FortiGate
KC_Hing
Staff
Article Id 331766
Description

This article describes how to identify DNS high latency issues in FortiGate.

Scope

FortiGate.

Solution

The FortiGate DNS latency is a round-trip time calculated from the DNS query and the response returned by the DNS server. It includes the time taken for the DNS query to reach the DNS server, the DNS resolution at the DNS server, and the DNS response to get back to the FortiGate.

 

Below is an example of a troubleshooting scenario.

 

  1. FortiGate can reach the corresponding DNS server without a connectivity issue.

 

FGT# exec ping 96.45.45.45
PING 96.45.45.45 (96.45.45.45): 56 data bytes
64 bytes from 96.45.45.45: icmp_seq=0 ttl=57 time=8.5 ms
64 bytes from 96.45.45.45: icmp_seq=1 ttl=57 time=8.3 ms
64 bytes from 96.45.45.45: icmp_seq=2 ttl=57 time=8.7 ms
64 bytes from 96.45.45.45: icmp_seq=3 ttl=57 time=8.9 ms

 

  2. The DNS server shows high latency or an intermittently unreachable status.

    FGT# diag test application dnsproxy 2

    DNS latency info:
    vfid=0 server=96.45.45.45 latency=1344 updated=1755
    vfid=0 server=96.45.46.46 latency=1456 updated=3942

Note:

From v7.0.2, it is possible to add a DNS status widget in the Dashboard to check the latency.


[Image: DNS status widget on the Dashboard]

FGT# diagnose test application dnsproxy 3

DNS servers:
96.45.45.45:53 vrf=0 tz=0 encrypt=none req=16462790 to=10917569 res=0 rt=1494 ready=1 timer=0 probe=0 failure=2 last_failed=300
96.45.46.46:53 vrf=0 tz=0 encrypt=none req=2050940 to=1424553 res=0 rt=1494 ready=1 timer=0 probe=0 failure=7 last_failed=235

 

  3. Run a packet capture and analyze the PCAP file; it shows many 'Server failure' and 'No such name' responses in the DNS replies.

     

    34 0.036068 96.45.45.45 10.47.2.186 DNS 87 Standard query response 0xb020 Server failure A tiendapablus.net OPT
    924 0.000636 96.45.45.45 10.47.2.186 DNS 97 Standard query response 0xc3d0 Server failure A globalbusinessprotocol.com OPT
    937 0.017813 96.45.45.45 10.47.2.186 DNS 89 Standard query response 0x1f21 Server failure A offroadrampage.com OPT
    950 0.096312 96.45.45.45 10.47.2.186 DNS 87 Standard query response 0xb7f8 Server failure A tiendapablus.net OPT
    ...
    904 0.001793 96.45.45.45 10.47.2.186 DNS 147 Standard query response 0x7e53 No such name A cisco-helpdesk.cf SOA a.ns.cf OPT
    915 0.016935 96.45.45.45 10.47.2.186 DNS 154 Standard query response 0x54fa No such name A twlnco.com SOA a.gtld-servers.net OPT
    916 0.000877 96.45.45.45 10.47.2.186 DNS 160 Standard query response 0x7456 No such name A swiftbankint.com SOA a.gtld-servers.net OPT
    917 0.000857 96.45.45.45 10.47.2.186 DNS 155 Standard query response 0x8353 No such name A alamarcosmetics.xyz SOA ns0.centralnic.net OPT

     

In the example above, check the firewall FQDN address object configurations to ensure the URL addresses and domains are valid and resolvable.
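The checks in steps 2 and 3 can be applied to saved CLI and capture output. The following Python script is an added example, not code from the original article or a Fortinet tool: it parses constructed 'diagnose test application dnsproxy 3' output and capture summary lines modelled on the ones above, flags servers whose rt value or timeout-to-request ratio (to/req) exceeds thresholds that are assumptions for this example, and counts the names returning 'Server failure' or 'No such name'.

```python
import re
from collections import Counter

# Constructed sample, modelled on the 'diagnose test application dnsproxy 3' output above
DNSPROXY3_SAMPLE = """\
DNS servers:
96.45.45.45:53 vrf=0 tz=0 encrypt=none req=16462790 to=10917569 res=0 rt=1494 ready=1 timer=0 probe=0 failure=2 last_failed=300
96.45.46.46:53 vrf=0 tz=0 encrypt=none req=2050940 to=1424553 res=0 rt=1494 ready=1 timer=0 probe=0 failure=7 last_failed=235
"""

# Constructed sample, modelled on the packet-capture summary lines above
PCAP_SAMPLE = """\
34 0.036068 96.45.45.45 10.47.2.186 DNS 87 Standard query response 0xb020 Server failure A tiendapablus.net OPT
950 0.096312 96.45.45.45 10.47.2.186 DNS 87 Standard query response 0xb7f8 Server failure A tiendapablus.net OPT
904 0.001793 96.45.45.45 10.47.2.186 DNS 147 Standard query response 0x7e53 No such name A cisco-helpdesk.cf SOA a.ns.cf OPT
915 0.016935 96.45.45.45 10.47.2.186 DNS 154 Standard query response 0x54fa No such name A twlnco.com SOA a.gtld-servers.net OPT
"""

# One 'ip:port' token followed by key=value counters
SERVER_RE = re.compile(r"^(?P<server>[\d.]+):\d+\s+(?P<kv>(?:\w+=\S+\s*)+)$")
# Response code and queried name from a Wireshark-style summary line
RCODE_RE = re.compile(r"response 0x[0-9a-f]+ (Server failure|No such name) A (\S+)")


def parse_dnsproxy3(text):
    """Map each DNS server IP to its counters (req, to, rt, failure, ...)."""
    servers = {}
    for line in text.splitlines():
        m = SERVER_RE.match(line.strip())
        if not m:
            continue  # header line such as 'DNS servers:'
        fields = {}
        for pair in m.group("kv").split():
            key, val = pair.split("=", 1)
            fields[key] = int(val) if val.lstrip("-").isdigit() else val
        servers[m.group("server")] = fields
    return servers


def flag_servers(servers, rt_limit=500, timeout_ratio=0.5):
    """Flag servers with a high rt or a high to/req ratio (both thresholds are assumptions)."""
    flagged = {}
    for ip, f in servers.items():
        ratio = round(f["to"] / f["req"], 2) if f.get("req") else 0.0
        reasons = [r for r, hit in (("high rt", f.get("rt", 0) > rt_limit),
                                    ("timeouts", ratio > timeout_ratio)) if hit]
        if reasons:
            flagged[ip] = (ratio, reasons)
    return flagged


def failing_names(summary):
    """Count 'Server failure' / 'No such name' replies per (name, response code)."""
    return Counter((m.group(2), m.group(1)) for m in map(RCODE_RE.search, summary.splitlines()) if m)
```

Names that repeatedly return 'No such name' are the ones to compare against the configured FQDN address objects.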

 

Related article:

Technical Tip: Clarifying differences between 'diagnose test application dnsproxy 2' information in ...