FortiGate
emmanouilg
Staff
Article Id 213280
Description This article explains the default cache-ttl of FQDN firewall address objects and how it relates to the global DNS cache TTL.
Scope This article's scope is to explain what happens when the default cache-ttl (0) is used, and how to keep a resolved address for longer.
Solution

An FQDN address object under 'config firewall address' has its own cache-ttl. The default value of 0 means the per-object value is ignored and the global dns-cache-ttl is used instead.

The global value is found under 'config system dns > set dns-cache-ttl' and defaults to 1800 seconds.

This is a global setting that applies to all DNS queries handled by the FortiGate's DNS proxy: each answer is cached for 1800 seconds.

 

FortiGate re-resolves FQDN objects based on these timers, whether or not the object is currently used by any traffic.

For the FQDN cache:

The DNS proxy cache keeps previous resolutions until the cache TTL expires, as stated above, but FQDN address objects do not rely on that cache. For example, if firewallgeeks.com first resolves to 1.2.3.4 with a DNS record TTL of 20 seconds while the global DNS cache TTL is 1800 seconds, the FQDN address keeps 1.2.3.4 for 20 seconds, not for 30 minutes.
 
If the previous resolution needs to be kept for longer, change cache-ttl under the specific FQDN address configuration.

From v7.0.16 onward and in v7.2.x, a global 'fqdn-cache-ttl' setting has been added under 'config system dns'. With it, the resolved IP addresses of FQDN objects can be kept for a long time irrespective of the TTL sent by the DNS server. In addition, each FQDN can store up to 3000 addresses; this limit is hard-coded.
 

fqdn-cache-ttl: FQDN cache time to live (TTL), in seconds (0 - 86400, default = 0).

This is the amount of time an FQDN's address record can live if it is not refreshed. The setting applies globally, across all VDOMs, to FQDN addresses whose own cache-ttl is left unspecified (0). If cache-ttl is configured on an FQDN address, it supersedes fqdn-cache-ttl for that address.

 

For example, configure the FQDN cache TTL in the global VDOM:

config system dns
    set fqdn-cache-ttl 2000
end
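The following is an added example, not part of the original article, that puts the per-FQDN cache-ttl described earlier and the global fqdn-cache-ttl shown above side by side with the DNS proxy cache setting, in order of precedence. The address name firewallgeeks.com and the TTL values are illustrative assumptions; only the setting names and ranges come from the article and the FortiOS CLI.

```text
# Added example: the three TTL settings and the order in which they apply.
# firewallgeeks.com and the numeric values are assumptions for illustration.

# 1. Global DNS proxy cache (global scope, default 1800 s).
#    FQDN address objects do not honour this value by themselves; with
#    neither setting below configured they follow the TTL in the DNS answer.
config system dns
    set dns-cache-ttl 1800
end

# 2. Global fallback for FQDN address objects whose own cache-ttl is 0.
#    Global scope, applies across all VDOMs. Range 0-86400 s, default 0.
config system dns
    set fqdn-cache-ttl 2000
end

# 3. Per-object override (highest precedence, VDOM scope). Range 0-86400 s.
#    With cache-ttl 0 the object falls back to fqdn-cache-ttl when that is
#    non-zero, otherwise to the TTL sent by the DNS server.
config firewall address
    edit "firewallgeeks.com"
        set type fqdn
        set fqdn "firewallgeeks.com"
        set cache-ttl 3600
    next
end

# Verify which addresses an FQDN object currently holds (run in the VDOM):
# diagnose firewall fqdn list
```

With this configuration firewallgeeks.com keeps its resolved addresses for 3600 seconds regardless of the 20-second record TTL in the earlier example, while any other FQDN object left at cache-ttl 0 keeps its addresses for 2000 seconds. Check the result with the diagnose command after the next refresh rather than assuming the timer took effect immediately.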

 

Related document: