FortiGate devices can be configured to use DNS forwarders for resolving domain names. When multiple DNS forwarders are specified, FortiGate follows a sequential order for resolving queries rather than distributing requests in a round-robin fashion.
- When two DNS forwarders are configured, FortiGate always sends the query to the first one.
- If no response is received from the first forwarder within five seconds, FortiGate tries the next one on the list.
- The forwarders are never used in round-robin fashion, even when two are configured.
The PCAP below shows that the first DNS forwarder on the list (10.176.1.12) does not respond, and the query is re-sent to the second forwarder (8.8.4.4) after five seconds:
No. Time Source Src Port Destination Dst Port Protocol Length Info
8337 2023-04-15 18:17:33.232349 10.176.3.124 2763 10.176.1.12 53 DNS 77 Standard query 0x0004 A 852ww.example.com
8343 2023-04-15 18:17:38.236182 10.47.3.124 3319 8.8.4.4 53 DNS 77 Standard query 0x0004 A 852ww.example.com
8344 2023-04-15 18:17:38.248541 8.8.4.4 53 10.47.3.124 3319 DNS 133 Standard query response 0x0004 No such name A 852ww.example.com SOA ns.icann.org
- When the first forwarder is down, the FortiGate forwards subsequent DNS requests directly to the second IP within approximately 25 seconds:
No. Time Source Src Port Destination Dst Port Protocol Length Info
8337 2023-04-15 18:17:33.232349 10.176.3.124 2763 10.176.1.12 53 DNS 77 Standard query 0x0004 A 852ww.example.com
8343 2023-04-15 18:17:38.236182 10.47.3.124 3319 8.8.4.4 53 DNS 77 Standard query 0x0004 A 852ww.example.com
8344 2023-04-15 18:17:38.248541 8.8.4.4 53 10.47.3.124 3319 DNS 133 Standard query response 0x0004 No such name A 852ww.example.com SOA ns.icann.org
8370 2023-04-15 18:17:54.593693 10.47.3.124 3319 8.8.4.4 53 DNS 77 Standard query 0x0004 A 855ww.example.com
8371 2023-04-15 18:17:54.605384 8.8.4.4 53 10.47.3.124 3319 DNS 133 Standard query response 0x0004 No such name A 855ww.example.com SOA ns.icann.org
8375 2023-04-15 18:17:55.679424 10.176.3.124 3319 10.176.1.12 53 DNS 77 Standard query 0x0005 AAAA 856ww.example.com
8377 2023-04-15 18:17:56.580464 10.47.3.124 3319 8.8.4.4 53 DNS 77 Standard query 0x0005 AAAA 855ww.example.com
8378 2023-04-15 18:17:56.589702 8.8.4.4 53 10.47.3.124 3319 DNS 133 Standard query response 0x0005 No such name AAAA 855ww.example.com SOA ns.icann.org
8383 2023-04-15 18:17:58.681969 10.47.3.124 3319 8.8.4.4 53 DNS 77 Standard query 0x0004 A 856ww.example.com
- FortiGate does not proactively check DNS server availability; it only marks a server as non-responsive after a timeout.
- If the primary DNS server fails, FortiGate does not switch to the secondary immediately; it follows its timeout and retry logic first.
- Plan DNS redundancy with this behavior in mind so that resolution delays stay minimal.
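To make the failover behavior in the captures above measurable rather than eyeballed, here is an added Python script; it is not from Fortinet or this article. It parses capture rows in the text layout shown above and reports, per query, whether the first forwarder answered, how long the fallback to the second forwarder took, and whether the query was sent straight to the second forwarder. It assumes the column order of the captures above, only A/AAAA queries with either a normal or a "No such name" response, and the forwarder order 10.176.1.12 then 8.8.4.4 taken from the capture; the sample rows are copied from the page.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Forwarder order as it appears in the captures above (assumption: primary first).
PRIMARY = "10.176.1.12"
SECONDARY = "8.8.4.4"
FORWARDERS = [PRIMARY, SECONDARY]
TIMEOUT_S = 5.0  # per-forwarder wait described in the text

# Constructed sample: rows copied from the captures above, one packet per line.
SAMPLE_CAPTURE = """\
8337 2023-04-15 18:17:33.232349 10.176.3.124 2763 10.176.1.12 53 DNS 77 Standard query 0x0004 A 852ww.example.com
8343 2023-04-15 18:17:38.236182 10.47.3.124 3319 8.8.4.4 53 DNS 77 Standard query 0x0004 A 852ww.example.com
8344 2023-04-15 18:17:38.248541 8.8.4.4 53 10.47.3.124 3319 DNS 133 Standard query response 0x0004 No such name A 852ww.example.com SOA ns.icann.org
8370 2023-04-15 18:17:54.593693 10.47.3.124 3319 8.8.4.4 53 DNS 77 Standard query 0x0004 A 855ww.example.com
8371 2023-04-15 18:17:54.605384 8.8.4.4 53 10.47.3.124 3319 DNS 133 Standard query response 0x0004 No such name A 855ww.example.com SOA ns.icann.org
8375 2023-04-15 18:17:55.679424 10.176.3.124 3319 10.176.1.12 53 DNS 77 Standard query 0x0005 AAAA 856ww.example.com
"""

# Matches the capture column layout used above; the trailing SOA data of a response is ignored.
LINE_RE = re.compile(
    r"^(?P<no>\d+) (?P<date>\S+) (?P<time>\S+) (?P<src>\S+) (?P<sport>\d+) "
    r"(?P<dst>\S+) (?P<dport>\d+) DNS (?P<len>\d+) Standard query(?P<resp> response)? "
    r"(?P<txid>0x[0-9a-fA-F]+) (?:No such name )?(?P<qtype>A|AAAA) (?P<qname>\S+)"
)


@dataclass
class Packet:
    ts: datetime
    src: str
    dst: str
    is_response: bool
    txid: str
    qtype: str
    qname: str


def parse_line(line):
    """Parse one capture row into a Packet; raises on rows outside the assumed layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised capture line: {line!r}")
    ts = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S.%f")
    return Packet(ts, m["src"], m["dst"], m["resp"] is not None,
                  m["txid"], m["qtype"], m["qname"])


def rank(addr, forwarders):
    """Position of a forwarder in the configured list; unknown addresses sort last."""
    return forwarders.index(addr) if addr in forwarders else len(forwarders)


def analyze(capture, forwarders=FORWARDERS):
    """Group packets per query and describe how each one was served."""
    packets = sorted((parse_line(l) for l in capture.splitlines() if l.strip()),
                     key=lambda p: p.ts)
    # The FortiGate reuses transaction ids across names (0x0004 above appears for
    # two different names), so txid alone is not a safe key.
    by_key = {}
    for p in packets:
        by_key.setdefault((p.txid, p.qtype, p.qname), []).append(p)
    report = {}
    for key, pkts in by_key.items():
        queries = [p for p in pkts if not p.is_response]
        answered_by = {p.src for p in pkts if p.is_response}
        first = queries[0]
        first_rank = rank(first.dst, forwarders)
        # First retransmission that moved further down the forwarder list.
        failover = next((q for q in queries if rank(q.dst, forwarders) > first_rank), None)
        report[key] = {
            "first_forwarder": first.dst,
            "primary_skipped": first_rank > 0,
            "primary_unresponsive": first_rank == 0 and forwarders[0] not in answered_by,
            "failover_delay_s": (failover.ts - first.ts).total_seconds() if failover else None,
            "answered_by": sorted(answered_by),
        }
    return report


def failover_summary(report):
    """Counts a defender would alert on: how often the primary had to be bypassed."""
    delays = [r["failover_delay_s"] for r in report.values() if r["failover_delay_s"] is not None]
    return {
        "queries_failed_over": len(delays),
        "queries_sent_straight_to_secondary": sum(r["primary_skipped"] for r in report.values()),
        "queries_unanswered_by_primary": sum(r["primary_unresponsive"] for r in report.values()),
        "max_failover_delay_s": max(delays) if delays else 0.0,
    }


if __name__ == "__main__":
    rep = analyze(SAMPLE_CAPTURE)
    for key, row in rep.items():
        print(key, row)
    print(failover_summary(rep))
```

On the sample rows the 852ww query shows the five-second wait on the first forwarder before the retransmission to 8.8.4.4, the 855ww query shows the later "straight to the second forwarder" behavior, and the AAAA query to 10.176.1.12 shows the FortiGate probing the first forwarder again with no answer in the capture. Running this over a longer export from the same FortiGate is a quick way to confirm whether resolution delays are caused by the first forwarder timing out.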
Note:
There is no impact at all at the beginning when the first forwarder is down, because DNS requests are sent to the secondary forwarder if no reply is received from the first forwarder.