Resolve DNS Forwarder status failures
In Security Connector, you can view the health and traffic statistics of DNS Forwarder. You can also view information about DNS Forwarder.
DNS Forwarder information
This area of the console shows how Security Connector transports and resolves traffic based on your current configuration.
Information | Description |
---|---|
Primary Connection to DNS Cloud | Shows the communication protocol that’s used to direct traffic to SIA. |
Secondary Connection to DNS Cloud | If the primary connection fails, the secondary connection is used. This shows the communication protocol that’s used to direct traffic to SIA. |
Resolver for Internal Queries | Shows the resolver that you configured for internal traffic. |
Fallback Resolver (when DNS Cloud not reachable) | When SIA (DNS Cloud) is not reachable, this resolver is used. This is the DNS server that you configured in Security Connector. |
Health status
This table describes health checks that are completed for DNS Forwarder and the mitigation steps that are suggested to resolve a failure. If you cannot resolve an issue, contact Akamai Support.
To view the DNS Forwarder health status, see View DNS Forwarder health status.
Operation | Description | Resolution to Failure |
---|---|---|
Enterprise Resolver Reachability | Checks to see that corporate DNS resolvers are reachable. |
|
Primary DNS Cloud Connectivity | Checks to see whether DNS Forwarder can communicate with SIA. In the DNS Forwarder Info area, the protocol and method used to communicate with SIA, such as TCP and DoT is shown If your organization uses DNS protection for China, this area indicates that DoT for China is used. |
Note: If you are using Security Connector to protect DNS traffic in China, make sure you allow TCP port 443 or 853 for the hostname .dot.tl53.net. The port number depends on the port that you configured for DoT in Security Connector. |
Secondary DNS Cloud Connectivity | Checks to see whether the secondary connection to SIA is working. The secondary connection is used only if the primary connection fails. |
Note: If you are using Security Connector to protect DNS traffic in China, check TLS connectivity for .dot.dns.akasecure.net with dot as the ALPN. The TCP port (443 or 853) you allow depends on the port you configure for DoT in Security Connector. |
DNS Resolver Loop Check | Checks that the primary and secondary DNS Forwarders do not send traffic to one another as a result of misconfiguration. This operation also confirms that your corporate resolver does not forward requests to DNS Forwarder. If a loop is detected, the IP address of the server where the loop occurs is listed. |
|
Updated 6 months ago