FortiGate
mbanica
Staff
Article Id 416441
Description This article describes how FortiGate units may periodically generate DNS queries for the root zone ('.') toward the configured system DNS servers.
These queries can appear in DNS server logs as unusual or invalid and may trigger alerts or cause minor performance degradation on internal DNS resolvers.
This behavior is expected and originates from the FortiGate’s internal dnsproxy process, which handles system-level DNS lookups such as FortiGuard connectivity checks and FQDN object resolution.
Scope All FortiGate models and FortiOS versions, including standalone and HA deployments, when system DNS servers are defined under config system dns.
Solution

This behavior is normal and does not indicate a malfunction or security issue.
The dnsproxy process periodically sends root ('.') DNS queries as part of its cache validation and reachability tests.

Options to reduce alerts or impact:

  1. If the FortiGate uses internal DNS servers, configure the resolver to silently ignore or de-prioritize root ('.') queries.

  2. Alternatively, configure the FortiGate to use public DNS resolvers (for example, 1.1.1.1 or 8.8.8.8) for system DNS lookups, sourced from the management interface.

  3. In HA environments with ha-mgmt-interfaces enabled, each unit may independently generate these queries—this is expected.
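As an added example (not Fortinet's code and not part of the original article), the following Python script shows the resolver-side triage that option 1 calls for: it reads BIND-style query-log lines, separates root ('.') queries coming from known FortiGate addresses (expected, per the dnsproxy behaviour described above) from root queries arriving from any other source, and leaves ordinary queries alone. The log lines, the assumed log format, and the FortiGate addresses 192.0.2.1 and 192.0.2.2 are all constructed for illustration; adapt the regular expression to your resolver's log format and the address set to your own units (in an HA pair with ha-mgmt-interfaces, list every member's management address).

```python
import re
from collections import Counter

# Constructed BIND-style query-log sample (not from the article). The two
# FortiGate units are assumed to sit at 192.0.2.1 and 192.0.2.2; the hosts in
# 198.51.100.0/24 stand in for ordinary internal clients.
SAMPLE_LOG = """\
01-Jan-2025 10:00:01.123 client @0x7f1 192.0.2.1#53412 (.): query: . IN NS +E(0) (192.0.2.53)
01-Jan-2025 10:00:02.456 client @0x7f2 198.51.100.7#40001 (www.example.com): query: www.example.com IN A +E(0) (192.0.2.53)
01-Jan-2025 10:00:03.789 client @0x7f3 192.0.2.2#53413 (.): query: . IN NS +E(0) (192.0.2.53)
01-Jan-2025 10:00:04.000 client @0x7f4 198.51.100.9#40002 (.): query: . IN NS +E(0) (192.0.2.53)
"""

# Assumed set of FortiGate source addresses whose root queries are expected.
FORTIGATE_IPS = {"192.0.2.1", "192.0.2.2"}

# Matches the "client [@0x...] <ip>#<port> (<qname>): query: <name> <class> <type>"
# portion of a BIND query-log line; the leading timestamp is ignored.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[^#\s]+)#\d+ \((?P<qname>[^)]*)\): "
    r"query: (?P<name>\S+) (?P<class>\S+) (?P<type>\S+)"
)


def parse_line(line):
    """Return a dict with ip, name, class and type for a query-log line, or None."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "name": m.group("name"),
        "class": m.group("class"),
        "type": m.group("type"),
    }


def is_root_query(entry):
    """A query for the root zone is logged with the bare name '.' (or empty)."""
    return entry["name"] in (".", "")


def triage(log_text, fortigate_ips):
    """Classify query-log lines.

    Returns a dict with:
      expected_root   - Counter of root queries per known FortiGate address
      unexpected_root - Counter of root queries per any other source address
      other           - number of non-root queries (left alone)
    """
    result = {"expected_root": Counter(), "unexpected_root": Counter(), "other": 0}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # not a query line; skip
        if not is_root_query(entry):
            result["other"] += 1
            continue
        bucket = "expected_root" if entry["ip"] in fortigate_ips else "unexpected_root"
        result[bucket][entry["ip"]] += 1
    return result


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG, FORTIGATE_IPS)
    for ip, n in sorted(summary["expected_root"].items()):
        print(f"expected root query from FortiGate {ip}: {n} (suppress)")
    for ip, n in sorted(summary["unexpected_root"].items()):
        print(f"root query from non-FortiGate source {ip}: {n} (review)")
    print(f"non-root queries: {summary['other']}")
```

Feeding the resolver's query log through triage() lets an alert rule suppress only the root-zone queries that originate from the FortiGate management addresses, while root queries from any other host still reach the analyst.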