Fortigate - Shorten TTL for FQDN Address

Forum|Forum|1 year ago
October 16, 2024
1 reply
2389 views

Hi

Fortigate 101F

Version 7.6.0

I'm trying to reduce the TTL for a number of fqdn addresses by setting the cache-ttl on the address object itself.

When the default cache-ttl is set to 0, and also the global setting for fqdn-cache-ttl is set to 0, it is using 2400 seconds - which I assume is from the DNS query response. (The Fortigate is configured to use our DCs for DNS)
.

To overcome this, I have set the cache-ttl to 60 under the FQDN type address object, but it continues to use the 2400 timer?.

I am checking this by using command - diag test app dnsproxy 6

Any help much appreciated

FortiGate

FortiGate

salemneaz

Staff

Hi,

Did you get a change to check this article;

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Explanation-of-the-FQDN-nbsp-default-nbsp-cache/ta-p/213280

Did you tried this setting;

config system dns
set fqdn-cache-ttl 2000
end

Or this one;

config firewall address
edit "FQDN_s3-fips.us-gov-west-1.amazonaws.com/"
set type fqdn
set fqdn "s3-fips.us-gov-west-1.amazonaws.com"
set cache-ttl 86400 <----- Default value is 0.
next

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-deal-with-FQDN-with-short-DNS-TTL/ta-p/333706

What is the Firmware version

johnycomsAuthor

New Member

Hello Salem

Thank you for replying to me so promptly.

I used the articles in your email to configure the firewall as follows:

Fortigate 101F Version 7.6.0

Global fqdn-cache-ttl is set to default (0)

DNS obtained from Domain Controllers

Test FQDN is "lt22348.eastsuffolk.local"

I have set cache-tll for this fqdn to 30 seconds (as it gets 1200 seconds from the DC which is too long):

When viewing the diagnose test results, it is still using 1200 ttl rather than 30 ttl.:

Hope this helps.

Thanks

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded