FortiGate
Article Id 196211
Description

This article describes the FortiGate's DNS query behaviour when the default DNS configuration is left unchanged, and how to resolve DNS queries that fail as a result.

Scope

FortiGate, FortiGuard.

Solution

If the default DNS configuration is left unchanged, DNS queries initiated by the FortiGate itself may fail because the unit cannot resolve names through the default servers (for example, when those servers are not reachable from the unit).

This can in turn cause the FortiGate unit and FortiGuard AntiSpam to misidentify legitimate mail as spam.

The default FortiGate DNS configuration is intended to resolve FortiGuard service addresses and to cover other DNS requirements while the FortiGate unit is being installed. The default DNS servers are 96.45.45.45 and 96.45.46.46.

DNS settings are configured in the FortiGate GUI under Network -> DNS.

[Screenshot: dns1.png, the Network -> DNS page showing the default FortiGuard DNS servers]

A common issue arises when the default DNS servers are used. FortiGuard AntiSpam and the related spam-filtering checks, such as the HELO DNS lookup and the Return e-mail DNS check, depend on DNS queries to evaluate a message. If those queries fail while a message is being examined, the reverse DNS check may be recorded as failed even when the message should legitimately pass.

As a result, the FortiGate may misclassify legitimate email as spam, and, depending on the configured action, such messages are then either tagged as spam or discarded by the FortiGate unit.

To resolve the failing DNS queries, change the DNS configuration as follows:

Navigate to the FortiGate GUI -> Network -> DNS and specify new primary and secondary DNS server IP addresses.

For example, a DNS server on the local network or an internal DNS server can be used, provided the FortiGate can reach it and it is able to resolve public names such as the FortiGuard service hostnames (an internal resolver that only answers for internal zones will not fix the FortiGuard lookups):

[Screenshot: dns2.png, the Network -> DNS page with internal DNS servers specified]
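As an added example that is not part of the original article, the same change made from the FortiOS CLI, which is useful when the GUI is not reachable or when the fix has to be applied to several units. The addresses 10.10.10.53 and 10.10.10.54 are placeholders for internal DNS servers and must be replaced with resolvers the FortiGate can actually reach:

```text
config system dns
    set primary 10.10.10.53
    set secondary 10.10.10.54
end

show system dns

execute ping update.fortiguard.net
```

`show system dns` confirms that the new servers were committed. `execute ping` with a hostname forces the unit to resolve that name through the configured servers, so whether or not the ping itself is answered, the first line of output shows whether the FortiGuard hostname resolved. If it still does not resolve, the chosen servers are either unreachable from the FortiGate or do not resolve public names, and the HELO DNS lookup and Return e-mail DNS check will keep failing for the same reason.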