Created on: 08-12-2024 11:38 PM
Edited on: 06-12-2025 10:10 PM
By: Jean-Philippe_P
Description
This article explains why the DNS server latency reported by FortiGate can show a value of 14000-15000 ms that does not reflect the server's real round-trip time.
Scope
FortiGate v7.0 to v7.4.4.
Solution
When a DNS request sent by FortiOS times out, FortiGate penalizes the server that failed to answer: for each timeout it adds 15 seconds (15000 ms) to the latency (RTT) recorded for that server. The purpose of this large value is to force the next queued DNS request to use the next active DNS server configured on the FortiGate, i.e. to trigger a failover.
The reported value is therefore not the real latency of that server. It indicates that the DNS server is likely busy and cannot reply to requests, or that there is a network problem on the path to it. The problematic server may still answer ICMP (ping) with normal latency, because ICMP is a different protocol and does not exercise the DNS service at all.
From the CLI:
diagnose test application dnsproxy 2
vfid=0 server=3.140.128.187 latency=10 updated=7474
vfid=0 server=3.143.64.169 latency=11 updated=1462
DNS UDP: req=381 res=281 fwd=439 cmp=26 retrans=147 to=75
After a timeout, the retransmission counter (retrans) increases and FortiGate raises the latency recorded for the server that did not answer:
vfid=0 server=3.140.128.187 latency=1049 updated=604
vfid=0 server=3.143.64.169 latency=16 updated=585
DNS UDP: req=382 res=282 fwd=441 cmp=26 retrans=148 to=75
The value keeps growing until it approaches 1500 ms. It then stays in that window for about 30 seconds, until the FortiGate probes the server again and updates the value:
vfid=0 server=3.140.128.187 latency=1454 updated=174
vfid=0 server=3.143.64.169 latency=12 updated=161
DNS UDP: req=386 res=286 fwd=447 cmp=26 retrans=150 to=75
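The following script is an added example, not part of the original article or of FortiOS. It parses two snapshots of the `diagnose test application dnsproxy 2` output shown above (the sample text is constructed from the article's output) and reports which server has acquired a timeout penalty, how much the retrans and timeout counters moved between the snapshots, and which server now has the lowest recorded latency. The 1000 ms threshold and the assumption that the lowest-latency server is the one FortiGate will prefer are the author's, not documented FortiOS behavior.

```python
import re

# Constructed sample snapshots of 'diagnose test application dnsproxy 2',
# modelled on the output shown in this article (not live device data).
SNAPSHOT_BEFORE = """\
vfid=0 server=3.140.128.187 latency=10 updated=7474
vfid=0 server=3.143.64.169 latency=11 updated=1462
DNS UDP: req=381 res=281 fwd=439 cmp=26 retrans=147 to=75
"""

SNAPSHOT_AFTER = """\
vfid=0 server=3.140.128.187 latency=1454 updated=174
vfid=0 server=3.143.64.169 latency=12 updated=161
DNS UDP: req=386 res=286 fwd=447 cmp=26 retrans=150 to=75
"""

# Assumption (not a FortiOS constant): a server whose recorded latency sits
# this far above the others is carrying a timeout penalty, not a measured RTT.
PENALTY_THRESHOLD = 1000

SERVER_RE = re.compile(r"vfid=(\d+)\s+server=(\S+)\s+latency=(\d+)\s+updated=(\d+)")
COUNTER_RE = re.compile(r"DNS UDP:\s*(.*)")


def parse_dnsproxy(text):
    """Return ({(vfid, server): {latency, updated}}, {counter_name: value})."""
    servers, counters = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        m = SERVER_RE.match(line)
        if m:
            vfid, server, latency, updated = m.groups()
            servers[(int(vfid), server)] = {"latency": int(latency), "updated": int(updated)}
            continue
        m = COUNTER_RE.match(line)
        if m:
            for field in m.group(1).split():
                name, value = field.split("=", 1)
                counters[name] = int(value)
    return servers, counters


def compare_snapshots(before, after, threshold=PENALTY_THRESHOLD):
    """Diff two snapshots: servers that crossed the penalty threshold,
    movement of the retrans/to counters, and the server with the lowest
    recorded latency (assumed here to be the one FortiGate will use next)."""
    s0, c0 = parse_dnsproxy(before)
    s1, c1 = parse_dnsproxy(after)
    penalized = sorted(
        server
        for (vfid, server), cur in s1.items()
        if cur["latency"] >= threshold
        and s0.get((vfid, server), {"latency": 0})["latency"] < threshold
    )
    preferred = min(s1, key=lambda k: s1[k]["latency"])[1] if s1 else None
    return {
        "penalized": penalized,
        "retrans_delta": c1.get("retrans", 0) - c0.get("retrans", 0),
        "timeout_delta": c1.get("to", 0) - c0.get("to", 0),
        "preferred": preferred,
    }


if __name__ == "__main__":
    result = compare_snapshots(SNAPSHOT_BEFORE, SNAPSHOT_AFTER)
    for server in result["penalized"]:
        print(f"{server}: recorded latency is a timeout penalty, not a measured RTT")
    print(f"retrans +{result['retrans_delta']}, timeouts +{result['timeout_delta']}, "
          f"lowest-latency server is now {result['preferred']}")
```

To use it against a real device, capture the command output twice (for example 30 seconds apart) and feed the two captures to compare_snapshots; a server that appears in the penalized list with a large jump in retrans is the one to investigate with a direct DNS query (not just ping) from the FortiGate.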
Note:
This behavior changes as of v7.4.4 and in v7.6.x.
Copyright 2025 Fortinet, Inc. All Rights Reserved.