Troubleshooting Tip: Wildcard FQDN objects no longer resolve IP addresses in v7.6.5
Description
This article describes an issue where FQDN objects do not resolve to IP addresses.
Scope
FortiGate v7.6.5, FortiGate v7.6.6.
Solution
After upgrading the FortiGate to Firmware v7.6.5 or v7.6.6, the FortiGate will not resolve the FQDN IP address; therefore, it could cause a traffic drop on the Firewall Policies where these FQDN objects are being used.
Â
To confirm if this matches the BUG 1254463, it is necessary to collect the following logs.
Â
Crashlog DNS Proxy debug. CPU utilization per process.
Â
If the DNS Proxy output shows something similar to the following:
2026-03-31 14:46:07 [worker 0] __fqdn_response_cb()-1117: query_id=3232(0xa00c), an=6, rcode=0
2026-03-31 14:46:07 [worker 0] __fqdn_response_cb()-1111: domain=*example.com
2026-03-31 14:46:07 [worker 0] __fqdn_response_cb()-1117: query_id=3232(0xa00c), an=6, rcode=0
2026-03-31 14:46:07 [worker 0] __fqdn_response_cb()-1111: domain=*exampe.com
2026-03-31 14:46:07 [worker 0] __fqdn_response_cb()-1117: query_id=3232(0xa00c), an=6, rcode=0Â
And if daemon CPU utilization shows multiple DNS proxy daemons with high CPU usage:
dnsproxy 162 R 96.5 0.2 1
dnsproxy 163 R 99.9 0.2 1
dnsproxy 165 R 97.0 0.2 1
dnsproxy 166 S 0.9 0.2 4Â
And if crashlogs show the following:
12514: 2026-02-20 08:57:11 the killed daemon is /bin/dnsproxy: status=0x100
12515: 2026-02-20 08:57:13 the killed daemon is /bin/dnsproxy: status=0x100Â
It may be due to the bug. Open a ticket with Customer Service Tip: How to create a ticket for Fortinet TAC to confirm this.
When there are multiple daemons configured for DNS proxy, this may cause high CPU consumption. Performance degradation is therefore expected.
As a workaround:
Include an apex domain in the firewall address.
For instance, include 'forelle.ca' as the firewall address and avoid using the wildcard "*forelle.ca'.
Note: This bug is explained in the v7.6.5 release notes under Known issues.