mbanica
Staff
October 24, 2025

Technical Tip: FortiGate generating periodic DNS queries for the root zone (.)

Description
This article describes how FortiGate units may periodically generate DNS queries for the root zone ('.') toward the configured system DNS servers.
These queries can appear in DNS server logs as unusual or invalid and may trigger alerts or cause minor performance degradation on internal DNS resolvers.
This behavior is expected and originates from the FortiGate’s internal dnsproxy process, which handles system-level DNS lookups such as FortiGuard connectivity checks and FQDN object resolution.
Scope
All FortiGate models and FortiOS versions, including standalone and HA deployments, when system DNS servers are defined under config system dns.
Solution

This behavior is normal and does not indicate a malfunction or security issue.
The dnsproxy process periodically sends root ('.') DNS queries as part of its cache validation and reachability tests.

Options to reduce alerts or impact:

  1. If the FortiGate uses internal DNS servers, configure the resolver to silently ignore or de-prioritize root ('.') queries.

  2. Alternatively, configure the FortiGate to use public DNS resolvers (for example, 1.1.1.1 or 8.8.8.8) for system DNS lookups, sourced from the management interface.

  3. In HA environments with ha-mgmt-interfaces enabled, each unit may independently generate these queries—this is expected.
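
For option 1, alert tuning on the resolver side can be scoped to the FortiGate source addresses so that root ('.') queries from any other host still surface. The sketch below is an added example, not Fortinet code: it assumes BIND 9 style query-log lines, and the addresses, sample log lines and function name are constructed for illustration.

```python
import re
from collections import Counter

# Assumption: BIND 9 style query-log lines; adjust the pattern for other resolvers.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<src>[0-9a-fA-F.:]+)#\d+ \([^)]*\): "
    r"query: (?P<name>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)

# Assumption: addresses the FortiGate units source system DNS lookups from
# (constructed values; two entries model an HA pair with ha-mgmt-interfaces).
FORTIGATE_SOURCES = {"192.0.2.10", "192.0.2.11"}

# Constructed sample log lines. The record type shown is a placeholder: the
# article does not state which type FortiGate sends, so only the name is matched.
SAMPLE_LOG = """\
24-Oct-2025 10:00:01.101 client @0x7f1c2c0a 192.0.2.10#40111 (.): query: . IN NS + (192.0.2.53)
24-Oct-2025 10:00:03.417 client @0x7f1c2c0b 192.0.2.11#40222 (.): query: . IN NS + (192.0.2.53)
24-Oct-2025 10:00:04.020 client @0x7f1c2c0c 192.0.2.10#40112 (example.com): query: example.com IN A + (192.0.2.53)
24-Oct-2025 10:00:09.550 client @0x7f1c2c0d 198.51.100.77#51900 (.): query: . IN NS + (192.0.2.53)
24-Oct-2025 10:05:01.098 client @0x7f1c2c0e 192.0.2.10#40113 (.): query: . IN NS + (192.0.2.53)
"""


def triage_root_queries(log_text, fortigate_sources=FORTIGATE_SOURCES):
    """Split root-zone ('.') queries into expected (FortiGate) and unexpected."""
    expected = Counter()   # per-FortiGate count of root queries, kept for baselining
    unexpected = []        # (source, qtype) for root queries from any other host
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m or m.group("name") != ".":
            continue  # not a query line, or not a root-zone query
        src = m.group("src")
        if src in fortigate_sources:
            expected[src] += 1
        else:
            unexpected.append((src, m.group("qtype")))
    return expected, unexpected


if __name__ == "__main__":
    expected, unexpected = triage_root_queries(SAMPLE_LOG)
    for src, count in sorted(expected.items()):
        print(f"expected: {src} sent {count} root queries (FortiGate dnsproxy)")
    for src, qtype in unexpected:
        print(f"ALERT: root query ({qtype}) from non-FortiGate source {src}")
```

Keeping the per-unit counts instead of discarding the matches gives a baseline, so a change in volume from a FortiGate address remains visible.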