Solution

When FortiGate operates as a DNS server (System DNS, DNS Filter, FQDN objects, or SDNS), the dnsproxy daemon handles DNS queries. Use 'diagnose test application dnsproxy 3' to display runtime statistics of the DNS proxy process:

```
FGT-1 # diagnose test application dnsproxy 3
worker idx: 0
VDOM: root, index=0, is primary, vdom dns is enabled, pip-0.0.0.0 dns_log=1
dns64 is disabled
DNS servers:
195.121.1.34:53 vrf=0 tz=0 encrypt=none req=10602 to=0 res=10604 rt=1 ready=1 timer=0 probe=0 failure=0 last_failed=0
195.121.1.66:53 vrf=0 tz=0 encrypt=none req=10540 to=0 res=10541 rt=24 ready=1 timer=0 probe=0 failure=0 last_failed=0
96.45.45.45:853 vrf=0 tz=0 encrypt=dot req=12648 to=139 res=12518 rt=1 ready=1 timer=0 probe=0 failure=0 last_failed=0
96.45.46.46:853 vrf=0 tz=0 encrypt=dot req=10907 to=10 res=10901 rt=5 ready=1 timer=0 probe=0 failure=0 last_failed=0
SDNS servers:
173.243.140.53:853 vrf=0 tz=60 encrypt=dot req=0 to=0 res=0 rt=3 ready=1 timer=0 probe=0 failure=0 last_failed=0
139.138.105.53:853 vrf=0 tz=60 encrypt=dot req=0 to=0 res=0 rt=7 ready=1 timer=0 probe=0 failure=0 last_failed=0
ALT servers:
VRF selected: 0
Interface selecting method: auto
Specified interface:
FortiGuard VRF selected: 0
FortiGuard interface selecting method: auto
FortiGuard specified interface:
DNS_CACHE: hash-size=2048, ttl=1800, min-ttl=60, max-num=5000
DNS FD: udp_s=11 udp_c=17:18 ha_c=22 unix_s=6, unix_nb_s=23, unix_nc_s=7 v6_udp_s=12, v6_udp_c=20:21, snmp=24, redir=13, v6_redir=14
DNS FD: tcp_s=26, tcp_s6=27, redir=28 v6_redir=29
DNS UNIX FD: dnsproxy_un=30
FQDN: min_refresh=60 max_refresh=3600
FGD_DNS_SERVICE_LICENSE:
server=173.243.140.53:853, expiry=2027-02-20, expired=0, type=2
server=139.138.105.53:853, expiry=2027-02-20, expired=0, type=2
FGD_CATEGORY_VERSION:10
SERVER_LDB: gid=4507, tz=60, error_allow=0
FGT SERIAL NUMBER: FGT90GTK13000629
FGD_REDIR_V4:208.91.112.55 FGD_REDIR_V6:[2620:101:9000:53::55]
```

To decode this field by field:

DNS Section:

```
195.121.1.34:53 vrf=0 tz=0 encrypt=none req=10602 to=0 res=10604 rt=1 ready=1
```

| Field | Meaning | What it Measures |
| --- | --- | --- |
| **req** | Requests sent. | DNS queries FortiGate forwarded. |
| **res** | Responses received. | Replies from the DNS server. |
| **to** | Timeouts. | Queries with NO reply. |
| **rt** | Round-trip time. | Average latency (ms). |
| **ready** | Server usability. | 1 = usable. |

SDNS Section:

```
173.243.140.53:853 vrf=0 tz=60 encrypt=dot req=0 to=0 res=0 rt=3 ready=1
139.138.105.53:853 vrf=0 tz=60 encrypt=dot req=0 to=0 res=0 rt=7 ready=1
```

| Field | Meaning | What it Measures |
| --- | --- | --- |
| **vrf** | The routing table used. | Default routing table. |
| **tz** | Timeout zone value used by FortiGuard scheduling. | To send the actual query traffic, FortiGate devices select from the server list based on time zone and server response status. |
| **encrypt** | Encryption method. | 'none' = plain DNS; 'dot' = DNS over TLS. |
| **req** | Requests sent. | Number of SDNS queries sent to FortiGuard. Why zero? Because FortiGate only contacts SDNS when: (1) a DNS Filter policy is used; (2) a domain category lookup is needed. |
| **to** | Timeouts. | Queries with no reply. |
| **res** | Responses received. | Replies from FortiGuard. |
| **rt** | Round-trip time. | Average latency (ms). |
| **ready** | Server health status. | 1 = Available. 0 = Marked down. |

For more information about how to troubleshoot DNS, refer to the following articles:

- Technical Tip: DNS issues and commands to use
- Technical Tip: FortiGate Troubleshooting DNS commands
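Added example (not from the original article or from Fortinet): the field decoding above applied to saved command output, parsing the per-server lines and flagging servers that are not ready, use plain DNS, or exceed a timeout or latency threshold. The function names, both thresholds, and the 192.0.2.53 line are assumptions constructed for illustration; the other server lines are copied from the sample output on this page.

```python
import re

# Server lines copied from this page's sample output, plus one constructed
# line (192.0.2.53, a documentation address) showing a server marked down.
SAMPLE = """\
DNS servers:
195.121.1.34:53 vrf=0 tz=0 encrypt=none req=10602 to=0 res=10604 rt=1 ready=1 timer=0 probe=0 failure=0 last_failed=0
96.45.45.45:853 vrf=0 tz=0 encrypt=dot req=12648 to=139 res=12518 rt=1 ready=1 timer=0 probe=0 failure=0 last_failed=0
192.0.2.53:53 vrf=0 tz=0 encrypt=none req=40 to=40 res=0 rt=0 ready=0 timer=0 probe=0 failure=0 last_failed=0
SDNS servers:
173.243.140.53:853 vrf=0 tz=60 encrypt=dot req=0 to=0 res=0 rt=3 ready=1 timer=0 probe=0 failure=0 last_failed=0
ALT servers:
"""

SECTION = re.compile(r"^(DNS|SDNS|ALT) servers:$")
SERVER = re.compile(r"^(\S+:\d+)\s+(\w+=\S.*)$")

def parse_servers(text):
    """Return one dict per 'ip:port key=value ...' line, tagged with its section."""
    servers, section = [], None
    for line in map(str.strip, text.splitlines()):
        if m := SECTION.match(line):
            section = m.group(1)
        elif section and (m := SERVER.match(line)):
            pairs = (kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
            fields = {k: int(v) if v.isdigit() else v for k, v in pairs}
            servers.append({"section": section, "addr": m.group(1), **fields})
    return servers

def findings(servers, max_timeout_pct=1.0, max_rt_ms=200):
    """Flag servers worth a look. Both thresholds are assumptions; tune them."""
    out = []
    for s in servers:
        if s.get("ready") != 1:
            out.append((s["addr"], f"not usable (ready={s.get('ready')})"))
        if s.get("encrypt") == "none":
            out.append((s["addr"], "plain DNS (encrypt=none)"))
        req, to = s.get("req", 0), s.get("to", 0)
        # Timeouts are judged against req; res may exceed req, as in the sample.
        if req and 100.0 * to / req > max_timeout_pct:
            out.append((s["addr"], f"timeouts {100.0 * to / req:.2f}% of requests"))
        if s.get("rt", 0) > max_rt_ms:
            out.append((s["addr"], f"rt {s['rt']} ms"))
    return out

if __name__ == "__main__":
    for addr, issue in findings(parse_servers(SAMPLE)):
        print(f"{addr}: {issue}")
```

SDNS servers with req=0 produce no timeout finding, which matches the article's note that FortiGate only contacts SDNS when DNS Filter or a category lookup is in use.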