Fortiguard DNS servers are enforcing EDNS policies

Some of you may have noticed that a FortiGate configured to use the FortiGuard DNS servers no longer resolves some DNS names.

The consequences can be that FQDN address objects cannot be resolved or that a configured mail server can no longer be used.

You can double-check this behaviour on the CLI:

# exec ping <some-dns-name>
Unable to resolve hostname.

If you take a closer look with nslookup, you can see that the FortiGuard DNS server answers with a "SERVFAIL" for names whose authoritative servers do not handle queries carrying EDNS correctly (they answer without EDNS data, or not at all). This behaviour is correct and documented in RFC 6891. If you send the same EDNS query directly to the authoritative DNS server, the authoritative server itself usually answers with a "FORMERR", but sometimes also with a "SERVFAIL" or a "TIMEOUT".

The reason is that the FortiGuard DNS servers have started to enforce EDNS compliance. EDNS stands for Extension Mechanisms for DNS and extends the DNS protocol, for example by allowing UDP messages larger than 512 bytes (refer to the Wikipedia article).

To check whether your domain is EDNS compliant, you can use ISC's EDNS Compliance Tester.
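The check described above, as an added example that is not part of the original post or of Fortinet's or ISC's tooling: a small Python probe that sends one query without and one with an EDNS OPT record (RFC 6891) directly to an authoritative server and reports the RCODE and whether the OPT record was echoed, which is the core of what the compliance tester does. The server address and zone name are command-line arguments, the `example.net` sample replies are constructed for offline checks, the verdict wording is my own heuristic, and the probe is IPv4/UDP only.

```python
import socket
import struct
import sys

# RCODE names (RFC 1035, extended RCODE per RFC 6891)
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED", 16: "BADVERS"}

def encode_name(name):
    """Encode a dotted name in DNS wire format (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, qtype=6, txid=0x1234, edns=True, udp_size=1232):
    """Build a SOA query (qtype 6) for name; with edns=True an OPT pseudo-RR
    (RFC 6891) is appended in the additional section, like a modern resolver does."""
    arcount = 1 if edns else 0
    # flags 0x0000: RD clear, because we ask the authoritative server directly
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, arcount)
    pkt = header + encode_name(name) + struct.pack("!HH", qtype, 1)
    if edns:
        # OPT RR: root owner name, TYPE 41, CLASS = UDP payload size,
        # TTL = extended RCODE/version/flags (all zero), RDLENGTH 0
        pkt += b"\x00" + struct.pack("!HHIH", 41, udp_size, 0, 0)
    return pkt

def skip_name(pkt, off):
    """Return the offset just past a wire-format name (handles compression pointers)."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length

def parse_response(pkt):
    """Extract transaction ID, (extended) RCODE name and whether an OPT RR was echoed."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(pkt, off) + 4          # QTYPE + QCLASS
    has_opt, ext_rcode = False, 0
    for _ in range(an + ns + ar):
        off = skip_name(pkt, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10 + rdlen
        if rtype == 41:                        # OPT: upper 8 bits of TTL extend the RCODE
            has_opt, ext_rcode = True, (ttl >> 24) & 0xFF
    rcode = (ext_rcode << 4) | (flags & 0x0F)
    return {"id": txid, "rcode": RCODES.get(rcode, str(rcode)), "opt": has_opt}

def probe(server, name, edns, timeout=3.0):
    """Send one UDP query to an authoritative server and parse the reply; TIMEOUT if none."""
    query = build_query(name, edns=edns)
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.sendto(query, (server, 53))
        while True:
            data, _ = s.recvfrom(4096)
            if data[:2] == query[:2]:          # ignore replies for other transaction IDs
                return parse_response(data)
    except socket.timeout:
        return {"id": None, "rcode": "TIMEOUT", "opt": False}
    finally:
        s.close()

def classify(plain, edns):
    """Verdict (own heuristic wording, not ISC's) from a plain and an EDNS probe."""
    if plain["rcode"] != "NOERROR":
        return "broken: %s even without EDNS" % plain["rcode"]
    if edns["rcode"] == "NOERROR" and edns["opt"]:
        return "compliant: EDNS query answered and OPT echoed"
    if edns["rcode"] == "FORMERR" and not edns["opt"]:
        return "legacy: FORMERR to OPT, no EDNS support (RFC 6891 section 7); update the DNS software"
    return "non-compliant: %s to EDNS query; a strict resolver returns SERVFAIL" % edns["rcode"]

# Constructed sample replies for offline checks (not captured from real servers):
# FORMERR without OPT, and NOERROR with AA set and an OPT echoed (payload size 4096).
_Q = encode_name("example.net") + struct.pack("!HH", 6, 1)
SAMPLE_FORMERR = struct.pack("!HHHHHH", 0x1234, 0x8001, 1, 0, 0, 0) + _Q
SAMPLE_EDNS_OK = (struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 0, 0, 1) + _Q
                  + b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0))

if __name__ == "__main__":
    # usage: python edns_probe.py <authoritative-server-ip> <zone>
    server, zone = sys.argv[1], sys.argv[2]
    plain = probe(server, zone, edns=False)
    with_edns = probe(server, zone, edns=True)
    print("plain:", plain)
    print("edns: ", with_edns)
    print(classify(plain, with_edns))
```

With dig the same two probes are `dig +noedns @<ns> soa <zone>` and `dig +edns=0 @<ns> soa <zone>`: a compliant server answers the second one with NOERROR and an OPT record in the reply, while FORMERR without OPT means the server software predates EDNS, and SERVFAIL or a timeout on the EDNS query is exactly what makes a strict resolver such as FortiGuard's give up on the name.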

EDNS compliance issues are usually caused by outdated DNS software. Updating the DNS software on the authoritative servers should fix this issue.

As a temporary workaround you can configure different DNS servers on your FortiGate (and on your clients). This only hides the problem; the authoritative servers of the affected domain still need to be fixed.

Fortinet has also created a KB article.

