Mirza_Asad2723
New Contributor II

FortiGate DNS Status Showing in RED with High ms

Dear Concern,

I am using FortiGuard as the DNS server on my FortiGate, but today its status is showing as RED with high latency, as shown in the pasted capture.

Capture.JPG01.JPG

Previously, it was showing GREEN. Additionally, when I use Google's DNS like 8.8.8.8 or 8.8.4.4, it shows unreachable, as shown in pasted capture.

Capture.JPG02.JPG

I have checked the internet, and it is working perfectly with proper browsing through the same ISPs that are terminated on the firewall.

For my second test: when I use Google's DNS servers on the FortiGate, like 8.8.8.8 or 8.8.4.4, these IP addresses ping from the FortiGate CLI without any packet loss, while the DNS tab in the FortiGate firewall shows them as unreachable, as in the picture above.

Capture.JPG04.JPG

However, when I ping a domain name like google.com, it doesn't work, meaning the DNS is not resolving.

Capture.JPG05.JPG

Then, when I bypass the FortiGate firewall and check by directly connecting the ISP link to my laptop, both the IP address and the domain name are pinging successfully.

Kindly help me diagnose and resolve this issue.

srajeswaran
Staff

Looks like the UDP port 53 communication is blocked.

Can you try changing to TCP and check?

image.png

Do you have any local-in policies configured?

show firewall local-in-policy

Regards,
Suraj
Mirza_Asad2723

Dear Suraj,

Thanks for your response and suggestion.

Following your suggestion, I noticed that UDP was disabled in the DNS protocol settings,

Capture.JPG06.JPG

so I enabled it.

Capture.JPG07.JPG

After that, 8.8.8.8 or 8.8.4.4 are no longer unreachable, but the latency is still varying between yellow and red, and the status hasn't turned green yet.

Capture.JPG08.JPG

Furthermore, can I enable TLS along with UDP since TLS is more secure?

Or is there any other alternative option that could resolve the latency issue while also utilizing a security protocol?

srajeswaran

Now the issue is with network latency. Can you ping 8.8.4.4 and check the latency?
I am expecting similar latency; if that's the case, it's not a DNS issue but a network issue.

Can you also try the default FortiGuard DNS servers? 96.45.45.45

TLS and UDP DNS are two different settings and do not work together.

Regards,
Suraj
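The checks Suraj asks for across his two replies (raw latency to the resolver, the FortiGuard default server, the local-in policy table, and the current DNS settings), written out as a constructed FortiOS CLI session. This is an added example, not commands or output from the thread; the resolver addresses are the public ones already named above, and the `#` lines are annotations, not FortiOS output.

```text
# Constructed FortiOS CLI session (added example, not from the thread).

# 1. Measure plain ICMP latency to the same resolver the DNS tab reports on.
#    If the ping RTT is as high as the DNS tab shows, the slow path is the
#    network, not the DNS service (Suraj's point in his second reply).
execute ping-options repeat-count 10
execute ping 8.8.4.4

# 2. Compare with the FortiGuard default resolver Suraj suggests.
execute ping 96.45.45.45

# 3. List local-in policies; these filter traffic addressed to the FortiGate
#    itself, which is what DNS replies to the unit's own queries are.
show firewall local-in-policy

# 4. Show the resolver settings in force (servers, protocol, source-ip).
get system dns
```

Read the two ping results side by side: similar RTTs on both resolvers point at the ISP path, while a single slow resolver points at that server or the route to it.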
AEK
SuperUser

Hi Mirza

Do you have 2 IP addresses configured on your WAN interface?

If so then you should configure the right source-ip under "config system dns" command.

AEK
Mirza_Asad2723
New Contributor II

Dear AEK,

Yes, secondary IP addresses are also defined on the WAN interface, meaning I have defined one IP address from the static IP address pool provided by the ISP on the WAN interface, and the remaining IP addresses are defined as secondary addresses on the same WAN interface.

I have checked, and there is no source IP defined in the 'config system dns'. Are you suggesting that I should define the IP address configured on the WAN interface as the source IP in 'config system dns'?

AEK

Hi Mirza

Yes, try setting the secondary IP as the source IP under "config system dns".

After that, try "exec ping example.com" and it should work.

AEK
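AEK's suggestion as a constructed FortiOS configuration, followed by the two checks that confirm it took effect. This is an added example, not the poster's actual configuration: 203.0.113.11 is a placeholder for a secondary address on the WAN interface, 96.45.46.46 is FortiGuard's secondary resolver alongside the 96.45.45.45 named in the thread, and `set protocol cleartext` is the CLI form of the UDP/cleartext option the poster re-enabled in the GUI. The `#` lines are annotations, not FortiOS output.

```text
# Constructed FortiOS CLI (added example, not the thread's own configuration).
# 203.0.113.11 stands in for a secondary IP on the WAN interface.
config system dns
    set primary 96.45.45.45
    set secondary 96.45.46.46
    set protocol cleartext
    set source-ip 203.0.113.11
end

# Verify 1: resolve a name from the FortiGate itself, as AEK suggests.
execute ping example.com

# Verify 2: capture four DNS packets and confirm the queries leave with the
# source address just configured (interface "any", filter, verbosity 4, count 4).
diagnose sniffer packet any 'udp port 53' 4 4
```

If the sniffer shows queries still leaving from the interface's primary address, the source-ip setting did not apply; if they leave from the configured address but no reply ever comes back, the ISP is not returning traffic for that secondary address and the primary address is the one to use instead.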