lgupta
Staff
October 27, 2025

Technical Tip: How to enable and view logs for local-out DNS traffic

Description

This article describes how to enable and display logs related to local-out DNS traffic. 

Scope

FortiGate v7.0.1+, v7.2.x and above.
Solution

Logging for local-out DNS traffic can only be enabled from the CLI. However, the logs can be displayed via both the GUI and the CLI.

 

To enable logging for local-out DNS queries:

 

config system dns
    set log {disable | error | all}
end

 

  • disable: Disable local DNS logging.
  • error: Enable local DNS error log.
  • all: Enable local DNS log.

 

By default, logging for local-out DNS traffic is disabled. Once the log setting under 'config system dns' is set to error or all, the logs can be viewed as follows:


Via GUI:

  1. Navigate to Logs and Reports -> Security Events.
  2. Select the Logs Tab from the top, and from the drop-down menu, select DNS Query.

View on GUI:

[Screenshot: DNS Query logs in the GUI]

 

Via CLI:

Run the following commands:

 

execute log filter category 15
execute log display

 

Example:

Create a new address object:

 

config firewall address
    edit "dns_log_test"
        set type fqdn
        set fqdn "fortinet.ca"
    next
end

 

Display the local-out DNS log via CLI:

 

FGT_test# execute log filter category 15
FGT_test# execute log display

 

date=2025-10-22 time=11:26:25 eventtime=1756405585231183935 tz="-0700" logid="1501054805" type="utm" subtype="dns" eventtype="dns-response" level="information" vd="root" policyid=0 sessionid=0 srcport=0 srcintf="unknown-0" srcintfrole="undefined" dstip=96.45.45.45 dstport=53 dstcountry="United States" dstintf="unknown-0" dstintfrole="undefined" proto=17 xid=44 qname="fortinet.ca" qtype="A" qtypeval=1 qclass="IN" ipaddr="3.33.139.32" action="pass"
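
Once these logs are exported, they can be parsed and checked offline. The following is an added example, not part of the original article or Fortinet tooling: it parses the key=value layout shown above and lists local-out DNS entries sent to a resolver outside an expected set. The sample lines are constructed, and both the expected resolver set and the use of policyid=0 to recognise local-out entries are assumptions taken from the sample log.

```python
import re

# key=value pairs; a value is either "quoted" (may contain spaces) or a bare token
PAIR_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')

# Assumption: the resolvers this FortiGate is configured to use.
# 96.45.45.45 is the dstip in the article's sample log.
EXPECTED_RESOLVERS = {"96.45.45.45"}

# Constructed sample lines, shortened from the layout of the article's log entry.
SAMPLE_LOGS = [
    'date=2025-10-22 time=11:26:25 type="utm" subtype="dns" eventtype="dns-response" '
    'policyid=0 dstip=96.45.45.45 dstport=53 dstcountry="United States" '
    'qname="fortinet.ca" qtype="A" ipaddr="3.33.139.32" action="pass"',
    'date=2025-10-22 time=11:27:02 type="utm" subtype="dns" eventtype="dns-response" '
    'policyid=0 dstip=192.0.2.53 dstport=53 dstcountry="Reserved" '
    'qname="example.com" qtype="A" ipaddr="192.0.2.10" action="pass"',
    'date=2025-10-22 time=11:27:40 type="traffic" subtype="local" policyid=0 '
    'dstip=192.0.2.53 dstport=443 action="accept"',
]


def parse_log_line(line):
    """Return the key=value fields of one log line as a dict of strings."""
    return {key: quoted or bare for key, quoted, bare in PAIR_RE.findall(line)}


def is_local_out_dns(fields):
    # Assumption: local-out entries carry policyid=0, as in the article's sample.
    return (fields.get("type") == "utm"
            and fields.get("subtype") == "dns"
            and fields.get("policyid") == "0")


def unexpected_resolvers(lines, expected=EXPECTED_RESOLVERS):
    """List (time, qname, dstip) for local-out DNS entries sent outside `expected`."""
    findings = []
    for line in lines:
        fields = parse_log_line(line)
        if is_local_out_dns(fields) and fields.get("dstip") not in expected:
            findings.append((fields.get("time"), fields.get("qname"), fields.get("dstip")))
    return findings


if __name__ == "__main__":
    for when, qname, dstip in unexpected_resolvers(SAMPLE_LOGS):
        print(f"{when} local-out query for {qname} went to unexpected resolver {dstip}")
```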