After an FQDN address is configured in FortiGate, FortiGate will send DNS requests to the configured DNS servers for the FQDN. The resolved IP address will be stored in dnsproxy cache. This is because FortiGate needs to know the IP addresses of the configured FQDNs for checking if traffic matches the policy where FQDN address objects are configured.

If the upstream device detects that FortiGate is sending DNS requests, it is the expected behavior. The more FQDNs are configured, the more DNS requests from FortiGate will be seen.

For example,

1. 'aws.com' FQDN address was configured:

config firewall address

    edit "aws.com"

        set type fqdn

        set fqdn "aws.com"

    next

end

2. Then sniffer in FortiGate showed that FortiGate regularly sent DNS requests to resolve the IP address of 'aws.com' from the configured DNS servers:

3. The IP address of 'aws.com' was stored in the dnsproxy cache which would be used for functions like matching firewall policies where FQDN was configured.

FGT # diagnose test application dnsproxy 6

...

2025-02-14 11:29:57 vfid=0 name=aws.com ver=IPv4 wait_list=0 timer=19 min_refresh=60 min_ttl=60 cache_ttl=0 slot=-1 num=4 wildcard=02025-02-14 11:29:57

2025-02-14 11:29:57 2025-02-14 11:29:57 13.249.213.97 (ttl=60:25:25)2025-02-14 11:29:57 13.249.213.102 (ttl=60:25:25)2025-02-14 11:29:57 13.249.213.83 (ttl=60:25:25)2025-02-14 11:29:57 13.249.213.37 (ttl=60:25:25)2025-02-14 11:29:57

Related document:

DNS troubleshooting