FortiGate
gmanea
Staff
Article Id 194970

Description


This article describes the System DNS Server functionality.
Related document: DNS administration guide


Scope


FortiOS, FortiProxy.


Solution


This article focuses on the following configuration:


config system dns
    set primary <ip_address>
    set secondary <ip_address>
end


By default, FortiGate uses the following FortiGuard DNS servers, with DOT (DNS over TLS) enabled:

Primary: 96.45.45.45

Secondary: 96.45.46.46

Note that disabling DoT for these servers, or enabling DoH (DNS over HTTPS) on them, may produce unwanted results: resolution may fail, or these servers may no longer be prioritized.


The former default DNS servers, used without TLS, were:

Primary: 208.91.112.53

Secondary: 208.91.112.52

These servers can be changed.
By design, DNS requests are sent to whichever of the two servers has the lowest latency (for example, the primary server).
The secondary server is only used when the primary server (the one with the best response time) does not respond.
If the latency of the two servers is similar, the primary server is used.

However, if the primary server (the one in use) returns an error (for example, name not found), the FortiGate does not send the request to the secondary server (the one with the second best latency).
The latency to these servers often changes, so resolution results may differ over time.
As long as public servers with a very similar DNS database are used (even if a recent change has not been synchronized yet), there should be no problem. But if local DNS servers are used, it is necessary to make sure the name database is the same on both (tip: do not use one server for local domains and another server for public domains, as only one of them will receive the queries).

In certain cases, such a split setup is known to work.
This happens because the DNS response was cached earlier on the FortiGate, and the client receives the cached response.
But when the DNS server in use (the one with the lowest latency) does not have the IP for the given domain, and that IP is also not present in the FortiGate cache, a '504 DNS lookup error' is shown in the browser.
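To make the selection rule above concrete, the following added example (not from the article or from FortiOS) models it in Python: two servers with a latency and a name database, the FortiGate response cache, and the constructed split-DNS scenario the article advises against. The "similar latency" threshold, the server names and their records are assumptions.

```python
from dataclasses import dataclass, field

SIMILAR_LATENCY_MS = 5  # assumed "similar latency" threshold; not a FortiOS value

@dataclass
class DnsServer:
    name: str
    latency_ms: object  # None models a server that does not respond at all
    records: dict = field(default_factory=dict)

    def query(self, fqdn):  # -> ('ok', ip) | ('nxdomain', None) | ('timeout', None)
        if self.latency_ms is None:
            return ("timeout", None)
        return ("ok", self.records[fqdn]) if fqdn in self.records else ("nxdomain", None)

class FortiGateDns:
    """Server selection as described above, plus the FortiGate response cache."""
    def __init__(self, primary, secondary):
        self.primary, self.secondary, self.cache = primary, secondary, {}

    def preference(self):
        """Lowest latency first; similar latency means the primary is used."""
        p, s = self.primary, self.secondary
        if p.latency_ms is None or s.latency_ms is None:
            return [p, s] if s.latency_ms is None else [s, p]
        if abs(p.latency_ms - s.latency_ms) <= SIMILAR_LATENCY_MS:
            return [p, s]
        return sorted([p, s], key=lambda srv: srv.latency_ms)

    def resolve(self, fqdn):
        """Return (who answered, ip); ip is None when resolution fails."""
        if fqdn in self.cache:
            return ("cache", self.cache[fqdn])
        for srv in self.preference():
            status, ip = srv.query(fqdn)
            if status == "timeout":
                continue  # only a non-responding server triggers failover
            if status == "ok":
                self.cache[fqdn] = ip
            return (srv.name, ip)  # 'name not found' is NOT retried on the other server
        return ("none", None)

def split_dns_demo():
    """Constructed split setup the article warns against: local names only on the
    primary, public names only on the (faster) secondary."""
    local = DnsServer("local", 20, {"intranet.corp.example": "10.0.0.5"})
    public = DnsServer("public", 8, {"www.example.com": "203.0.113.10"})
    fg = FortiGateDns(primary=local, secondary=public)
    return {"intranet": fg.resolve("intranet.corp.example"),  # ('public', None)
            "www": fg.resolve("www.example.com")}             # ('public', '203.0.113.10')
```

The local name fails with an NXDOMAIN from the faster public server and is never retried on the primary, which is exactly the 504 case described above; the same model also shows that a cached answer survives a non-responding primary.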


Related articles:

Technical Tip: FortiGate DNS query preference when multiple DNS protocols are enabled 

Technical Tip: FortiGate Troubleshooting DNS commands 

Comments
sfernando
Staff


Hi Team,


Regarding the last paragraph of the article: can I know how the FortiGate can cache the DNS record if the DNS database and DNS server are not configured? As per my understanding, DNS requests should be directed to the configured DNS servers without being cached.


Thanks

Supem (sfernando)