This article describes how to check whether FortiGuard DNS servers honour EDNS Client Subnet (ECS) information, that is, whether they accept the ECS option in a query and return it, with a scope, in their response.
Scope
FortiGate v5.X, v6.X and v7.X.
Solution
Plain DNS messages over UDP are limited to 512 bytes. EDNS(0) (RFC 6891) lets the client and server advertise a larger UDP payload size and attach options to the message; one such option is ECS (RFC 7871), which carries a truncated prefix of the client's source address so that a resolver can return answers tailored to the client's network. Both the DNS server and the network path must accept the larger packets and any IP fragments they produce.
This can be checked with dig on Linux by adding the +subnet option, which makes dig attach an ECS option for the given prefix to the query. As an example:
dig @8.8.8.8 +subnet=74.123.206.0/24 www.google.com

; <<>> DiG 9.18.18-0ubuntu0.22.04.2-Ubuntu <<>> @8.8.8.8 +subnet www.google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40552
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
; CLIENT-SUBNET: 74.123.206.0/24/21
;; QUESTION SECTION:
To test the FortiGuard servers, replace 8.8.8.8 with the FortiGuard DNS server IP configured on the FortiGate. The CLIENT-SUBNET line in the OPT pseudosection of the reply is the check: the server echoes the subnet that was sent, followed by the scope prefix length it used for the answer (here 74.123.206.0/24/21, meaning the answer was tailored for the /21 containing that subnet). If the server does not support ECS, the CLIENT-SUBNET line is absent from the reply; a scope of /0 means the option was received but the answer was not tailored to the subnet.
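The same check can be scripted without dig. The following is an added example, not code from the Fortinet article: it builds a raw DNS query carrying an ECS option (RFC 6891 OPT RR, RFC 7871 option code 8), and reads the echoed ECS scope back out of a response. The response it parses by default is constructed inline to mirror the dig output above (one A answer for a TEST-NET address, ECS 74.123.206.0/24 with scope /21); query_server() sends the real query over UDP and is only used if called explicitly with a server IP.

```python
"""Build a DNS query carrying an EDNS Client Subnet (ECS) option and read the
ECS scope back out of a response (RFC 6891 / RFC 7871 wire format).

Added example, not part of the Fortinet article. The sample response below is
constructed by hand to mirror the dig output in the article; nothing is sent on
the network unless query_server() is called explicitly.
"""
import socket
import struct

OPT_TYPE = 41          # EDNS(0) OPT pseudo-RR type
ECS_OPTION_CODE = 8    # EDNS Client Subnet option code (RFC 7871)


def encode_name(name):
    """'www.google.com' -> b'\\x03www\\x06google\\x03com\\x00' (uncompressed wire name)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def ecs_option(prefix, source_len, scope_len=0):
    """Encode one ECS option: FAMILY, SOURCE PREFIX-LENGTH, SCOPE PREFIX-LENGTH,
    then the address truncated to the prefix bytes with the bits past the
    prefix zeroed, as RFC 7871 section 6 requires."""
    family = 2 if ":" in prefix else 1
    raw = socket.inet_pton(socket.AF_INET6 if family == 2 else socket.AF_INET, prefix)
    nbytes = (source_len + 7) // 8
    addr = bytearray(raw[:nbytes])
    if source_len % 8 and nbytes:
        addr[-1] &= (0xFF << (8 - source_len % 8)) & 0xFF
    body = struct.pack("!HBB", family, source_len, scope_len) + bytes(addr)
    return struct.pack("!HH", ECS_OPTION_CODE, len(body)) + body


def opt_rr(udp_size, options=b""):
    """OPT RR: root name, TYPE 41, CLASS = advertised UDP payload size,
    TTL = extended RCODE/version/flags (all zero), RDLEN, then the option list."""
    return b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, 0, len(options)) + options


def build_query(qname, subnet, txid=0x1234, udp_size=512):
    """A/IN query for qname with RD set and an ECS option for `subnet` (e.g. '74.123.206.0/24')."""
    prefix, plen = subnet.split("/")
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # RD; 1 question, 1 additional
    question = encode_name(qname) + struct.pack("!HH", 1, 1)      # QTYPE A, QCLASS IN
    return header + question + opt_rr(udp_size, ecs_option(prefix, int(plen)))


def _skip_name(buf, off):
    """Advance past a wire-format name, whether written out or a compression pointer."""
    while True:
        n = buf[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:          # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + n


def ecs_scope(response):
    """Return (family, source_len, scope_len, prefix) from the ECS option in the
    response's OPT RR, or None if the server sent no ECS option back."""
    _, _, qd, an, ns, ar = struct.unpack_from("!HHHHHH", response, 0)
    off = 12
    for _ in range(qd):
        off = _skip_name(response, off) + 4                        # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(response, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", response, off)
        off += 10
        rdata = response[off:off + rdlen]
        off += rdlen
        if rtype != OPT_TYPE:
            continue
        o = 0
        while o + 4 <= len(rdata):                                 # walk the option list
            code, olen = struct.unpack_from("!HH", rdata, o)
            body = rdata[o + 4:o + 4 + olen]
            o += 4 + olen
            if code == ECS_OPTION_CODE and len(body) >= 4:
                family, src, scope = struct.unpack_from("!HBB", body, 0)
                af, alen = (socket.AF_INET6, 16) if family == 2 else (socket.AF_INET, 4)
                prefix = socket.inet_ntop(af, body[4:].ljust(alen, b"\x00"))
                return family, src, scope, prefix
    return None


def ecs_honored(response):
    """True when the server echoed ECS with a non-zero scope, i.e. it used the client
    subnet for its answer. A missing option or scope /0 means ECS was not used."""
    info = ecs_scope(response)
    return info is not None and info[2] > 0


def query_server(server_ip, qname, subnet, timeout=3.0):
    """Send the query over UDP to a real resolver (e.g. the FortiGuard DNS server
    configured on the FortiGate) and return the raw response. Needs network access."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname, subnet), (server_ip, 53))
        return s.recv(4096)


def sample_response(scope_len=21, include_ecs=True):
    """Constructed response mirroring the article's dig output: NOERROR, flags qr rd ra,
    one A answer (192.0.2.1, a TEST-NET address chosen for the example) whose name is a
    compression pointer to the question, and an OPT RR carrying ECS 74.123.206.0/24
    with the given scope."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)
    question = encode_name("www.google.com") + struct.pack("!HH", 1, 1)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    opts = ecs_option("74.123.206.0", 24, scope_len) if include_ecs else b""
    return header + question + answer + opt_rr(512, opts)


if __name__ == "__main__":
    print("ECS in sample response:", ecs_scope(sample_response()))
    print("ECS honored:", ecs_honored(sample_response()))
```

Against a live server, `ecs_honored(query_server("<FortiGuard DNS IP>", "www.google.com", "74.123.206.0/24"))` gives the same verdict as reading the CLIENT-SUBNET line of the dig output: a non-zero scope means the subnet was used, a missing option means ECS is not supported.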