Description

This article describes how to reduce high CPU usage on FortiGate caused by DNSproxy.

Scope

FortiGate.

Solution

DNSproxy consumes high CPU in FortiGate when the DNS server is configured as a local/private DNS server.

To verify the CPU usage in FortiGate, run the following commands:

diag sys top

The figure below shows that DNSproxy consumes a high CPU in FortiGate:

Troubleshooting (example):
Verify the configuration and see if the primary DNS on the FortiGate is an internal IP address as follows:

config system dns
    show

config system dns
    set primary 10.0.1.254                       <----- This is not a global DNS server
    set secondary 208.91.112.52
end

If the primary DNS is not a global/public DNS server, set the primary to a global/public DNS as follows:

config system dns
    set primary 1.1.1.1
end

If the above settings do not help disable destination-visibility:

    config system network-visibility

       set destination-visibility disable

    end

After the configuration is finished, verify the CPU usage as follows:

diag sys top

The figure below shows that CPU usage by DNSproxy has reduced in FortiGate:

After taking the recommended actions if the issue is not solved, collect the outputs of the below commands and provide them to the FortiGate team for investigation:

Open two CLI windows separately, one CLI window to collect debugs, and the second CLI window to monitor DNS traffic with Sniffer.

CLI1:

diagnose debug disable

diagnose debug reset

diag debug application dnsproxy -1

diagnose debug enable

CLI2:

diagnose sniffer packet any 'udp port 53' 4