FortiGate “Deny: DNS Error”

FortiGate firewalls inspect the data stream. This is also true for DNS (Domain Name System).

Sometimes you will see the error “Deny: DNS error” in the logs.

A closer look shows the following:

First of all, in the detailed log view the fields threats and threattype show “failed-connection” in both cases. This is highly misleading.

FortiGate inspects the DNS flow. The error “Deny: DNS error” means that a DNS response was received, but its response code was something other than “NOERROR”.

If there had been a real connection problem, the error would have been “Deny: IP connection error”. This means a packet was sent to the server, but the FortiGate never saw a response.

In simple words:

“Deny: DNS error”: A response comes back from the DNS server, but the FortiGate interprets the content of the answer as faulty.

“Deny: IP connection error”: A packet was sent to the server, but the FortiGate never saw a response.
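To make the distinction concrete, the following added example (written for this page, not Fortinet code and not a reproduction of what the firewall does internally) decodes the fixed DNS header and reports whether a response carries RCODE NOERROR or one of the error codes (NXDOMAIN, SERVFAIL, REFUSED and so on). A message that reaches `classify()` is by definition “a response that came back”; a message that never arrives has no header to decode, which is the “IP connection error” case. The sample messages are constructed inline with `build_response()`; the names and addresses in them are placeholders.

```python
# Decode the 12-byte DNS header and the question section, and classify a
# response as NOERROR or "DNS error (<RCODE name>)". Sample messages are
# constructed inline so the script runs offline.
import struct

# RCODE values from RFC 1035 section 4.1.1 (low 4 bits of the flags word)
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
               3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def parse_header(msg: bytes) -> dict:
    """Return the fields of the fixed 12-byte DNS header."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", msg[:12])
    return {
        "id": txid,
        "qr": (flags >> 15) & 1,        # 0 = query, 1 = response
        "opcode": (flags >> 11) & 0xF,
        "tc": (flags >> 9) & 1,         # truncated
        "rcode": flags & 0xF,           # response code
        "qdcount": qdcount,
        "ancount": ancount,
    }


def parse_qname(msg: bytes, offset: int = 12) -> tuple:
    """Decode the uncompressed name in the question section; return (name, next offset)."""
    labels = []
    while True:
        length = msg[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0:
            # Compression pointers are not expected in the question section.
            raise ValueError("compressed name in question section")
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def classify(msg: bytes) -> dict:
    """Classify one DNS message: 'query', 'NOERROR' or 'DNS error (<name>)'."""
    hdr = parse_header(msg)
    qname = parse_qname(msg)[0] if hdr["qdcount"] else ""
    rcode = hdr["rcode"]
    rcode_name = RCODE_NAMES.get(rcode, "RCODE%d" % rcode)
    if hdr["qr"] == 0:
        verdict = "query"              # no answer yet, nothing to judge
    elif rcode == 0:
        verdict = "NOERROR"            # the only code that passes
    else:
        verdict = "DNS error (%s)" % rcode_name
    return {"id": hdr["id"], "qname": qname, "rcode": rcode, "verdict": verdict}


def encode_qname(name: str) -> bytes:
    """Encode a domain name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(txid: int, qname: str, rcode: int, answer_ip: str = None) -> bytes:
    """Construct a minimal A-record response (sample data for this example only).

    Flags are QR=1, RD=1, RA=1 plus the given RCODE. If answer_ip is set,
    one A record pointing back at the question name is appended.
    """
    ancount = 1 if answer_ip else 0
    flags = (1 << 15) | (1 << 8) | (1 << 7) | (rcode & 0xF)
    msg = struct.pack("!6H", txid, flags, 1, ancount, 0, 0)
    msg += encode_qname(qname) + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
    if answer_ip:
        rdata = bytes(int(octet) for octet in answer_ip.split("."))
        # 0xC00C is a compression pointer to the question name at offset 12
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, len(rdata)) + rdata
    return msg


if __name__ == "__main__":
    # Constructed sample responses: one good answer and three error codes.
    samples = [
        build_response(0x1001, "www.example.com", 0, "192.0.2.10"),
        build_response(0x1002, "missing.example.com", 3),   # NXDOMAIN
        build_response(0x1003, "www.example.net", 2),       # SERVFAIL
        build_response(0x1004, "www.example.org", 5),       # REFUSED
    ]
    for sample in samples:
        result = classify(sample)
        print("%04x %-22s %s" % (result["id"], result["qname"], result["verdict"]))
```

When troubleshooting, the practical takeaway is that a “DNS error” log entry is a reason to look at the resolver (which name was asked, what RCODE it returned), while an “IP connection error” is a reason to look at reachability between the firewall and the server.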

A knowledge base article exists to clarify this subject: ⇒