Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
kjay
Staff
Staff

Created on ‎12-24-2025 10:07 AM

Article Id 424327

Technical Tip: DNS cache behavior and how FortiGate handles DNS queries before/after dns-cache-ttl expiration

Description This article describes how FortiGate processes DNS queries when DNS cache is available and how the behavior changes before and after the dns-cache-ttl timer expires.
It also covers how to verify the DNS query flow using CLI commands and packet captures.
Scope FortiGate.
Solution

FortiGate maintains an internal DNS cache whenever DNS queries pass through the unit.
When a DNS response is cached, FortiGate tracks:

  • Original TTL returned by the external DNS server
  • Remaining time before the internal cache expires
  • dns-cache-ttl value configured in the config system dns

 

The following sections describe the query flow, how to monitor it, and how to validate it with packet captures.

 

Configuration:

 

To speed up verification during testing, the dns-cache-ttl value is reduced to 60 seconds:

 

config system dns

    set primary 96.45.45.45

    set secondary 96.45.46.46

    set dns-cache-ttl 60

end

 

Test scenario:


PC1 sends a DNS query for 'naver.com':

 

nslookup.jpg

 

FortiGate receives the query, forwards it to the DNS servers configured under system.dns, and then caches the returned response.

 

Verify DNS cache on the FortiGate:

 

dnsproxy.jpg

 

The TTL field consists of three values in the following format :

 

<DNS TTL> : <Remaining FortiGate cache TTL> : <dns-cache-ttl>

 

In this case:

  • 54 = Original DNS TTL received from DNS server.
  • 51 = Remaining internal cache lifetime.
  • 57 = Allowed cache lifetime based on dns-cache-ttl setting (the cache will be deleted when this timer expires).

 

PC2 sends a DNS query for the same domain 'naver.com'; two behaviors can occur depending on the cache status

When dns-cache-ttl has NOT expired:

  • FortiGate responds directly from cache.
  • No packet is forwarded to the upstream DNS servers.
  • PC2 receives an immediate response from FortiGate.

This can be confirmed via packet capture:

  • No DNS query is observed, leaving the WAN interface.
  • Only internal DNS queries exist (from PC2 → FortiGate).

 

q2.jpg

 

When dns-cache-ttl HAS expired:

  • Cached entry is removed
  • A new cache entry is created after receiving a DNS response

Packet capture will show:

  • DNS query from FortiGate -> Upstream DNS server.
  • DNS response returned to FortiGate.
  • FortiGate is forwarding the result to PC2.

 

q1.jpg

 

Expected observations:

Cache State PC → FGT FGT → DNS Behavior
Cache valid Yes No FortiGate answers directly
Cache expired Yes Yes FortiGate re-queries DNS

 

Summary:

  • FortiGate caches DNS responses until the configured dns-cache-ttl expires.
  • While the cache is valid, FortiGate responds locally without forwarding to upstream DNS.
  • When dns-cache-ttl expires, the cache is deleted, and FortiGate re-queries the DNS servers.
Labels:
45
0 Kudos
Suggest New Article
Article Feedback
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.