Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
mattchow_FTNT
Staff
Staff

Created on ‎07-31-2022 09:46 PM Edited on ‎02-04-2025 06:58 AM By Moderator

Article Id 219170

Technical Tip: High latency on FortiGuard DNS servers

Description The article describes how to solve the high latency when a FortiGuard DNS server is used.
Scope

FortiGate.
Solution

Starting from firmware version 7.0 onwards, the 'Use FortiGuard Servers' DNS will be using the DNS over TLS by default, but some of the sites will have high latency even unreachable to FortiGuard DNS.

 

Note: In some cases, it shows high latency or unreachable as some known DNS servers don't support DNS over TLS. Some Internet Service Providers (ISPs) still use traditional DNS without encryption.

 

The DNS Protocols will be greyed out on GUI as shown below:

 

mattchow_FTNT_2-1659324441900.png

 

To change the different methods to reach FortiGuard DNS, for example, change default TLS(TCP/853) to DNS (UDP/53), it is possible to change using the CLI command below:

 

config system dns
    set protocol cleartext  <----- Default is dot (DNS over TLS).

end

mattchow_FTNT_3-1659324892208.png

 

Note:
The protocol can be changed via GUI. Switch DNS servers from 'Use FortiGuard Servers' to 'Specify' and the DNS protocols option will be available to choose from.

Screenshot 2025-02-01 141240.png
15074
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.