hhasny
Staff
Article Id 365942
Description This article describes the behavior of DNS status in an HA cluster.
Scope FortiGate v7.2.x, v7.4.x and v7.6.0.
Solution

In an HA cluster, only the unit in the primary role uses the configured DNS servers for name resolution. The unit in the standby (secondary) role sends its name-resolution queries to the primary unit instead.


In the following example, FG01 is the primary unit, and FG02 is the secondary unit.

Screenshot: get sys ha status output

Below are the DNS settings.

Screenshots: FG01 DNS settings, FG02 DNS settings

The output of 'diagnose test application dnsproxy 2' on FG01 shows the configured DNS servers:

Screenshot: FG01 diagnose test application dnsproxy 2

On FG02, the same command shows 169.254.0.2, which is the IP of the FG01 port_ha (heartbeat) interface.

Screenshot: FG02 diagnose test application dnsproxy 2


DNS traffic is present on the heartbeat interface in a FortiGate HA setup, as the secondary FortiGate uses the heartbeat IP to send DNS queries to the primary for name resolution.

For example, when FortiAnalyzer Cloud is configured for cloud logging, the secondary FortiGate, even while in passive mode, continues to send DNS requests to the primary over the heartbeat link to resolve cloud service names.

2025-12-08 15:53:49.149080 port_ha in 169.254.0.2.3206 -> 169.254.0.1.53: udp 81
2025-12-08 15:53:49.149085 port_ha out 169.254.0.2.3206 -> 169.254.0.1.53: udp 81
2025-12-08 15:53:49.819570 port_ha in 169.254.0.1.53 -> 169.254.0.2.3206: udp 156
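As an added illustration (not part of the original article), the following Python script parses sniffer lines in the format shown above and labels each UDP/53 packet seen on port_ha as the expected secondary-to-primary query, the expected reply, or DNS traffic involving an address that is not the HA peer. The heartbeat addresses and interface name are taken from the capture above; the fourth sample line is constructed to show the unexpected case, and the "peer-only" rule is an assumption for this cluster.

```python
import re
from collections import Counter

# Sniffer line layout as it appears in the article:
# "<date> <time> <iface> <in|out> <src>.<sport> -> <dst>.<dport>: <proto> <len>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<iface>\S+) (?P<dir>in|out) "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) -> "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<proto>\w+) (?P<len>\d+)$"
)

# Heartbeat addresses from the article's capture (assumed fixed for this cluster).
PRIMARY_HB = "169.254.0.1"
SECONDARY_HB = "169.254.0.2"
HB_IFACE = "port_ha"

def parse_line(line):
    # Return a dict of fields for one sniffer line, or None if it does not match.
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pkt = m.groupdict()
    pkt["sport"], pkt["dport"] = int(pkt["sport"]), int(pkt["dport"])
    return pkt

def classify(pkt):
    """Label a parsed packet against the expected secondary -> primary DNS pattern."""
    if pkt is None or pkt["iface"] != HB_IFACE or pkt["proto"] != "udp":
        return "ignored"
    if 53 not in (pkt["sport"], pkt["dport"]):
        return "non-dns-heartbeat"
    if pkt["src"] == SECONDARY_HB and pkt["dst"] == PRIMARY_HB and pkt["dport"] == 53:
        return "expected-query"
    if pkt["src"] == PRIMARY_HB and pkt["dst"] == SECONDARY_HB and pkt["sport"] == 53:
        return "expected-reply"
    return "unexpected-dns"  # DNS on the heartbeat link to/from a non-peer address

def summarize(lines):
    # Count how many lines fall into each category.
    return Counter(classify(parse_line(line)) for line in lines)

# Constructed sample: the three lines from the article plus one made-up line
# in which a query on port_ha is sent to an address that is not the peer.
SAMPLE = """\
2025-12-08 15:53:49.149080 port_ha in 169.254.0.2.3206 -> 169.254.0.1.53: udp 81
2025-12-08 15:53:49.149085 port_ha out 169.254.0.2.3206 -> 169.254.0.1.53: udp 81
2025-12-08 15:53:49.819570 port_ha in 169.254.0.1.53 -> 169.254.0.2.3206: udp 156
2025-12-08 15:53:50.000000 port_ha in 169.254.0.2.4000 -> 192.0.2.10.53: udp 60
""".splitlines()

if __name__ == "__main__":
    for label, count in sorted(summarize(SAMPLE).items()):
        print(f"{label}: {count}")
```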