Solution
FortiGate has two sub-types of Address objects that operate based on DNS FQDNs: standard FQDN Address objects (which are configured with a single FQDN like 'www.fortinet.com') and Wildcard FQDN Address objects (which are configured with a wildcard FQDN like '*.fortinet.com').
Both types of FQDN address objects take a configured input of an FQDN and then dynamically map it to the associated IP address(es) resolved via DNS. However, each sub-type handles this FQDN to IP mapping process differently:
- Standard FQDN Address objects can be resolved by the FortiGate by querying a DNS server for the FQDN directly.
- Wildcard FQDN Address objects cannot be resolved directly by the FortiGate, since the wildcard itself is not a valid FQDN. Instead, the FortiGate inspects user-generated DNS traffic passing through it and populates the Wildcard FQDN object with the results of any queried FQDNs that match the wildcard (e.g., *.fortinet.com would include results for www.fortinet.com, community.fortinet.com, etc.).
FQDN Address objects do not store the resolved IP addresses indefinitely. Instead, they are cached for a period of time that is determined by the following global and per-object override settings:
Global Settings:
config system dns
    set fqdn-cache-ttl <0-86400, default = 0>
    set fqdn-max-refresh <3600-86400, default = 3600>
    set fqdn-min-refresh <10-3600, default = 60>
end
The above settings were first introduced in v7.2.1 via Change #799523 and are described as follows:
- fqdn-cache-ttl - FQDN cache time to live in seconds.
    - By default this value is set to 0, which means that the FortiGate sets the cache time in seconds to match the TTL specified on the DNS record itself.
- fqdn-max-refresh - FQDN cache maximum refresh time in seconds.
    - This value sets the global upper limit to wait before refreshing an FQDN Address object. The FortiGate determines when to re-query DNS for a given FQDN object by choosing the shorter of the DNS TTL and the fqdn-max-refresh time.
    - For example, a 5-minute DNS record TTL will result in the FortiGate re-querying just before the 5-minute mark (i.e., several seconds before the TTL expires), since 5 minutes is shorter than fqdn-max-refresh. If the DNS TTL were 24 hours, the FortiGate would re-query DNS after 3600 seconds (equal to fqdn-max-refresh) rather than waiting for 24 hours to pass.
- fqdn-min-refresh - FQDN cache minimum refresh time in seconds.
    - This value sets the global lower limit to wait before refreshing an FQDN Address object. By default, the FortiGate waits at least 60 seconds before refreshing an FQDN Address object, but some DNS records have TTLs shorter than 60 seconds. Lowering fqdn-min-refresh may allow the FortiGate to better handle DNS records with short TTLs.
Per-Object Settings:
config firewall address
    edit <name>
        set cache-ttl <0-86400, default = 0>
    next
end
Important Notes regarding the above settings:
- The cache-ttl setting allows administrators to override the global fqdn-cache-ttl on a per-object basis, and the default value of 0 means that the object inherits the fqdn-cache-ttl time (which itself may be 0, in which case the FortiGate uses the DNS record's own TTL as the cache time).
- The fqdn-cache-ttl setting is not the same as dns-cache-ttl, which is also found under config system dns. The dns-cache-ttl setting has no impact on the cache timing of FQDN Address objects at all (it affects other, non-Address object related DNS caching).
- The refresh/re-query time is not linked to the caching time. For example, if the FQDN 'test.example.com' has a DNS TTL of 20 seconds, then by default (set fqdn-cache-ttl 0 and set cache-ttl 0) the FortiGate caches the entry for only 20 seconds, matching the TTL. However, if fqdn-min-refresh is left at the default of 60 seconds, there will be a 40-second window in each cycle where the FortiGate has no IP address associated with the FQDN Address object.
- To solve this problem, it is recommended to reduce fqdn-min-refresh to below the DNS record TTL (if possible) and/or increase the cache-ttl significantly beyond the DNS record TTL. The former solution may allow the FortiGate to re-query the FQDN before it expires, whereas the latter solution keeps the FQDN/IP addresses in the cache for a longer period of time (long enough where a 60 second re-query is acceptable).
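The interaction between the re-query interval (fqdn-min-refresh / fqdn-max-refresh vs. DNS TTL) and the cache lifetime (cache-ttl / fqdn-cache-ttl / DNS TTL) described above, modelled as a small calculator. This is an added example, not Fortinet code; it assumes the FortiGate re-queries at exactly the shorter of the DNS TTL and fqdn-max-refresh (ignoring the "several seconds early" margin) and that the clamp to fqdn-min-refresh is applied afterwards.

```python
from dataclasses import dataclass


@dataclass
class FqdnSettings:
    # config system dns (global settings, FortiOS defaults)
    fqdn_cache_ttl: int = 0       # 0 = cache for the DNS record's own TTL
    fqdn_max_refresh: int = 3600
    fqdn_min_refresh: int = 60
    # config firewall address / set cache-ttl (per-object override)
    cache_ttl: int = 0            # 0 = inherit fqdn_cache_ttl


def refresh_interval(s: FqdnSettings, dns_ttl: int) -> int:
    """Seconds between DNS re-queries: the shorter of the DNS TTL and
    fqdn-max-refresh, but never below fqdn-min-refresh (assumed model)."""
    return max(s.fqdn_min_refresh, min(dns_ttl, s.fqdn_max_refresh))


def cache_lifetime(s: FqdnSettings, dns_ttl: int) -> int:
    """Seconds a resolved IP stays in the object: per-object cache-ttl,
    else global fqdn-cache-ttl, else the DNS record TTL."""
    if s.cache_ttl:
        return s.cache_ttl
    if s.fqdn_cache_ttl:
        return s.fqdn_cache_ttl
    return dns_ttl


def unresolved_window(s: FqdnSettings, dns_ttl: int) -> int:
    """Seconds per refresh cycle during which the object holds no IP (0 = no gap)."""
    return max(0, refresh_interval(s, dns_ttl) - cache_lifetime(s, dns_ttl))


def simulate(s: FqdnSettings, dns_ttl: int, horizon: int) -> list:
    """Second-by-second timeline from t=0: True where the object has a cached IP.
    A query happens at t=0 and every refresh_interval seconds; each result is
    kept for cache_lifetime seconds."""
    refresh = refresh_interval(s, dns_ttl)
    life = cache_lifetime(s, dns_ttl)
    return [(t % refresh) < life for t in range(horizon)]


if __name__ == "__main__":
    ttl = 20  # constructed: a DNS record with a 20-second TTL, as in the text
    for label, cfg in [("defaults", FqdnSettings()),
                       ("min-refresh 10", FqdnSettings(fqdn_min_refresh=10)),
                       ("cache-ttl 300", FqdnSettings(cache_ttl=300))]:
        print(f"{label:15s} gap per cycle = {unresolved_window(cfg, ttl)}s")
```

Running it shows the 40-second gap under defaults and no gap with either mitigation from the text.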
- Wildcard FQDN Address objects are not directly resolved by the FortiGate; they are instead resolved based on user-generated DNS traffic passing through the FortiGate. If users do not send DNS queries for a matching FQDN for a long period of time, entries may expire from the Wildcard FQDN cache, which can lead to traffic impacts.
- Similar to standard FQDN Address objects, significantly increasing the cache-ttl or global fqdn-cache-ttl can resolve this issue by allowing the FortiGate to cache DNS entries for much longer, which can help stabilize the cache in-between user-driven DNS refreshes.
- FQDN Address objects can store up to 3000 IP addresses each as a hard-coded limit.