Resolve DNS Forwarder status failures

In Security Connector, you can view the health and traffic statistics of DNS Forwarder.

Health status

This table describes health checks that are completed for DNS Forwarder and the mitigation steps that are suggested to resolve a failure. If you cannot resolve an issue, contact Akamai Support.

To view the DNS Forwarder health status, see View DNS Forwarder health status.

Operation: Enterprise Resolver Configuration
Description: Checks to see whether corporate resolvers are configured as Security Connector DNS name servers.
Resolution to Failure: Make sure that you configure the corporate resolvers as the Security Connector DNS name servers. For more information, see Configure DNS name servers.

Operation: Enterprise Resolver Reachability
Description: Checks to see that corporate DNS resolvers are reachable.
Resolution to Failure:
  • Review the DNS Name Server configuration.
  • Confirm that corporate DNS resolvers are available.

Operation: Akamai DNS Resolver TCP Connectivity
Description: Checks that DNS Forwarder can reach SIA Cloud using TCP.
Resolution to Failure: TCP connectivity issues are likely related to your firewall configuration. Confirm that your organization's firewall allows traffic from DNS Forwarder.

Operation: Akamai DNS Resolver DoT Engine Status
Description: Checks that DNS Forwarder can establish a TLS connection with SIA Cloud for DoT.
Resolution to Failure:
  • Confirm that your firewall allows outbound TCP port 443 or 853 for hostname .akaetp.net with dot as the ALPN. The port number depends on the port that you configured for DoT in Security Connector. This configuration is required for DoT connections.
  • Review the configuration of the management interface.

Operation: DNS Resolver Loop Check
Description: Checks that the primary and secondary DNS Forwarders do not send traffic to one another as a result of misconfiguration. This operation also confirms that your corporate resolver does not forward requests to DNS Forwarder. If a loop is detected, the IP address of the server where the loop occurs is listed.
Resolution to Failure:
  • Review the configuration of the management interface.
  • Make sure that your corporate DNS servers direct requests to SIA DNS and do not send requests to the DNS Forwarder.
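
When the TCP Connectivity or DoT Engine Status check fails, it helps to know which stage is being blocked. The following probe is an added example, not Akamai tooling: it separates a refused or dropped TCP connection from a failed TLS handshake with dot offered as the ALPN. It assumes that you run it from a host behind the same firewall as DNS Forwarder and pass the DoT hostname from your own Security Connector configuration as the argument.

```python
import socket
import ssl
import sys


def probe_dot(host, port=853, timeout=5.0):
    """Probe one DoT endpoint and report the first stage that fails.

    Returns (stage, detail); stage is 'tcp_failed', 'tls_failed',
    'alpn_mismatch' or 'ok'.
    """
    # Stage 1: plain TCP connect. A failure here matches the TCP
    # Connectivity check and usually points at a firewall rule.
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return ("tcp_failed", str(exc))

    # Stage 2: TLS handshake offering "dot" as the ALPN protocol,
    # with normal certificate and hostname verification.
    ctx = ssl.create_default_context()
    ctx.set_alpn_protocols(["dot"])
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            alpn = tls.selected_alpn_protocol()
            if alpn != "dot":
                return ("alpn_mismatch", f"peer selected {alpn!r}")
            return ("ok", tls.version())
    except (ssl.SSLError, OSError) as exc:
        raw.close()
        return ("tls_failed", str(exc))


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: probe_dot.py <DoT hostname from your configuration>")
    # Try both ports the page lists; only the one configured for DoT
    # in Security Connector needs to succeed.
    for port in (853, 443):
        stage, detail = probe_dot(sys.argv[1], port)
        print(f"{sys.argv[1]}:{port} -> {stage} ({detail})")
```

A result of tcp_failed points to the firewall rule for that port, while tls_failed or alpn_mismatch after a successful TCP connect suggests that something on the path is interfering with the TLS session.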