Technical Tip: How to use the FQDN address object in FortiGate when the DNS resolution is changing dynamically

In cases where Websites with multiple servers have a load balanced between multiple locations, the DNS resolution can change dynamically. This may lead the DNS resolution of the user to not coincide with the DNS resolution of the FortiGate for a specific FQDN address.

In this case, the user will create a connection request with an IP that does not match the IP resolved by the Firewall for the same domain name and the connection will be dropped by the Firewall.

Given that FortiGate uses the system DNS server to resolve the IP address for FQDN objects, there could be two potential solutions to this issue:

• Ensure that FortiGate and the user machine are using the same external DNS servers (e.g. setting FortiGate system DNS and the user DHCP/DNS servers to be the same), or:
• Configure the FortiGate as a DNS server and then configure the user to send DNS requests to FortiGate.

Below are the steps to configure the FortiGate as a DNS forwarder:

• Go to Network -> DNS Servers and create a New DNS service.
• Select the interface on which the service will be listening.
• Select the mode Forward to System DNS.

This will ensure that DNS resolution for the user and the FortiGate will be the same, resulting in incoming traffic from the user reliably matching the intended policy.

If it is not possible to change the DNS server for the user, it may be possible to instead modify the address object to cache the resolved IPs for longer to workaround this issue.

This is covered under this article: Technical Tip: How to deal with FQDN with short DNS TTL