Some of you may have noticed that a Fortigate – configured to use the FortiGuard DNS Servers – is not resolving some DNS names anymore.
Consequences can be that FQDN address objects cannot be resolved or that a configured mail server cannot be reached anymore.
You can double-check this behaviour on the CLI:
# exec ping <some-dns-name>
Unable to resolve hostname.
The reason is that the FortiGuard DNS servers have started to enforce EDNS compliance on the authoritative servers they query. EDNS (Extension Mechanisms for DNS) extends the original DNS protocol, for example to allow UDP messages larger than 512 bytes and to carry DNSSEC flags (refer to the Wikipedia article). A resolver that enforces EDNS no longer retries without EDNS when an authoritative server answers a query badly, so names served by non-compliant servers simply fail to resolve.
To check whether the authoritative servers of your domain are EDNS compliant you can use the EDNS Compliance Tester.
EDNS compliance issues are usually caused by outdated DNS software on the authoritative servers, or by a firewall or load balancer in front of them that drops or mangles DNS packets carrying an OPT record or larger than 512 bytes. Updating the DNS software on the authoritative servers (and letting EDNS traffic through any device in front of them) should fix the issue.
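To see what such a compliance check does at the wire level, here is an added example written for this page (it is neither the blog author's nor Fortinet's code). It sends the same kind of query an EDNS-aware resolver sends, an SOA query with an OPT pseudo-RR in the additional section, and classifies the answer the way a strict resolver does: a compliant server answers NOERROR and echoes an OPT record; a broken one answers FORMERR, strips the OPT record, or does not answer at all. The server address and zone name given on the command line, and the three canned responses used for offline testing, are constructed assumptions, not captures from any real server.

```python
"""Probe and classify EDNS(0) compliance of an authoritative DNS server (RFC 6891).

Added example for this page, not FortiGuard's or the blog author's code.
The canned responses at the bottom are constructed for offline testing.
"""
import socket
import struct
import sys

TYPE_SOA = 6
TYPE_OPT = 41
CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Wire-encode a domain name as length-prefixed labels, root-terminated."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_edns_query(qname: str, qtype: int = TYPE_SOA, txid: int = 0x1234,
                     udp_size: int = 1232) -> bytes:
    """Build a non-recursive (RD=0) query carrying an EDNS(0) OPT RR (ARCOUNT=1)."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    # OPT RR: NAME=root, TYPE=41, CLASS=our UDP payload size,
    # TTL=extended RCODE(8) | EDNS version(8) | flags(16), RDLEN=0 (no options)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, 0, 0)
    return header + question + opt


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) wire-format name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # compression pointer: 2 bytes, ends the name
            return off + 2
        if length == 0:             # root label
            return off + 1
        off += 1 + length


def check_edns_response(query: bytes, response) -> dict:
    """Classify a raw UDP response (None = timeout) to a build_edns_query() probe."""
    result = {"status": "ok", "compliant": False, "rcode": None, "opt": None}
    if response is None:
        result["status"] = "timeout"
        return result
    if len(response) < 12 or response[:2] != query[:2]:
        result["status"] = "bad-reply"   # truncated or transaction ID mismatch
        return result
    try:
        _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", response[:12])
        result["rcode"] = flags & 0x0F
        off = 12
        for _ in range(qd):
            off = _skip_name(response, off) + 4          # QTYPE + QCLASS
        for _ in range(an + ns + ar):
            off = _skip_name(response, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", response[off:off + 10])
            off += 10 + rdlen
            if rtype == TYPE_OPT:
                result["opt"] = {"udp_size": rclass, "ext_rcode": ttl >> 24,
                                 "version": (ttl >> 16) & 0xFF, "do": bool(ttl & 0x8000)}
    except (struct.error, IndexError):
        result["status"] = "bad-reply"   # malformed message
        return result
    if result["rcode"] == 1:
        result["status"] = "formerr"     # classic sign of an EDNS-unaware server
    elif result["rcode"] != 0:
        result["status"] = "rcode"
    elif result["opt"] is None:
        result["status"] = "no-opt"      # server or middlebox stripped the OPT RR
    elif result["opt"]["version"] != 0:
        result["status"] = "bad-version"
    else:
        result["compliant"] = True
    return result


def probe(server: str, qname: str, timeout: float = 3.0) -> dict:
    """Send the probe over UDP/53 to an authoritative server (live network call)."""
    query = build_edns_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        try:
            response, _ = s.recvfrom(4096)
        except socket.timeout:
            response = None
    return check_edns_response(query, response)


# Constructed sample traffic for offline checks (not captures of any real server).
QUERY = build_edns_query("example.com")
_QUESTION = encode_name("example.com") + struct.pack("!HH", TYPE_SOA, CLASS_IN)
_SOA_RDATA = (encode_name("ns1.example.com") + encode_name("hostmaster.example.com")
              + struct.pack("!IIIII", 2019020101, 7200, 3600, 1209600, 3600))
_SOA_RR = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_SOA, CLASS_IN, 3600, len(_SOA_RDATA)) + _SOA_RDATA
_OPT_RR = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0, 0)
# Compliant: NOERROR with AA set, SOA answer, OPT echoed in the additional section.
SAMPLE_COMPLIANT = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 0, 1) + _QUESTION + _SOA_RR + _OPT_RR
# Outdated software: rejects the unknown OPT RR with FORMERR and no OPT of its own.
SAMPLE_FORMERR = struct.pack("!HHHHHH", 0x1234, 0x8001, 1, 0, 0, 0) + _QUESTION
# Middlebox or broken server: answers, but the OPT RR is gone.
SAMPLE_NO_OPT = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 0, 0) + _QUESTION + _SOA_RR

if __name__ == "__main__":
    # Usage: python edns_probe.py <authoritative-server-ip> <zone>  (assumed file name)
    print(probe(sys.argv[1], sys.argv[2]))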
As a temporary workaround you can configure other DNS servers on the Fortigate (under config system dns, via set primary and set secondary) and on your clients. This only hides the problem: the authoritative servers of the affected domain still need to be fixed.