Created on 05-07-2019 06:01 AM
Edited on 01-19-2025 09:45 PM
By Anthony_E
Description
This article describes how to reduce high CPU usage on FortiGate caused by DNSproxy.
Scope
FortiGate.
Solution
DNSproxy can consume high CPU on FortiGate when the configured DNS server is a local/private DNS server.
To verify the CPU usage on FortiGate, run the following command:
diag sys top
The figure below shows that DNSproxy consumes a high CPU in FortiGate:
Troubleshooting (example):
Verify the configuration and see if the primary DNS on the FortiGate is an internal IP address as follows:
config system dns
show
config system dns
set primary 10.0.1.254 <----- This is not a global DNS server
set secondary 208.91.112.52
end
If the primary DNS is not a global/public DNS server, set the primary to a global/public DNS as follows:
config system dns
set primary 1.1.1.1
end
If the above settings do not help, disable destination-visibility:
config system network-visibility
set destination-visibility disable
end
After the configuration is finished, verify the CPU usage as follows:
diag sys top
The figure below shows that CPU usage by DNSproxy has reduced in FortiGate:
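The two checks above (is the configured DNS server a private address, and is dnsproxy the process burning CPU) can be automated against captured CLI output. The following is an added example, not Fortinet code; the sample texts are constructed, and the column layout assumed for `diag sys top` rows (name, PID, state, %CPU, %MEM) is an assumption about that output, not taken from the article.

```python
import ipaddress
import re

# Constructed sample of `show` under `config system dns` (mirrors the article's example).
SAMPLE_DNS_CONFIG = """\
config system dns
    set primary 10.0.1.254
    set secondary 208.91.112.52
end
"""

# Constructed `diag sys top` rows; the column order (name, pid, state, %CPU, %MEM)
# is an assumption about the output format, not something taken from the article.
SAMPLE_TOP = """\
Run Time:  3 days, 4 hours and 12 minutes
12U, 0N, 85S, 3I, 0WA, 0HI, 0SI, 0ST; 1999T, 1100F
dnsproxy     140      R      84.1     1.2
ipsengine    152      S       2.0     6.4
newcli      2042      R       0.9     0.9
"""

def dns_servers(config_text):
    """Return {'primary': ip, 'secondary': ip} parsed from `config system dns` output."""
    servers = {}
    for role, addr in re.findall(r"set\s+(primary|secondary)\s+(\S+)", config_text):
        servers[role] = ipaddress.ip_address(addr)
    return servers

def non_public_dns(config_text):
    """Roles whose server is not globally routable (RFC 1918 etc.), the condition
    the article ties to dnsproxy CPU load."""
    return sorted(role for role, ip in dns_servers(config_text).items() if not ip.is_global)

def process_cpu(top_text, name):
    """Return the %CPU column for process `name` from `diag sys top` rows, or None."""
    for line in top_text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[0] == name:
            try:
                return float(parts[3])
            except ValueError:
                continue
    return None

def dnsproxy_check(config_text, top_text, cpu_threshold=50.0):
    """Flag the article's scenario: dnsproxy hot AND a non-public DNS server configured."""
    cpu = process_cpu(top_text, "dnsproxy")
    bad_roles = non_public_dns(config_text)
    hot = cpu is not None and cpu >= cpu_threshold
    return {"dnsproxy_cpu": cpu, "non_public_dns": bad_roles, "likely_cause": hot and bool(bad_roles)}
```

Feed it the text of `show` under `config system dns` and a `diag sys top` capture; a `likely_cause` of True points at the DNS-server change described above before escalating.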
If the issue is not solved after taking the recommended actions, collect the outputs of the commands below and provide them to the FortiGate team for investigation:
Open two CLI windows: one to collect debug output, and the second to monitor DNS traffic with the packet sniffer.
CLI1:
diagnose debug disable
diagnose debug reset
diag debug application dnsproxy -1
diagnose debug enable
CLI2:
diagnose sniffer packet any 'udp port 53' 4
Copyright 2025 Fortinet, Inc. All Rights Reserved.