Anybody notice very high CPU usage with DNSProxy?
I've seen it with at least one client.
I opened a call with TAC and haven't gotten much back as of yet as to if it's a bug or memory leak issue.
Through poking around myself (and trying to figure out why DNSProxy was high when I wasn't using the device for DNS), I determined the cause appeared to be some FQDN address objects. In total the device had about 15 or so defined. This was keeping DNSProxy running at over 50% CPU usage continually.
Once I modified the entries to IP (not the best solution as some are websites that could possibly change), the usage for DNSProxy dropped to almost nothing.
It's strange to me that 15 or so FQDNs could almost drive the firewall to its knees (this was another 200B).
Thanks,
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
hi,
DNSproxy is not directly connected to using the FGT as a nameserver. Rather, all named address objects which have to be resolved are cached after the first lookup.
For this the System DNS setting is used. Have you checked that the System DNS has a low latency for requests? It might be saturated and so the FGT would start multiple requests to it.
You should be able to sniff the local-out traffic on port 53 (udp/53 with src=FGT wan interface addr). Do you see the DNS sessions?
In the back of my memory I recall there was a DNS retention period parameter but I'm not sure about this.
Anyway, I've created an address group with 20 FQDNs and put that into a policy. dnsproxy was not seen in the first 20 top processes (~1 % CPU load)...on a 60B running v4.3.18. This might indicate that either the DNS resolution is faulty or the FOS version on your FGT has a bug.
This KB article on DNS troubleshooting should be useful. From the description though it sounds almost as if the fgt is going through a VPN tunnel to access the DNS servers. If this is the same client with the dual WAN connection, I am wondering if the fgt is configured with neutral DNS settings or if it is taking longer because it is failing on resolve look ups from the primary DNS server.
I think Ede maybe thinking of the cache-ttl option for firewall address object settings.
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Found it:
ede_pfau wrote:Found it:
config system dns
end source: online CLI Reference for v5.2 Hmmmmm - interesting - not sure it will help. I can confirm that the Fortigate is configured to use one AD DNS server and one external DNS server for DNS resolution. I've still not gotten much back from TAC on this as of yet. I don't think its coincidental that changing the entries from FQDN to IP address dropped the DNSProxy usage from 50% to 1.5% CPU usage. As far as the DNSProxy troubleshooting - I actually used that document when I was trying to figure out what was causing DNSProxy to drive the CPU to 50% and that was where I first saw the entries for the FQDN address objects which lead me to make the initial change.
This may not make sense in the context of the problem, but if we are dealing with 200Bs, I keep thinking it's a corrupted disk log. From our experience with 200Bs in the field, we had so many issues caused by bad flash we had to RMA them if a "exec formatlogdisk" doesn't restore functionally. Mind you the 200Bs in question are running 4.0 MR3 patch 18 (and we have already disabled disk writing on most of them).
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
I have the exact same issue with OS 5.2.2 and my FWF60D.
This is my FWF I use at home to
a) connect to tunnel into our company network (via IPsec vpn)
b) private internet access
The FWF60D is placed behind a cable router (AVM FritzBox 6490) from my ISP.
I have configured three local dns databases:
1) one for my "local" network (so I don't have to use ip-addresses to connect to my Synology NAS and other network components). In this scenario the fortigate is dns master for that particular domain.
2) one for the internal dns domains of our company (which uses the ip-addresses of our companys dns servers -> they are reachable via vpn).
3) one for the internal dns domain of the isp router (so I don't have to use ip-addresses to connect to the webfrontend).
Everythink works just fine, but the cpu usage is permanently at 100% (even if no one is at home!).
Due to the fact, that this is a homeoffice setup, I have no fancy policies configured.
The only difference to other similar setups is the use of the "local" dns database and the dns database for the isp router.
If I remove the dns database for the isp router, the CPU usage drops to ~2%.
But I don't understand why. Can someone explain to me why this is happening?
Regards Rene ---
[size="1"]FCNSA.v5, FCNSP.v5, FCESP[/size]
Home: FWF60D FortiAP 220B Office: FWF60C, FWF60D, FGT110C, FGT200B, FortiManager, FortiAnalyzer, FortiAP 220B
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1692 | |
1087 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.