Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
duenlim
Staff
Staff

Created on ‎04-19-2023 10:52 PM Edited on ‎04-19-2023 10:53 PM By Community Manager

Article Id 252440

Technical Tip: FortiGate DNS forwarder retry and timeout values

Description This article discusses the DNS forwarder works.
Scope FortiGate DNS forwarder.
Solution

1) Two DNS forwarders are configured it will always use the first one.

2) If no response is received from the first one for five seconds it will try the next one on the list.

3) It will not work as a round robin when two DNS forwarders is in use.

 

PCAP shows the 1st list in DNS forwarder does not respond:

 

No. Time Source Src Port Destination Dst Port Protocol Length Info

8337 2023-04-15 18:17:33.232349 10.176.3.124 2763 10.176.1.12 53 DNS 77 Standard query 0x0004 A 852ww.example.com
8343 2023-04-15 18:17:38.236182 10.47.3.124 3319 8.8.4.4 53 DNS 77 Standard query 0x0004 A 852ww.example.com
8344 2023-04-15 18:17:38.248541 8.8.4.4 53 10.47.3.124 3319 DNS 133 Standard query response 0x0004 No such name A 852ww.example.com SOA ns.icann.org

 

4) When the first one is down the FortiGate will direct forward the DNS request to the second IP in approximately 25 seconds:

 

No. Time Source Src Port Destination Dst Port Protocol Length Info

8337 2023-04-15 18:17:33.232349 10.176.3.124 2763 10.176.1.12 53 DNS 77 Standard query 0x0004 A 852ww.example.com
8343 2023-04-15 18:17:38.236182 10.47.3.124 3319 8.8.4.4 53 DNS 77 Standard query 0x0004 A 852ww.example.com
8344 2023-04-15 18:17:38.248541 8.8.4.4 53 10.47.3.124 3319 DNS 133 Standard query response 0x0004 No such name A 852ww.example.com SOA ns.icann.org
8370 2023-04-15 18:17:54.593693 10.47.3.124 3319 8.8.4.4 53 DNS 77 Standard query 0x0004 A 855ww.example.com
8371 2023-04-15 18:17:54.605384 8.8.4.4 53 10.47.3.124 3319 DNS 133 Standard query response 0x0004 No such name A 855ww.example.com SOA ns.icann.org
8375 2023-04-15 18:17:55.679424 10.176.3.124 3319 10.176.1.12 53 DNS 77 Standard query 0x0005 AAAA 856ww.example.com
8377 2023-04-15 18:17:56.580464 10.47.3.124 3319 8.8.4.4 53 DNS 77 Standard query 0x0005 AAAA 855ww.example.com
8378 2023-04-15 18:17:56.589702 8.8.4.4 53 10.47.3.124 3319 DNS 133 Standard query response 0x0005 No such name AAAA 855ww.example.com SOA ns.icann.org
8383 2023-04-15 18:17:58.681969 10.47.3.124 3319 8.8.4.4 53 DNS 77 Standard query 0x0004 A 856ww.example.com

 

Note:

There will be no impact at all in the beginning when 1st forwarder is down because the DNS requests will send to the secondary forwarder if there's no reply from 1st forwarder.
983
0 Kudos
Submit Article Idea
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.