Problem Statement:

• FortiGate is configured with an internal DNS (primary) server and a FortiGuard server (secondary).
• Internal users are unable to browse the specific website www.bsp.gov.ph, while other public websites such as Google, and YouTube which is accessible.
• Internal traffic is not affected.
• Packet capture in FortiGate only shows the syn packet sent, but no return syn-ack from the website for the URL. The DNS queries are sent to the internal DNS server.
• The machine is configured with internal DNS. Ping the URL www.bsp.gov.ph its request timeout, whereas NSLOOKUP resolves to a single IP address.
• If specifying DNS to 8.8.8.8 in the user machine, the website is accessible, and NSLOOKUP resolves to multiple IP addresses.

Solution:

• It seems the problem with the internal DNS server either it cannot resolve the URL correctly or does not have a record for the DNS query that it received for the URL.
• In this case, adding a secondary forwarder to the DNS server will resolve the issue. Forwarders are DNS servers that this server can use to resolve DNS queries for records that this server cannot resolve.

• Here is the reference link on how to configure the forwarder in the DNS server:

Configure DNS Forwarders – Windows Server 2016 · ReadAndExecute