In an HA cluster, only the unit in the primary role uses the configured DNS servers for name resolution. The unit in the secondary (standby) role sends its DNS queries to the primary unit instead. In the following example, FG01 is the primary unit and FG02 is the secondary unit:

get sys ha status

The DNS settings on both units:

(screenshot: FG01 DNS settings)
(screenshot: FG02 DNS settings)

From 'diagnose test application dnsproxy 2', FG01 shows the configured DNS servers:

(screenshot: FG01 diagnose test application dnsproxy 2)

On FG02, the same command shows 169.254.0.2, which is the heartbeat (port_ha) IP of FG01:

(screenshot: FG02 diagnose test application dnsproxy 2)

DNS traffic is therefore present on the heartbeat interface in a FortiGate HA setup: the secondary FortiGate uses the heartbeat IP to send its DNS queries to the primary. For example, when FortiAnalyzer Cloud is configured for cloud logging, the secondary FortiGate, even while in passive mode, keeps sending DNS requests to the primary over the heartbeat link to resolve the cloud service names.
Sniffer trace on port_ha (DNS query and response on UDP/53 between the two heartbeat addresses):

2025-12-08 15:53:49.149080 port_ha in 169.254.0.2.3206 -> 169.254.0.1.53: udp 81
2025-12-08 15:53:49.149085 port_ha out 169.254.0.2.3206 -> 169.254.0.1.53: udp 81
2025-12-08 15:53:49.819570 port_ha in 169.254.0.1.53 -> 169.254.0.2.3206: udp 156
Note: The same DNS behavior applies with virtual cluster 2 enabled in a multi-VDOM setup, where FG02 is primary for another VDOM. The unit that is secondary for virtual cluster 1 still sends its DNS queries to the virtual cluster 1 primary over the heartbeat link, even though it is the primary for virtual cluster 2.
Example output:

Primary unit (VC1 primary for VDOM root):

FG3H1E-2 (global) # diagnose test application dnsproxy 2
worker idx: 0
worker: count=1 idx=0 retry_interval=500 query_timeout=1495
DNS latency info:
vfid=3 server=96.45.46.46 latency=1 updated=748
vfid=3 server=8.8.8.8 latency=1 updated=2624
vfid=3 server=10.109.3.14 latency=1 updated=2663
SDNS latency info:
DNS_CACHE: alloc=6, hit=3740
RATING_CACHE: alloc=0, hit=0
DNS query: alloc=0
DNS UDP: req=7371 res=5455 fwd=5582 cmp=997 retrans=2462 to=1747 cur=7 switched=1206116 num_switched=1 v6_cur=0 v6_switched=0 num_v6_switched=0
DNS FTGD: ftg_fwd=0, ftg_res=0, ftg_retrans=0
DNS TCP: req=0, res=0, fwd=0, retrans=0, to=0
DNS TCP connections:
DNS UNIX streams: cfd=37 cfd=38 cfd=35 cfd=36
FQDN: alloc=12 nl_write_cnt=13856 nl_send_cnt=28570 nl_cur_cnt=0
Botnet: searched=0 hit=0

Connect to the other unit over the heartbeat link:

FG3H1E-2 (global) # exe ha manage <id>
please input peer box index.
<0> Subsidiary unit FG3H1xxxxxxxxxx
FG3H1E-2 (global) # execute ha manage 0 admin
Warning: Permanently added '169.254.0.1' (ECDSA) to the list of known hosts.
admin@169.254.0.1's password:
FG3H1E-1 # config global

Secondary unit (VC2 primary for VDOM test):

FG3H1E-1 (global) # diagnose test application dnsproxy 2
worker idx: 0
worker: count=1 idx=0 retry_interval=500 query_timeout=1495
DNS latency info:
vfid=3 server=169.254.0.2 latency=2 updated=37
SDNS latency info:
DNS_CACHE: alloc=5, hit=5403
RATING_CACHE: alloc=0, hit=0
DNS query: alloc=1
DNS UDP: req=40744 res=25384 fwd=25482 cmp=15211 retrans=5489 to=42 cur=37 switched=28380434 num_switched=105 v6_cur=0 v6_switched=0 num_v6_switched=0
DNS FTGD: ftg_fwd=0, ftg_res=0, ftg_retrans=0
DNS TCP: req=0, res=0, fwd=0, retrans=0, to=0
DNS TCP connections:
DNS UNIX streams: cfd=38 cfd=35 cfd=36 cfd=37
FQDN: alloc=12 nl_write_cnt=11311 nl_send_cnt=23182 nl_cur_cnt=2
Botnet: searched=0 hit=0
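The checks described above (which resolvers each HA member is actually using, and the DNS query/response pair on the heartbeat interface) can be automated when collecting output from many clusters. The following is an added example, not code from Fortinet or from this article: it parses the 'DNS latency info' lines of 'diagnose test application dnsproxy 2' and the UDP lines of a heartbeat-interface sniffer trace. It assumes that any resolver address inside 169.254.0.0/16 is the HA peer's heartbeat address rather than a real DNS server, and the sample outputs embedded in it are constructed (abbreviated) from the article's own examples.

```python
"""Added example (not from the Fortinet article): classify a FortiGate HA
member as resolving DNS directly or through its peer, based on
'diagnose test application dnsproxy 2', and pick the DNS packets out of a
heartbeat-interface sniffer trace. The sample outputs are constructed from
the article's examples, not captured from a live device."""
import ipaddress
import re

# FortiGate HA heartbeat addresses come from the link-local range
# (169.254.0.1 / 169.254.0.2 in the article). Assumption: any resolver in
# this range is the HA peer, not a real DNS server.
HA_HEARTBEAT_NET = ipaddress.ip_network("169.254.0.0/16")

LATENCY_RE = re.compile(
    r"vfid=(\d+)\s+server=(\S+)\s+latency=(\d+)\s+updated=(\d+)")
SNIFFER_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>[\d.]+)\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+):\s+udp\s+(?P<len>\d+)")


def parse_dnsproxy(output):
    """One dict per 'DNS latency info' line: the resolvers dnsproxy is using."""
    return [
        {"vfid": int(v), "server": s, "latency": int(lat), "updated": int(u)}
        for v, s, lat, u in LATENCY_RE.findall(output)
    ]


def is_heartbeat(addr):
    """True if addr is an IP literal inside the HA heartbeat range."""
    try:
        return ipaddress.ip_address(addr) in HA_HEARTBEAT_NET
    except ValueError:  # not an IP literal; treat it as a real resolver
        return False


def dns_role(output):
    """'primary' if every resolver is a real DNS server, 'secondary' if every
    resolver is the peer's heartbeat address, 'mixed' otherwise."""
    servers = parse_dnsproxy(output)
    if not servers:
        return "none"
    flags = [is_heartbeat(s["server"]) for s in servers]
    if all(flags):
        return "secondary"
    if not any(flags):
        return "primary"
    return "mixed"


def heartbeat_dns_packets(trace):
    """UDP/53 packets between two heartbeat addresses in a sniffer trace,
    tagged as query (to port 53) or response (from port 53)."""
    packets = []
    for line in trace.splitlines():
        m = SNIFFER_RE.match(line.strip())
        if not m:
            continue
        src, dst = m["src"], m["dst"]
        if not (is_heartbeat(src) and is_heartbeat(dst)):
            continue
        if m["dport"] == "53":
            kind = "query"
        elif m["sport"] == "53":
            kind = "response"
        else:
            continue
        packets.append({"iface": m["iface"], "dir": m["dir"], "kind": kind,
                        "src": src, "dst": dst, "len": int(m["len"])})
    return packets


# Constructed samples, abbreviated from the article's output.
PRIMARY_OUTPUT = """\
DNS latency info:
vfid=3 server=96.45.46.46 latency=1 updated=748
vfid=3 server=8.8.8.8 latency=1 updated=2624
vfid=3 server=10.109.3.14 latency=1 updated=2663
SDNS latency info:
"""
SECONDARY_OUTPUT = """\
DNS latency info:
vfid=3 server=169.254.0.2 latency=2 updated=37
SDNS latency info:
"""
SNIFFER_TRACE = """\
2025-12-08 15:53:49.149080 port_ha in 169.254.0.2.3206 -> 169.254.0.1.53: udp 81
2025-12-08 15:53:49.149085 port_ha out 169.254.0.2.3206 -> 169.254.0.1.53: udp 81
2025-12-08 15:53:49.819570 port_ha in 169.254.0.1.53 -> 169.254.0.2.3206: udp 156
"""

if __name__ == "__main__":
    print("FG01:", dns_role(PRIMARY_OUTPUT))     # primary
    print("FG02:", dns_role(SECONDARY_OUTPUT))   # secondary
    for pkt in heartbeat_dns_packets(SNIFFER_TRACE):
        print(pkt)
```

A 'mixed' result is worth investigating: it means one VDOM on the unit is forwarding to the peer while another is talking to real resolvers, which is not the behavior the article describes and usually points at a VDOM-specific DNS override or an HA role that has just changed.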