vpalli
Staff & Editor
Article Id 401008

 

Description This article explains how FortiGate calculates DNS latency for its configured system DNS servers.
Scope FortiGate.
Solution

As part of measuring latency to its system DNS servers, FortiGate adds a penalty whenever a DNS request has to be retried, since a retry signals that the server may be slow or unresponsive.

 

[Screenshot: System DNS Server.JPG]

 

Instead of simply marking the server as failed, FortiGate adjusts the Round Trip Time (RTT) upward using a penalty value of 1495 jiffies. This value is applied through a weighted formula, not as a hard replacement, which allows the system to gradually phase out underperforming DNS servers.

 

When a retransmission occurs, FortiGate assumes a worst-case delay and calculates a new RTT sample. This makes the new response time mostly based on the penalty value, which simulates a long delay, like a timeout. FortiGate then combines this with the previous response time to update the overall average. The result is a noticeable increase in RTT, discouraging the use of that DNS server without immediately removing it from the pool. 

This design is intentional. FortiGate does not immediately fail a DNS server due to one missed response. If poor performance continues, the RTT will climb with each retry, eventually marking the server as too slow, and if a server quickly recovers, its RTT will start decreasing again. 
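The following simulation is an added illustration of the weighted-penalty scheme described above; it is not FortiGate code. Only the 1495-jiffy penalty comes from the article. The smoothing weight (ALPHA), the "too slow" threshold and the sample query results are constructed assumptions, chosen to show how a run of retransmissions drives the displayed RTT far above the real network delay and how a recovering server drifts back down.

```python
# Added illustration of a weighted RTT penalty on DNS retransmission.
# ASSUMPTION: FortiGate's actual smoothing weight, the exact composition of
# the penalty sample and the "too slow" threshold are not given in the
# article; ALPHA, SLOW_THRESHOLD and the query results below are constructed
# for demonstration only. PENALTY_JIFFIES is the value stated in the article.

from dataclasses import dataclass, field
from typing import List, Optional

PENALTY_JIFFIES = 1495   # from the article: worst-case sample on retransmission
ALPHA = 0.5              # assumed weight given to the newest sample
SLOW_THRESHOLD = 1000    # assumed: smoothed RTT (jiffies) above which a server is "too slow"


@dataclass
class DnsServerStats:
    """Smoothed RTT tracking for one configured system DNS server."""
    name: str
    srtt: float = 0.0                                  # smoothed RTT in jiffies
    history: List[float] = field(default_factory=list)  # srtt after each query

    def record(self, measured_rtt: Optional[float]) -> float:
        """Fold one query result into the smoothed RTT and return it.

        measured_rtt is the observed round trip in jiffies, or None when the
        query timed out and had to be retransmitted. A retransmission is not
        treated as a failure; instead the sample is replaced by the penalty,
        which simulates a long delay and is blended into the running average.
        """
        sample = float(PENALTY_JIFFIES) if measured_rtt is None else float(measured_rtt)
        if not self.history:
            self.srtt = sample                           # first sample seeds the average
        else:
            self.srtt = (1 - ALPHA) * self.srtt + ALPHA * sample
        self.history.append(self.srtt)
        return self.srtt

    def too_slow(self) -> bool:
        """Assumed policy: a server is phased out once its smoothed RTT exceeds the threshold."""
        return self.srtt > SLOW_THRESHOLD


def simulate(name: str, results: List[Optional[float]]) -> DnsServerStats:
    """Replay a sequence of query results (jiffies, or None for a retransmission)."""
    stats = DnsServerStats(name)
    for rtt in results:
        stats.record(rtt)
    return stats


def climb_then_recover() -> List[float]:
    """Constructed scenario: two fast answers, three retransmissions, two fast answers."""
    server = simulate("dns-a (constructed)", [20, 20, None, None, None, 20, 20])
    return server.history


if __name__ == "__main__":
    stats = DnsServerStats("dns-a (constructed)")
    for rtt in [20, 20, None, None, None, 20, 20]:
        stats.record(rtt)
        flag = "TOO SLOW" if stats.too_slow() else "ok"
        shown = "retransmit" if rtt is None else f"{rtt} jiffies"
        print(f"{shown:>12} -> displayed RTT {stats.srtt:8.2f} jiffies [{flag}]")
```

Even though the network never took longer than 20 jiffies to answer when it did answer, the displayed RTT climbs past the assumed threshold after the second retransmission and only falls back once real answers resume, which is the behaviour the article describes.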

 

Therefore, the high DNS latency values shown in FortiGate may not be the actual network delays, but rather the outcome of its internal calculation process.

 

Related article:
Technical Tip: DNS Server shows Unreachable or high latency in GUI Dashboard even though it is pinga...