Resolve DNS Forwarder status failures

In Security Connector, you can view the health and traffic statistics of DNS Forwarder. You can also view information about DNS Forwarder.

DNS Forwarder information

This area of the console shows how Security Connector transports and resolves traffic based on your current configuration.

InformationDescription
Primary Connection to DNS CloudShows the communication protocol that‚Äôs used to direct traffic to ‚ÄčSIA‚Äč.
Secondary Connection to DNS CloudIf the primary connection fails, the secondary connection is used. This shows the communication protocol that‚Äôs used to direct traffic to ‚ÄčSIA‚Äč.
Resolver for Internal QueriesShows the resolver that you configured for internal traffic.
Fallback Resolver (when DNS Cloud not reachable)When ‚ÄčSIA‚Äč (DNS Cloud) is not reachable, this resolver is used. This is the DNS server that you configured in Security Connector.

Health status

This table describes health checks that are completed for DNS Forwarder and the mitigation steps that are suggested to resolve a failure. If you cannot resolve an issue, contact ‚ÄčAkamai‚Äč Support.

To view the DNS Forwarder health status, see View DNS Forwarder health status.

OperationDescriptionResolution to Failure
Enterprise Resolver ReachabilityChecks to see that corporate DNS resolvers are reachable.
  • Review the DNS Name Server configuration.
  • Confirm that corporate DNS resolvers are available.
Primary DNS Cloud ConnectivityChecks to see whether DNS Forwarder can communicate with SIA. In the DNS Forwarder Info area, the protocol and method used to communicate with SIA, such as TCP and DoT is shown

If your organization uses DNS protection for China, this area indicates that DoT for China is used.
  • Confirm that your organization's firewall allows traffic from DNS Forwarder.

  • Confirm that your firewall allows outbound TCP port 443 or 853 for hostname .dot.dns.akasecure.net with dot as the ALPN. The port number depends on the port that you configured for DoT in Security Connector. This configuration is required for DoT connections.

Note: If you are using Security Connector to protect DNS traffic in China, make sure you allow TCP port 443 or 853 for the hostname .dot.tl53.net. The port number depends on the port that you configured for DoT in Security Connector.
Secondary DNS Cloud ConnectivityChecks to see whether the secondary connection to SIA is working. The secondary connection is used only if the primary connection fails.
  • Confirm that your organization's firewall allows traffic from DNS Forwarder.

  • Confirm that your firewall allows outbound UDP port 53 for Anycast IPs.

Note: If you are using Security Connector to protect DNS traffic in China, check TLS connectivity for .dot.dns.akasecure.net with dot as the ALPN. The TCP port (443 or 853) you allow depends on the port you configure for DoT in Security Connector.
DNS Resolver Loop CheckChecks that the primary and secondary DNS Forwarders do not send traffic to one another as a result of misconfiguration.

This operation also confirms that your corporate resolver does not forward requests to DNS Forwarder.

If a loop is detected, the IP address of the server where the loop occurs is listed.
  • Review the configuration of the en2 interface (formerly the management interface).
  • Make sure that your corporate DNS servers direct requests to ‚ÄčSIA‚Äč DNS and do not send requests to the DNS Forwarder.