FortiGate
imohdishak
Staff
Article Id 195383

Description


This article describes how to reduce high CPU usage on FortiGate caused by DNSproxy.


Scope

FortiGate.

Solution


DNSproxy consumes high CPU on FortiGate when the system DNS server is configured as a local/private DNS server.

To verify the CPU usage on FortiGate, run the following command:

diag sys top

The figure below shows that DNSproxy consumes a high CPU in FortiGate:


Troubleshooting (example):

Verify the configuration and check whether the primary DNS on the FortiGate is an internal IP address, as follows:


config system dns
    show

config system dns
    set primary 10.0.1.254                       <--- This is not a global DNS server
    set secondary 208.91.112.52
end

If the primary DNS is not a global/public DNS server, set the primary to a global/public DNS server as follows:

config system dns
    set primary 1.1.1.1
end
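As an added illustration (not part of the original article and not Fortinet code), the following Python script applies the two checks above to constructed sample output: it parses 'diag sys top' to see whether dnsproxy is at or above a CPU threshold, and parses 'config system dns' output to flag any primary or secondary server that is not a global/public address (RFC 1918 and other non-routable ranges, as judged by Python's ipaddress module). The sample outputs, the 20% threshold and the function names are assumptions made for the example.

```python
import ipaddress
import re

# Constructed sample of 'diag sys top' output, modelled on the FortiGate
# column layout (process, PID, state, CPU%, MEM%). Not captured from a real unit.
SAMPLE_TOP = """\
Run Time:  3 days, 4 hours and 21 minutes
2U, 0N, 1S, 97I, 0WA, 0HI, 0SI, 0ST; 3961T, 2210F
          dnsproxy      248      R      41.3     0.8
         ipsengine      301      S <     0.6     4.2
           cmdbsvr      217      S       0.2     1.4
"""

# Constructed sample of the same command after the DNS change (dnsproxy idle).
SAMPLE_TOP_AFTER = """\
Run Time:  3 days, 4 hours and 40 minutes
0U, 0N, 1S, 99I, 0WA, 0HI, 0SI, 0ST; 3961T, 2240F
         ipsengine      301      S <     0.5     4.2
          dnsproxy      248      S       0.3     0.8
"""

# Constructed sample of 'config system dns' / 'show' output with a private primary.
SAMPLE_DNS_BEFORE = """\
config system dns
    set primary 10.0.1.254
    set secondary 208.91.112.52
end
"""

# The same configuration after the primary has been changed to a public resolver.
SAMPLE_DNS_AFTER = """\
config system dns
    set primary 1.1.1.1
    set secondary 208.91.112.52
end
"""

# One per-process line: name, PID, state (optionally followed by '<'), CPU%, MEM%.
TOP_LINE = re.compile(r"^\s*(\S+)\s+(\d+)\s+([A-Z](?:\s*<)?)\s+([\d.]+)\s+([\d.]+)\s*$")
DNS_LINE = re.compile(r"^\s*set (primary|secondary) (\S+)\s*$")


def parse_top(text):
    """Map process name -> CPU percent for every per-process line of diag sys top."""
    procs = {}
    for line in text.splitlines():
        m = TOP_LINE.match(line)
        if m:
            procs[m.group(1)] = float(m.group(4))
    return procs


def hot_processes(text, threshold=20.0):
    """Names of processes at or above the CPU threshold (the threshold is an assumed value)."""
    return sorted(name for name, cpu in parse_top(text).items() if cpu >= threshold)


def parse_dns(text):
    """Map 'primary'/'secondary' -> server address from config system dns output."""
    servers = {}
    for line in text.splitlines():
        m = DNS_LINE.match(line)
        if m:
            servers[m.group(1)] = m.group(2)
    return servers


def non_public_servers(servers):
    """DNS roles whose address is not globally routable (private, loopback, link-local ...)."""
    return [role for role, ip in servers.items()
            if not ipaddress.ip_address(ip).is_global]


def assess(top_text, dns_text, threshold=20.0):
    """Combine both checks into a list of findings; an empty list means nothing to act on."""
    findings = []
    if "dnsproxy" in hot_processes(top_text, threshold):
        findings.append("dnsproxy CPU usage is above %.0f%%" % threshold)
        servers = parse_dns(dns_text)
        for role in non_public_servers(servers):
            findings.append("%s DNS %s is not a global/public server" % (role, servers[role]))
    return findings


if __name__ == "__main__":
    print("before:", assess(SAMPLE_TOP, SAMPLE_DNS_BEFORE) or ["no findings"])
    print("after: ", assess(SAMPLE_TOP_AFTER, SAMPLE_DNS_AFTER) or ["no findings"])
```

On the "before" samples the script reports both the high dnsproxy CPU and the private primary server; on the "after" samples it reports nothing. The DNS check only runs when dnsproxy is actually hot, which mirrors the article's order of operations: a private DNS server is only treated as the likely cause once the CPU symptom has been confirmed.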


After the configuration is finished, verify the CPU usage again as follows:

diag sys top

The figure below shows that CPU usage by DNSproxy has reduced in FortiGate:

If the issue persists after taking the recommended actions, collect the outputs of the commands below and provide them to the FortiGate team for investigation:

Open two separate CLI windows: use the first to collect the debug output, and the second to monitor DNS traffic with the sniffer.

CLI1:

diagnose debug disable
diagnose debug reset
diag debug application dnsproxy -1
diagnose debug enable

CLI2:

diagnose sniffer packet any 'udp port 53' 4