Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
kumarmt
New Contributor II

Created on ‎11-20-2023 02:42 AM

Fortigate Disable FQDN resolving for default sites

 

Hello

 I am reaching out to seek assistance regarding high traffic and cost issues stemming from frequent Fully Qualified Domain Name (FQDN) resolution on our FortiGate 80F device. Our network relies on Satellite internet with a pay-as-you-use model.

In light of this, I am exploring options to either stop or significantly reduce the time taken by the FortiGate system to perform DNS resolutions.

To provide additional context, I have undertaken the following troubleshooting steps:

  1. Deletion of Default Addresses: I have removed default addresses from the FortiGate device; however, the changes do not persist. Default addresses, including those for well-known domains such as "google.com" and "microsoft," continue to reappear.

  2. Configuration Checks: I have thoroughly reviewed and adjusted configurations related to DNS filters, security profiles, firewall policies, and system settings.

Given the persistence of the issue, I would appreciate any guidance or recommendations you can provide to optimize FQDN resolution on our FortiGate 80F.

Labels:
2037
0 Kudos
5 REPLIES 5
srajeswaran
Staff
Staff

Created on ‎11-20-2023 03:25 AM

Are you looking for a method to stop Fortigate sending DNS resolution requests? For all domains or Specific domains?

Regards,
Suraj
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
2024
kumarmt
New Contributor II
In response to srajeswaran

Created on ‎11-20-2023 04:12 PM

Dear Suraj,

We would like to restrict DNS resolution requests to only a few specified hosts and disable resolution for default hosts like google.com and microsoft.com. Upon inspecting the packets from our Fortigate, it seems to be sending DNS queries every 2-3 seconds.

Please let me know if there is any method to reduce DNS query.

 

1985
0 Kudos
AEK
SuperUser
SuperUser

Created on ‎11-20-2023 04:31 AM

Hello

I think you just need to setup a local central DNS server:

  • Configure all clients (including FGT) to send queries to your DNS server (including FGT)
  • Only local DNS server sends DNS queries to Internet
  • Configure DNS cache for 1h

This will certainly optimize the amount of DNS requests to Internet and reduce response time.

AEK
AEK
2011
kumarmt
New Contributor II
In response to AEK

Created on ‎11-20-2023 04:18 PM

@AEK 
Thank you

I will try to setup local DNS server and test. 

1984
0 Kudos
hbac
Staff
Staff

Created on ‎11-20-2023 08:40 AM

Hi @kumarmt,

 

You can follow this article to increase fqdn-cache-ttl. https://community.fortinet.com/t5/FortiGate/Technical-Tip-Explanation-of-the-FQDN-nbsp-default-nbsp-...

 

Regards, 

1996
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.