Fortigate “Deny: DNS error”

Post author:Peter Bruderer
Post published:24.03.2019
Post category:Fortinet

Fortigate firewalls do inspect the data stream. This is also true for DNS (Domain Name Service).

Sometimes you will see the error: “Deny: DNS error” in the logs

Having a closer look will show:

First of all you will see in the detailed logs in the fields threats and threattyps in both cases “failed-connection”. This is highly misleading.

Fortigate does inspect the DNS flow. The error “Deny: DNS error” means, that the response had a different flag set then “NOERROR”.

If there was a real connection problem, the error would be: “Deny: IP connection error“. This means, a packet was sent to the server, but the Fortigate never saw a response.

In simple words:

“Deny: DNS error“: A response comes back from the DNS server. The Fortigate interprets the content of the answer as faulty.

“Deny: IP connection error“: In this case a packet was sent to the server, but a response has never been seen by the Fortigate.

A knowledge base article exists to clarify this subject: ⇒https://kb.fortinet.com/kb/documentLink.do?externalID=FD39982

Tags: FortiGate

You Might Also Like

Fortigate Firewall Performance Troubleshooting

IGMP Querier with Managed FortiSwitches

Addresses used by Fortinet