In Security Connector, you can view the health and traffic statistics of DNS Forwarder. You can also view information about DNS Forwarder.

DNS Forwarder information

This area of the console shows how Security Connector transports and resolves traffic based on your current configuration.

Information	Description
Primary Connection to DNS Cloud	Shows the communication protocol that’s used to direct traffic to SIA.
Secondary Connection to DNS Cloud	If the primary connection fails, the secondary connection is used. This shows the communication protocol that’s used to direct traffic to SIA.
Resolver for Internal Queries	Shows the resolver that you configured for internal traffic.
Fallback Resolver (when DNS Cloud not reachable)	When SIA (DNS Cloud) is not reachable, this resolver is used. This is the DNS server that you configured in Security Connector.

Health status

This table describes health checks that are completed for DNS Forwarder and the mitigation steps that are suggested to resolve a failure. If you cannot resolve an issue, contact Akamai Support.

To view the DNS Forwarder health status, see View DNS Forwarder health status.

Operation	Description	Resolution to Failure
Enterprise Resolver Reachability	Checks to see that corporate DNS resolvers are reachable.	Review the DNS Name Server configuration. Confirm that corporate DNS resolvers are available.
Primary DNS Cloud Connectivity	Checks to see whether DNS Forwarder can communicate with SIA. In the DNS Forwarder Info area, the protocol and method used to communicate with SIA, such as TCP and DoT is shown If your organization uses DNS protection for China, this area indicates that DoT for China is used.	Confirm that your organization's firewall allows traffic from DNS Forwarder. Confirm that your firewall allows outbound TCP port 443 or 853 for hostname `.dot.dns.akasecure.net` with `dot` as the ALPN. The port number depends on the port that you configured for DoT in Security Connector. This configuration is required for DoT connections. Note: If you are using Security Connector to protect DNS traffic in China, make sure you allow TCP port 443 or 853 for the hostname `.dot.tl53.net`. The port number depends on the port that you configured for DoT in Security Connector.
Secondary DNS Cloud Connectivity	Checks to see whether the secondary connection to SIA is working. The secondary connection is used only if the primary connection fails.	Confirm that your organization's firewall allows traffic from DNS Forwarder. Confirm that your firewall allows outbound UDP port 53 for Anycast IPs. Note: If you are using Security Connector to protect DNS traffic in China, check TLS connectivity for `.dot.dns.akasecure.net` with `dot` as the ALPN. The TCP port (443 or 853) you allow depends on the port you configure for DoT in Security Connector.
DNS Resolver Loop Check	Checks that the primary and secondary DNS Forwarders do not send traffic to one another as a result of misconfiguration. This operation also confirms that your corporate resolver does not forward requests to DNS Forwarder. If a loop is detected, the IP address of the server where the loop occurs is listed.	Review the configuration of the en2 interface (formerly the management interface). Make sure that your corporate DNS servers direct requests to SIA DNS and do not send requests to the DNS Forwarder.