FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 224872
Description This article describes the basic troubleshooting when  a DNS rating error is encountered (no available FortiGuard SDNS servers).
Scope FortiOS firmware 6.0 and above.

SDNS servers are DNS servers used by DNS filter profiles.

The DNS lookup requests will be sent to the FortiGuard DNS service and resolve end-user queries with an IP address and a domain rating that includes the FortiGuard category of the web page.

The SDNS server IP address might be different depending on location.  


The default FortiDNS server located in USA (IP address:, and the in the London server, UK (IP address:


Follow the steps below  the DNS rating error is appaearing (no available FortiGuard SDNS servers):


By default, FortiGate uses UDP port 53 to connect to the SDNS server.


1) Verify the connection between FortiGate and the SDNS server:

- Run below command to verify the FortiGuard SDNS server.


#diagnose test application dnsproxy 3

- From the output of above command, check the FGD_DNS_SERVICE_LICENSE line.The SDNS server IP address might be different depending on location.

In this example, it is:



- Verify the communication between the FortiGate and the SDNS server.

In the CLI Console:


# execute ping





If VDOM is enabled, run the command under management VDOM.


2) Modify the FortiGuard setting through CLI console:



# config system fortiguard
    set fortiguard-anycast disable
    set protocol udp
    set port 8888
    set sdns-server-ip




The North American server should work in most cases.

However, it is possible to switch to the European server (IP address: to see if it improves latency.


This command can be used to check the DNS proxy status. Use '?' to list down the Test level.


# diagnose test application dnsproxy ?

  1. Clear DNS cache
  2. Show stats
  3. Dump DNS setting
  4. Reload FQDN
  5. Requery FQDN
  6. Dump FQDN
  7. Dump DNS cache
  8. Dump DNS DB
  9. Reload DNS DB
  10. Dump secure DNS policy/profile
  11. Dump Botnet domain
  12. Reload Secure DNS setting
  13. Show Hostname cache
  14. Clear Hostname cache
  15. Show SDNS rating cache
  16. Clear SDNS rating cache
  17. DNS debug bit mask
  18. Restart dnsproxy worker

Related documents:


This is very informative and helpful. Kudos to the Author!