hiteshgavit
New Member
November 24, 2025
Question

DNS servers auto changes after firewall restarts.

  • November 24, 2025
  • 2 replies
  • 987 views

Hi,

I have a client who turns off this firewall at night and turns it on again in the morning. So basically the firewall restarts, and when the firewall starts the DNS servers get changed to an unknown IP, so I have to manually change the DNS to FortiGate's default server. I have to change the servers every morning. I want to know: is it a BUG or something else? Previously the OS was v7.2.10; to fix this I upgraded to v7.4.8, but the issue still exists. It is a new 80F device.

2 replies

Jakob-AHHG
Explorer III
November 24, 2025

Hi,

1: Where do the DNS servers change?
In Network: DNS: [Primary/Secondary]?

2: Is it set to 'Use FortiGuard..' or 'Specify'?

3: Why in the world are they turning off the equipment?!? ;)
Wear & tear on electronics that is turned off/on all the time ends up being higher than the electricity cost.. ;)

hiteshgavit
New Member
November 25, 2025
 

These are the 2 IPs we get after the restart.

[Screenshot 2025-11-25 115917.png]

Regarding your question they power off the main switch of the office at night.

funkylicious
SuperUser
November 25, 2025

Does the firewall have a task/automation stitch that shuts it down, or do they just unplug it? One idea would be to gracefully shut it down by executing the command and doing a config/revision save.

After the restart, if you do a show full | grep 83.147.255.216, is it present somewhere else except the DNS settings?

"jack of all trades, master of none"
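The check suggested in the reply above (grep the full configuration for the unknown address) can be done offline against a saved configuration backup, and it helps to know which config block each hit sits in rather than only that the string occurs. The following is an added example, not code from any poster or from Fortinet: it walks a FortiOS-style config dump, tracks the enclosing config/edit blocks, and reports the path of every line that references the address. The configuration text is constructed for the example; the address 83.147.255.216 is the one quoted in the thread, and the dhcp-server hit is invented to show what a reference outside system dns would look like.

```python
import re
from typing import List, Tuple

# Constructed sample of a FortiOS-style configuration dump (not taken from the
# poster's device). The dhcp server block is invented to illustrate a hit that
# lives outside "config system dns".
SAMPLE_CONFIG = """\
config system dns
    set primary 83.147.255.216
    set secondary 96.45.46.46
end
config system interface
    edit "port1"
        set ip 192.168.1.99 255.255.255.0
    next
end
config system dhcp server
    edit 1
        set dns-server1 83.147.255.216
        set interface "internal"
    next
end
"""

CONFIG_RE = re.compile(r'^config\s+(.+)$')
EDIT_RE = re.compile(r'^edit\s+(.+)$')


def find_ip_references(config_text: str, ip: str) -> List[Tuple[str, str]]:
    """Return (block path, line) for every line that references `ip`.

    The block path is the chain of enclosing "config ..." / "edit ..." blocks,
    so each hit can be tied to the feature that uses the address. The address
    is matched as a whole dotted quad, so 83.147.255.21 does not match
    83.147.255.216.
    """
    pattern = re.compile(r'(?<![\d.])' + re.escape(ip) + r'(?![\d.])')
    stack: List[str] = []
    hits: List[Tuple[str, str]] = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if pattern.search(line):
            hits.append((" / ".join(stack), line))
        m = CONFIG_RE.match(line)
        if m:
            stack.append("config " + m.group(1).strip())
            continue
        m = EDIT_RE.match(line)
        if m:
            stack.append("edit " + m.group(1).strip().strip('"'))
            continue
        if line in ("next", "end") and stack:
            stack.pop()
    return hits


def references_outside_dns(config_text: str, ip: str) -> List[Tuple[str, str]]:
    """Hits that are not under "config system dns", i.e. the ones worth chasing
    when the DNS setting itself is known to be wrong."""
    return [h for h in find_ip_references(config_text, ip)
            if not h[0].startswith("config system dns")]


if __name__ == "__main__":
    for path, line in find_ip_references(SAMPLE_CONFIG, "83.147.255.216"):
        print(f"{path or '<top level>'}: {line}")
```

To use it on a real device, replace SAMPLE_CONFIG with the text of a configuration backup (or the captured output of show full) and pass the address that keeps reappearing; a hit under a block other than system dns points at the feature that is re-injecting the setting.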
kaman
Staff
November 24, 2025

Hi hiteshgavit,

When a primary and secondary DNS server are configured, there is no priority between them. The terms primary and secondary may be confusing.


In fact, the RTT of each DNS server is recorded and FortiOS queries and uses the DNS server with the lowest RTT. This RTT is dynamically calculated and adjusted using each request and response. If a server does not respond, its RTT is set to 18 seconds (1800 hundredths of a second). Run the command "diag test app dnsproxy 3", which will give the DNS information.


Use a sniffer to verify whether DNS traffic is leaving FortiGate:

diagnose sniffer packet any 'udp port 53' 4 0 l


If DNS is configured to use TLS/853, use the following command:

diagnose sniffer packet any 'tcp port 853' 4 0 l


Please refer to the document below for more information:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-DNS-server-is-unreachable-when-using-custom-DNS/ta-p/219668
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Local-DNS-records-and-Non-local-DNS-records/ta-p/202398
https://community.fortinet.com/t5/FortiGate/Technical-Tip-DNS-issues-and-commands-to-use/ta-p/333893


Regards,
Aman
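The selection rule described in the reply above (no priority between primary and secondary; the server with the lowest recorded RTT is used, and a non-responding server is recorded as 18 seconds) is easier to reason about with a small model. The following is an added example, not code from Fortinet or from any poster: it keeps a per-server RTT in hundredths of a second, penalises a timeout with the 1800 value quoted in the reply, and picks the lowest-RTT server after each round. How FortiOS smooths successive measurements is not stated in the thread, so the averaging used here, and the choice to start every server at 0 until measured, are modelling assumptions.

```python
from typing import Dict, List, Optional

# From the reply above: a server that does not answer is recorded as 18 s,
# i.e. 1800 hundredths of a second.
UNRESPONSIVE_RTT = 1800


class DnsServerSelector:
    """Model of lowest-RTT selection among configured DNS servers.

    Servers start at RTT 0 until measured (assumption). Insertion order is
    kept so that a tie resolves to the server listed first.
    """

    def __init__(self, servers: List[str]) -> None:
        self.rtt: Dict[str, int] = {s: 0 for s in servers}

    def record(self, server: str, rtt_hundredths: Optional[int]) -> None:
        """Record one request/response; None means the server timed out."""
        if server not in self.rtt:
            raise KeyError(f"unknown DNS server {server}")
        if rtt_hundredths is None:
            self.rtt[server] = UNRESPONSIVE_RTT
        else:
            # Assumed smoothing: average the new sample with the stored value,
            # so one fast answer does not immediately rehabilitate a server
            # that just timed out.
            self.rtt[server] = (self.rtt[server] + rtt_hundredths) // 2

    def choose(self) -> str:
        # min() returns the first key on ties, i.e. the first configured server
        return min(self.rtt, key=self.rtt.__getitem__)


def simulate(selector: DnsServerSelector,
             rounds: List[Dict[str, Optional[int]]]) -> List[str]:
    """Apply rounds of measurements and return the server chosen after each."""
    chosen = []
    for measurements in rounds:
        for server, rtt in measurements.items():
            selector.record(server, rtt)
        chosen.append(selector.choose())
    return chosen


if __name__ == "__main__":
    # Constructed scenario: the "secondary" answers faster, then times out once.
    sel = DnsServerSelector(["primary", "secondary"])
    rounds = [
        {"primary": 40, "secondary": 10},  # secondary is faster, so it wins
        {"secondary": None},               # one timeout: recorded as 1800
        {"secondary": 10},                 # fast again, but still far above primary
        {"primary": 30, "secondary": 10},
    ]
    for pick, rtts in zip(simulate(sel, rounds), rounds):
        print(pick, sel.rtt)
```

The scenario shows the two points of the reply: the server labelled "secondary" is used as soon as it answers faster, and after a single timeout the penalised server stays deprioritised for several rounds even though it is answering again.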