| Description | This article describes how to troubleshoot the FortiADC Global Load Balance DNS resolver issue related to the Global DNS Policy configuration. |
| Scope | FortiADC. |
| Solution |
Prerequisite:
The FortiADC Global DNS Policy in GLB configurations uses source and destination traffic-matching criteria to serve the DNS zone resolver service. Users commonly run into the following problems when configuring the policy.
Multiple Global DNS Policies with both source and destination configured as 'any': When a DNS resolution request reaches FortiADC and its traffic criteria match the first Global DNS Policy, FortiADC does not check the subsequent Global DNS Policies, even if the DNS zone is not added to the matched policy.
For example, suppose two Global DNS Policies are created with both source and destination configured as 'any'. The request matches the first Global DNS Policy, but the DNS zone is added to the second one, so FortiADC does not return any result because the DNS zone record is not served by the matched Global DNS Policy.
To fix the issue, use only one Global DNS policy if there is no requirement to restrict the DNS resolver based on source/destination traffic criteria.
Unable to resolve non-authoritative domains even though recursion is enabled in General Settings: In some cases, where the organization uses FortiADC as the DNS resolver for all office/branch users, recursion must be enabled in the DNS server policy. The FortiADC administrator might have enabled recursion in the GLB General Settings, yet non-authoritative domains still cannot be resolved.
As with the previous issue, when a DNS resolution request for a non-authoritative domain reaches FortiADC, FortiADC checks the source and destination against the Global DNS Policy criteria. If the request matches a Global DNS Policy, FortiADC does not check the subsequent Global DNS Policies or the GLB General Settings conditions.
To resolve the issue, enable the ‘recursion’ option in the Global DNS policy settings.
Related document: FortiADC Global DNS Policy |
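Both issues above come from the same first-match evaluation, which the following added example models (it is an illustration written for this page, not FortiADC code or Fortinet's implementation). The `Policy` class, the function names, the addresses and the zone are constructed, and the model assumes that a request matching no policy falls back to the General Settings.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Policy:                      # hypothetical model, not a FortiADC object
    name: str
    source: str                    # CIDR string or "any"
    destination: str               # CIDR string or "any"
    zones: list = field(default_factory=list)
    recursion: bool = False

def _covers(criteria, ip):
    """'any' covers every address; otherwise test CIDR membership."""
    return criteria == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(criteria)

def _in_zone(qname, zone):
    q, z = qname.rstrip(".").lower(), zone.rstrip(".").lower()
    return q == z or q.endswith("." + z)

def resolve(policies, src, dst, qname, general_recursion=False):
    """Return (matched policy name, outcome) under first-match evaluation."""
    for p in policies:
        if _covers(p.source, src) and _covers(p.destination, dst):
            # First match wins: later policies and General Settings are ignored.
            if any(_in_zone(qname, z) for z in p.zones):
                return p.name, "authoritative"
            return p.name, "recursive" if p.recursion else "no answer"
    # Assumption: only unmatched requests fall back to General Settings.
    return None, "recursive" if general_recursion else "no answer"

def shadowed(policies):
    """Names of policies listed after an any/any policy; they can never match."""
    for i, p in enumerate(policies):
        if p.source == "any" and p.destination == "any":
            return [q.name for q in policies[i + 1:]]
    return []

# Constructed sample: the article's first scenario, then the corrected layout.
BROKEN = [Policy("policy1", "any", "any"),
          Policy("policy2", "any", "any", zones=["example.com"])]
FIXED = [Policy("policy1", "any", "any", zones=["example.com"], recursion=True)]

if __name__ == "__main__":
    client, listener = "192.0.2.10", "198.51.100.1"
    print(shadowed(BROKEN))
    print(resolve(BROKEN, client, listener, "www.example.com", general_recursion=True))
    print(resolve(FIXED, client, listener, "www.example.com"))
    print(resolve(FIXED, client, listener, "www.example.org"))
```

Running `shadowed()` over an exported policy list is a quick way to spot policies that can never be reached before users report failed lookups.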