FortiGate
fortiraj_FTNT
Article Id 406757
Description

This article describes how to enable essential services on FortiGate, such as rating services, FortiGuard, and FortiCloud services, without dependency on system DNS configuration.

In certain restricted deployments, system DNS either should not be configured or points to an internal DNS server that is hosted remotely and reachable via an IPsec tunnel. In the second case, any impact on the tunnel can cause immediate failure of URL and DNS rating services, affecting services that require FortiGate to connect with FortiGuard or FortiCloud.

By using DNS database entries with forwarders for essential Fortinet services, FortiGate can continue to function optimally even when system DNS is unavailable.

The following domains provide rating and FortiGuard services to FortiGate: fortiguard.net, forticloud.com, fortinet.net, fortinet.com

Scope

FortiGate.
Solution
  1. Enable DNS-database services on FortiGate from the feature visibility section under System -> Feature Visibility -> Enable DNS Database.

    config system global
        set gui-dns-database enable
    end

  2. Configure DNS Forwarding for Fortinet domains:

    config system dns-database
        edit "fortinet.com"
            set domain "fortinet.com"
            set authoritative disable
            set forwarder "96.45.45.45" "96.45.46.46"
        next
        edit "fortiguard.net"
            set domain "fortiguard.net"
            set authoritative disable
            set forwarder "96.45.45.45" "96.45.46.46"
        next
        edit "fortinet.net"
            set domain "fortinet.net"
            set authoritative disable
            set forwarder "96.45.45.45" "96.45.46.46"
        next
        edit "forticloud.com"
            set domain "forticloud.com"
            set authoritative disable
            set forwarder "96.45.45.45" "96.45.46.46"
        next
    end

Diagnostics and verification.

DNS stats:

    diagnose test application dnsproxy 2
    worker idx: 0
    worker: count=1 idx=0
    retry_interval=500 query_timeout=1495
    DNS latency info:
    vfid=0 server=96.45.45.45 latency=1 updated=3780
    SDNS latency info:
    DNS_CACHE: alloc=2, hit=2
    RATING_CACHE: alloc=0, hit=0

Dump DNS setting:

    diagnose test application dnsproxy 3
    worker idx: 0
    VDOM: root, index=0, is primary, vdom dns is enabled, pip-0.0.0.0 dns_log=1
    dns64 is disabled
    DNS servers: <----- No DNS Servers configured.
    SDNS servers:
    ALT servers:
    Interface selecting method: auto
    Specified interface:
    FortiGuard interface selecting method: auto
    FortiGuard specified interface:

DNS cache:

FortiGuard service hostnames are fetched from DNS forwarder servers.

    diagnose test application dnsproxy 7
    vfid=0, name=securegip.fortinet.net, ttl=3840:3620:1580
             12.34.97.18 (ttl=10545) 173.243.138.96 (ttl=10545)
    vfid=0, name=update.fortiguard.net, ttl=4712:3205:293
             173.243.138.71 (ttl=61172) 149.5.232.66 (ttl=61172) 12.34.97.16 (ttl=61172)
    CACHE num=2

Dump DNS database:

    diagnose test application dnsproxy 8
    vfid=0 name=fortinet.net domain=fortinet.net ttl=86400 authoritative=0 view=shadow type=primary serial=1497823940 refresh=0
    forwarder(s): 96.45.45.45 96.45.46.46
    source-ip(s): 0.0.0.0 ::
        SOA: fortinet.net (primary: dns.fortinet.net, contact: host@fortinet.net, serial: 1497823940)(86400)

    vfid=0 name=fortinet.com domain=fortinet.com ttl=86400 authoritative=0 view=shadow type=primary serial=947308521 refresh=0
    forwarder(s): 96.45.45.45 96.45.46.46
    source-ip(s): 0.0.0.0 ::
        SOA: fortinet.com (primary: dns.fortinet.com, contact: host@fortinet.com, serial: 947308521)(86400)

    vfid=0 name=forticloud.com domain=forticloud.com ttl=86400 authoritative=0 view=shadow type=primary serial=1551432320 refresh=0
    forwarder(s): 96.45.45.45 96.45.46.46
    source-ip(s): 0.0.0.0 ::
        SOA: forticloud.com (primary: dns.forticloud.com, contact: host@forticloud.com, serial: 1551432320)(86400)

    vfid=0 name=fortiguard.net domain=fortiguard.net ttl=86400 authoritative=0 view=shadow type=primary serial=942777948 refresh=0
    forwarder(s): 96.45.45.45 96.45.46.46
    source-ip(s): 0.0.0.0 ::
        SOA: fortiguard.net (primary: dns.fortiguard.net, contact: host@fortiguard.net, serial: 942777948)(86400)
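
A check for the DNS database dump above, as an added example that is not part of the original article: this Python script parses saved `diagnose test application dnsproxy 8` output and reports any of the four Fortinet domains that has no entry, is authoritative, or forwards to servers other than the two configured in step 2. The function names `parse_zones` and `audit` are hypothetical, and the second entry in the sample dump is constructed to show a failing case.

```python
import re

# Zone entries in the style of the article's "dnsproxy 8" dump. The fortinet.net
# entry is copied from it; the forticloud.com entry is constructed to show a
# misconfiguration (authoritative zone, forwarder from a documentation range).
SAMPLE_DUMP = """\
vfid=0 name=fortinet.net domain=fortinet.net ttl=86400 authoritative=0 view=shadow type=primary serial=1497823940 refresh=0
forwarder(s): 96.45.45.45 96.45.46.46
source-ip(s): 0.0.0.0 ::

vfid=0 name=forticloud.com domain=forticloud.com ttl=86400 authoritative=1 view=shadow type=primary serial=1551432320 refresh=0
forwarder(s): 192.0.2.53
source-ip(s): 0.0.0.0 ::
"""

REQUIRED = ("fortiguard.net", "forticloud.com", "fortinet.net", "fortinet.com")
FORWARDERS = {"96.45.45.45", "96.45.46.46"}  # forwarders used in the article
ZONE_RE = re.compile(r"vfid=\d+ name=\S+ domain=(\S+) .*?authoritative=(\d)")

def parse_zones(dump):
    """Map each zone's domain to its authoritative flag and forwarder set."""
    zones, current = {}, None
    for line in (raw.strip() for raw in dump.splitlines()):
        match = ZONE_RE.match(line)
        if match:
            current = {"authoritative": match.group(2) == "1", "forwarders": set()}
            zones[match.group(1)] = current
        elif current is not None and line.startswith("forwarder(s):"):
            current["forwarders"].update(line.split(":", 1)[1].split())
    return zones

def audit(dump, required=REQUIRED, forwarders=FORWARDERS):
    """Return {domain: [problems]} for required domains that deviate."""
    zones, findings = parse_zones(dump), {}
    for domain in required:
        zone = zones.get(domain)
        if zone is None:
            findings[domain] = ["no dns-database entry"]
            continue
        problems = []
        if zone["authoritative"]:
            problems.append("authoritative is enabled")
        if zone["forwarders"] != set(forwarders):
            problems.append("unexpected forwarders: " + " ".join(sorted(zone["forwarders"])))
        if problems:
            findings[domain] = problems
    return findings

if __name__ == "__main__":
    for domain, problems in audit(SAMPLE_DUMP).items():
        print(domain, "->", "; ".join(problems))
```

An empty result from `audit` means all four domains match the configuration in step 2.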

 

Web Rating services:

    diagnose debug rating
    Num. of servers : 29
    Protocol        : udp
    Port            : 8888
    Anycast         : Disable
    Default servers : Included

    -=- Server List (Mon Jul 28 06:26:59 2025) -=-

    IP             Weight  RTT  Flags  TZ  FortiGuard-requests  Curr Lost  Total Lost  Updated Time
    210.7.96.12    30      92          9   707                  0          0           Mon Jul 28 06:25:40 2025
    210.7.96.14    30      92          9   707                  0          0           Mon Jul 28 06:25:40 2025
    210.7.96.13    30      92          9   707                  0          0           Mon Jul 28 06:25:40 2025
    210.7.96.11    30      92          9   708                  0          1           Mon Jul 28 06:25:40 2025
    83.231.212.84  110     151         1   708                  0          1           Mon Jul 28 06:25:40 2025
    83.231.212.85  110     151         1   707                  0          0           Mon Jul 28 06:25:40 2025

Related documents:
Troubleshooting Tip: FortiGate FortiGuard Servers
FortiOS Ports Guide v7.4.0