[dns-operations] Fortinet contact? Problems with their public resolvers

Klaus Darilion klaus.mailinglists at pernau.at
Wed Jun 13 12:20:46 UTC 2018



Am 13.06.2018 um 13:23 schrieb Casper Gielen:
> Op 12-06-18 om 18:12 schreef Klaus Darilion:
>> Does somebody have a contact to Fortinet admins? We do see a strange
>> problem (affecting Fortinet customers using Fortinet's resolver).
>>
>> Their resolvers quite often return SERVFAIL for DNSSEC signed zones, and
>> we are quite sure that the zones are signed correctly and the
>> authoritative name servers respond correctly (see below).
> 
> I think I encountered the same problem this morning.
> 
> The main issue is that some queries fail while queries for other records
> in the same zone fail. For example, asking for "NS" records would fail
> while an "A" record would succeed.
> 
> The problem seemed to be related to the type of query and not to the
> zone queried; all zones hosted on the server showed the same problem.
> 
> My packet sniffer shows that IP packets seem to disappear in both
> directions (to and from the DNS servers).
> 
> The problems stopped when our network team disabled all processing of
> DNS traffic by the FortiDDoS appliance. Unfortunately our Fortinet
> expert was not available to drill down into the details.


It seems a bit weird that Fortinet does preconfigure all their
appliances with the Fortinet DNS resolvers, but they are actually quite
bad. Only located in the US, very often no responses at all
(overloaded?), and they also do some "intelligence". E.g. whatever RR
you ask their resolver, you see on the authoritative name server the
query for the requested RR from the resolver, AND a query for A and AAAA
from some other Fortinet IP address.

Klaus
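A small stdlib-only probe for reproducing the behaviour discussed in this thread (SERVFAIL from a resolver on DNSSEC-signed zones, and failures that depend on the query type). This is an added example, not code from the thread or from Fortinet; it sends queries with the EDNS0 DO bit set for several RR types to one server and reports the RCODE per type, so the same zone can be probed against the suspect resolver and against the zone's authoritative server for comparison. The resolver and zone name are command-line arguments you supply.

```python
import random
import socket
import struct

QTYPES = {"A": 1, "NS": 2, "SOA": 6, "AAAA": 28}
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, qtype, dnssec_ok=True, msg_id=None):
    """Wire-format query: RD=1, one question, plus an EDNS0 OPT record (DO bit set)."""
    msg_id = random.randrange(65536) if msg_id is None else msg_id
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 1)  # flags RD, qd=1, ar=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(struct.pack("B", len(l)) + l.encode() for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", QTYPES[qtype], 1)  # class IN
    # OPT pseudo-RR: root name, type 41, UDP size 1232, ext-rcode 0, version 0, flags, rdlen 0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 1232, 0, 0, 0x8000 if dnssec_ok else 0, 0)
    return header + question + opt


def parse_response(resp):
    """Return (msg_id, rcode name, truncated flag) from a response header."""
    msg_id, flags = struct.unpack("!HH", resp[:4])
    rcode = flags & 0x000F
    return msg_id, RCODES.get(rcode, "RCODE%d" % rcode), bool(flags & 0x0200)


def probe(server, name, qtypes=("A", "AAAA", "NS", "SOA"), timeout=3.0):
    """Query one server for several types; returns {qtype: rcode or 'TIMEOUT'}."""
    results = {}
    for qt in qtypes:
        query = build_query(name, qt)
        expected_id = struct.unpack("!H", query[:2])[0]
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(query, (server, 53))
            try:
                resp, _ = sock.recvfrom(4096)
            except socket.timeout:  # matches the "no responses at all" symptom
                results[qt] = "TIMEOUT"
                continue
        msg_id, rcode, _ = parse_response(resp)
        results[qt] = rcode if msg_id == expected_id else "ID-MISMATCH"
    return results


if __name__ == "__main__":
    import sys  # usage: probe.py <server-ip> <zone-name>
    print(probe(sys.argv[1], sys.argv[2]))
```

Run it once against the resolver and once against an authoritative server for the same zone; a per-type SERVFAIL or TIMEOUT on the resolver side only, with NOERROR from the authority, isolates the problem to the resolver path rather than the zone.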


