problem with "diag test application dnsproxy <test_level>", where <test_level> is one of: 1 (clear DNS cache), 2 (show stats), 3 (dump DNS settings), 4 (reload FQDN), 5 (requery FQDN), 6 (dump FQDN).

6. For more information, see the following link: https://docs.fortinet.com/uploaded/files/2924/troubleshooting-54.pdf

How does this work?

This script logs into the Fortinet firewall through SSH and attempts to ping www.indeni.com. Before it can ping, the firewall must resolve www.indeni.com to an IP address via DNS. This script ONLY tests whether that DNS resolution succeeded; it does not test whether the ping itself was successful. Note that the resolution may be answered from the device's local DNS cache, in which case a successful resolution does not necessarily mean that the device DNS configuration is "correct".

Why is this important?

Without Indeni how would you find this?

An administrator would need to write a script to poll their firewalls for the data (force a resolution of a hostname), or simply troubleshoot once an issue occurs.
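The check described under "How does this work?" and the do-it-yourself script mentioned above, as an added example that is not Indeni's script or any Fortinet code. It assumes a hypothetical caller-supplied run_command function that sends one CLI line to the firewall over SSH and returns its output; the traceroute outputs below are constructed samples, and the cache flush uses option 1 of the dnsproxy test from the remediation steps so that a cached answer cannot mask a broken resolver.

```python
import re
from typing import Callable

# Constructed FortiOS-style traceroute outputs used as offline samples (not captured from a device).
SAMPLE_RESOLVED = (
    "traceroute to www.example.com (93.184.216.34), 32 hops max, 3 probes each, 84 byte packets\n"
    " 1  192.0.2.1  0.42 ms  0.31 ms  0.29 ms\n"
    " 2  * * *\n"
)
SAMPLE_UNRESOLVED = "traceroute: unknown host www.example.com\n"

# "traceroute to <host> (<ip>)" is printed only after the name resolved; "unknown host" is the
# failure shown on the page. Anything else is reported as indeterminate rather than guessed.
RESOLVED_RE = re.compile(r"^traceroute to (?P<host>\S+) \((?P<ip>[0-9a-fA-F.:]+)\)", re.MULTILINE)
FAILED_RE = re.compile(r"unknown host|unable to resolve", re.IGNORECASE)


def classify_resolution(output: str, hostname: str) -> dict:
    """Judge only the DNS step from the CLI output: hop timeouts (* * *) are ignored,
    matching the page's check, which does not care whether the probe itself succeeds."""
    m = RESOLVED_RE.search(output)
    if m and m.group("host").lower() == hostname.lower():
        return {"hostname": hostname, "resolved": True, "address": m.group("ip")}
    if FAILED_RE.search(output):
        return {"hostname": hostname, "resolved": False, "address": None}
    return {"hostname": hostname, "resolved": None, "address": None}  # indeterminate output


def check_dns(run_command: Callable[[str], str], hostname: str = "www.example.com",
              clear_cache: bool = False) -> dict:
    """run_command is a hypothetical caller-supplied function (e.g. wrapping an SSH session)
    that executes one CLI line and returns its output. With clear_cache=True the device's
    dnsproxy cache is flushed first (test level 1), so the result reflects the live resolvers."""
    if clear_cache:
        run_command("diag test application dnsproxy 1")
    return classify_resolution(run_command(f"execute traceroute {hostname}"), hostname)


if __name__ == "__main__":
    # Offline demonstration with the constructed samples instead of a live SSH session.
    print(check_dns(lambda cmd: SAMPLE_RESOLVED))
    print(check_dns(lambda cmd: SAMPLE_UNRESOLVED, clear_cache=True))
```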
