aishaqui
Contributor
Article Id 220344
Description

This article describes how to improve the FQDN re-query interval on FortiGate.

When the DNS server answers with round-robin or GSLB-based replies, the IP held in the FortiGate FQDN address object and the IP obtained by the client can differ, because the GSLB resolution changes every few seconds (4 or 5 seconds is common) and the traffic is therefore blocked.

Take the FQDN cfengine-package-repos.s3.amazonaws.com as an example. An nslookup of cfengine-package-repos.s3.amazonaws.com gives the following result.

Non-authoritative answer:
Name:    s3-w.us-east-1.amazonaws.com
Address:  52.216.102.115
Aliases:  cfengine-package-repos.s3.amazonaws.com
          s3-1-w.amazonaws.com

If Wireshark is run on the client machine and the DNS reply for s3-1-w.amazonaws.com is inspected, the TTL is 5 seconds or less.

Before v7.2.1 there was a hard-coded minimum FQDN re-query interval of 60 seconds. Starting from v7.2.1 this timer is configurable, so FortiGate can re-query the FQDN more frequently.

Scope
FortiGate v7.2.1 and later.
Solution

The 'fqdn-min-refresh' interval can be set between 10 and 3600 seconds.

config system dns
    set fqdn-min-refresh 10
end

The minimum refresh is the lowest allowed refresh time, i.e. the FQDN cache cannot refresh at an interval shorter than this value.

With this setting, FQDNs that require fast resolution can refresh at a faster rate without affecting other FQDNs that have longer TTL records.

Starting from FortiOS v7.4, a new setting, 'fqdn-max-refresh', governs the global upper limit of the FQDN refresh timer.

For FQDN entries whose time to live (TTL) exceeds the maximum refresh value, the refresh timer is adjusted down to this upper limit. This lets FortiGate cap how long it waits before querying DNS again for its FQDN addresses.

By default, the fqdn-max-refresh time is 3600 seconds, and the configurable range is 3600 to 86400 seconds.

config system dns
    set fqdn-max-refresh <integer value>
end

Note:
The fqdn-min-refresh and fqdn-max-refresh settings cannot be configured under vdom-dns.

Appendix:

Additionally, FortiGate updates an FQDN in its cache based on 'min_ttl' and 'min_refresh'.

As soon as an FQDN address is created, FortiGate resolves the FQDN to an IP address and writes that IP address together with its TTL into its cache.

CLI Command:

diagnose test application dnsproxy 6

In this example 'fqdn-min-refresh' is left at 60, which is the default value under 'config system dns'.

CLI Configuration:

config system dns
    set fqdn-min-refresh <integer>   <----- Default value 60 seconds (10 ~ 3600).
end

  • The Date and Time when the FQDN was newly created: 2024-05-30 21:31:14.
  • The Date and Time when the FQDN was resolved: 2024-05-30 21:31:16.

(Screenshot: FQDN_1.jpg)

  • A resolved IP address with TTL=30 (seconds) is written to the cache, and 'min_ttl' is set to 30 accordingly.
  • At this point, FortiGate calculates the next cycle for updating the existing FQDN by comparing 'min_ttl=30' and 'min_refresh=60'.
  • Since 'min_refresh=60' is larger than 'min_ttl=30', FortiGate uses 'min_refresh=60' to calculate the next cycle.
  • A margin of 5 seconds, which is not configurable, is subtracted when calculating the next cycle. The calculated value is 55 seconds (60 - 5).
  • Even though 'min_ttl=30' has already expired, there are still a few seconds left until the next cycle. The next cycle is due at 21:32:11 (21:31:16 + 55 seconds) based on the formula above.

(Screenshot: FQDN_2.jpg)

  • FortiGate sends a DNS query and updates its cache at 21:32:11.

(Screenshots: FQDN_3.jpg, FQDN_4.jpg)

Conversely, if the value of 'min_ttl' is larger than the value of 'min_refresh', the next cycle for updating the existing FQDN is based on the value of 'min_ttl'.

In this example the record has a TTL of 300, so the next cycle for updating the existing FQDN is set to 295 seconds (300 - 5):

(Screenshot: FQDN_5.jpg)
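The next-cycle calculation from the appendix, written out as an added Python model (not FortiOS code, and not part of the original article) so the two worked cases and the effect of lowering 'fqdn-min-refresh' for a low-TTL GSLB record can be checked. It assumes the 5-second margin is also applied after the 'fqdn-max-refresh' cap, which the article does not spell out for the capped case; the function and constant names are hypothetical.

```python
from datetime import datetime, timedelta

# Values taken from the article; the names are hypothetical helpers, not FortiOS commands.
MARGIN_SECONDS = 5                       # fixed, not configurable
FQDN_MIN_REFRESH_RANGE = (10, 3600)      # 'fqdn-min-refresh', default 60 (v7.2.1+)
FQDN_MAX_REFRESH_RANGE = (3600, 86400)   # 'fqdn-max-refresh', default 3600 (v7.4+)
RESOLVED_AT_EXAMPLE = datetime(2024, 5, 30, 21, 31, 16)  # resolution time in the appendix


def validate_settings(min_refresh: int, max_refresh: int) -> None:
    """Reject values outside the CLI ranges the article documents."""
    lo, hi = FQDN_MIN_REFRESH_RANGE
    if not lo <= min_refresh <= hi:
        raise ValueError(f"fqdn-min-refresh {min_refresh} outside {lo}-{hi}")
    lo, hi = FQDN_MAX_REFRESH_RANGE
    if not lo <= max_refresh <= hi:
        raise ValueError(f"fqdn-max-refresh {max_refresh} outside {lo}-{hi}")


def next_cycle_seconds(min_ttl: int, min_refresh: int = 60, max_refresh: int = 3600) -> int:
    """Seconds until FortiGate re-queries the FQDN, per the appendix.

    The larger of min_ttl and min_refresh is used; a TTL above max_refresh is
    capped to max_refresh. The 5-second margin is then subtracted (assumption:
    the margin is applied after the cap as well).
    """
    validate_settings(min_refresh, max_refresh)
    basis = max(min_ttl, min_refresh)
    basis = min(basis, max_refresh)
    return basis - MARGIN_SECONDS


def next_cycle_time(resolved_at: datetime, min_ttl: int, min_refresh: int = 60,
                    max_refresh: int = 3600) -> datetime:
    """Wall-clock time of the next DNS query for a record resolved at resolved_at."""
    return resolved_at + timedelta(seconds=next_cycle_seconds(min_ttl, min_refresh, max_refresh))


if __name__ == "__main__":
    # The two appendix cases with the default fqdn-min-refresh of 60
    for ttl in (30, 300):
        print(f"TTL={ttl:>3}s -> next query in {next_cycle_seconds(ttl)}s "
              f"at {next_cycle_time(RESOLVED_AT_EXAMPLE, ttl):%H:%M:%S}")
    # A 5-second GSLB record with fqdn-min-refresh lowered to 10, as in the Solution section
    print(f"TTL=  5s, min-refresh=10 -> next query in {next_cycle_seconds(5, min_refresh=10)}s")
```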