Article Id 197982



In some cases, the network appears not to work because the DNS server is down or only intermittently available. The DNS server is necessary to resolve domains/URLs to IP addresses.
If the DNS server is unable to resolve a domain, that domain will not be reachable by name.

This article assists with DNS troubleshooting.








There are 3 scenarios for DNS issues in the network:


  1. FortiGate is the DNS server: The PC is using the FortiGate interface as the DNS server.
  2. The PC is using a local DNS server: The PC is directly using a local DNS server in the network.
  3. The PC is using a public DNS server: The PC is directly using a public DNS server such as or

This troubleshooting guide focuses on Windows machines.
Open the command prompt and run the following:


ping <- Any domain which is not working.


Pinging to verifies internet connectivity. If the PC is able to ping, it means internet connectivity is working as expected.
The ping to is to verify DNS resolution. If the PC is able to ping but not, the DNS is not working.

Basically, Windows (or any machine) cannot resolve domains if any of the following conditions are true:
  • No Preferred/Alternate DNS Server is configured.
  • The DNS server is not reachable.
  • The DNS server did not respond to the DNS query.
  • The DNS server does not have the DNS record.
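
The four conditions above can be told apart from the client by sending one query to a chosen DNS server and reading the response code. The following Python script is an added example, not part of the original article or Fortinet code; the function names and the placeholder server address 192.0.2.53 are assumptions, and it queries over IPv4 UDP only.

```python
import socket
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, txid=0x1234):
    """Build a minimal DNS A-record query (recursion desired) for `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify_response(data, txid=0x1234):
    """Map a raw DNS response (or None) to one of the conditions listed above."""
    if data is None:
        return "no response: DNS server unreachable or not answering"
    if len(data) < 12:
        return "malformed response"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000:  # wrong transaction ID or QR bit not set
        return "malformed response"
    rcode = flags & 0x000F
    if rcode == 0 and ancount > 0:
        return "resolved"
    if rcode == 3 or (rcode == 0 and ancount == 0):
        return "server answered but has no record for this name"
    return "server answered with error " + RCODES.get(rcode, str(rcode))

def check(name, server, timeout=3.0):
    """Send one query to `server` on UDP port 53 and classify the outcome."""
    if not server:
        return "no DNS server configured"
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name), (server, 53))
            data, _ = s.recvfrom(4096)
        except OSError:  # timeout, ICMP unreachable, or no route
            data = None
    return classify_response(data)

if __name__ == "__main__":
    # 192.0.2.53 is a documentation-range placeholder; use the Preferred DNS server here.
    print(check("syarif-pc", "192.0.2.53"))
```

The name is sent exactly as typed, without the DNS suffix search that Windows applies to single-label names.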

First, check the Windows configuration as shown below:

The current adapter is using as the Preferred DNS server. is a public DNS server that will resolve public domains/URLs.
This public DNS cannot resolve local URLs/domain names.



ping syarif-pc

Because this URL/domain is introduced internally, a public DNS server like will not have this information.

However, can resolve the following addresses:
To check if the DNS is working, change the Preferred DNS server on the Windows machine and perform a domain ping test.
If the internal DNS server did not respond to the request, check on that DNS server.
Additionally, run the following debugging tasks on the FortiGate CLI for the ongoing DNS connection:


diagnose test application dnsproxy 3

Run the following sniffer:

diagnose sniffer packet any "port 53" 6 0 a

For further assistance, contact Fortinet support.


DNS resolution depends on the database of the DNS server in use.
If the DNS server has the requested information, it returns it to the client.
The scenarios outlined in this article apply to Windows machines.