FortiGate
kgeorge (Staff)
Article Id 420892
Description

This article explains how to resolve intermittent website access issues caused by DNS latency when SD-WAN is configured.

Scope

FortiGate, SD-WAN, DNS.

Solution

When latency to the configured DNS servers is high or inconsistent, FortiGuard services are impacted, and in turn websites are reached only intermittently.

DNS issues directly affect the web filter profile: website rating lookups run into problems, and the affected websites are blocked.

Generally, the issues with inconsistent DNS servers are seen when SD-WAN is configured.

Tweaking the DNS settings on the FortiGate helps resolve this problem.

  1. CLI Configuration (Failover Mode - Recommended for Stability):

config system dns
    set server-select-method failover
end

This prioritizes the primary DNS server and falls back to the secondary server only on failure.

  2. Alternative: Least-RTT Mode (For Dynamic WANs):

config system dns
    set server-select-method least-rtt
end

This automatically selects the lowest-latency server per query. Test both modes during off-peak hours.


Switch between 'failover' and 'least-rtt' in the above DNS settings to check which one works better. To learn more about DNS query sequences, refer to Technical Tip: FortiGate DNS query preference when multiple DNS protocols are enabled.

Note: In the SD-WAN Performance SLA, create a health-check entry with the Ping protocol whose server is the FortiGuard DNS server IPs or the DNS server IPs used in the DNS settings, so that DNS reachability and latency are measured on each SD-WAN member.
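As an added example (not part of the original article), the DNS settings and the Performance SLA note above brought together in one CLI configuration: the DNS servers with failover selection, and an SD-WAN health check that pings those same DNS server IPs over each member. The health-check name, interval, fail/recovery counts, SLA latency threshold, member sequence numbers and the placeholder IPs are assumptions; replace `<primary-dns-ip>` and `<secondary-dns-ip>` with the FortiGuard DNS server IPs or the DNS servers configured under `config system dns`. Syntax follows FortiOS 7.x.

```text
# Added example, not from the article: DNS servers with failover selection.
# Replace <primary-dns-ip> / <secondary-dns-ip> with your DNS server IPs.
config system dns
    set primary <primary-dns-ip>
    set secondary <secondary-dns-ip>
    set server-select-method failover
end

# SD-WAN Performance SLA that pings the same DNS server over each member.
# Name, timings, threshold and member sequence numbers are assumptions.
config system sdwan
    config health-check
        edit "dns-latency"
            set server "<primary-dns-ip>"
            set protocol ping
            set interval 500
            set failtime 5
            set recoverytime 5
            set members 1 2
            config sla
                edit 1
                    set link-cost-factor latency
                    set latency-threshold 250
                next
            end
        next
    end
end
```

After applying it, `diagnose sys sdwan health-check` (FortiOS 7.x) shows the measured latency, jitter and packet loss towards the DNS server on each member; compare those figures with the website access behaviour before deciding whether to switch from 'failover' to 'least-rtt'.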