Support Forum
kumarmt
New Contributor II

Fortigate Disable FQDN resolving for default sites
Hello

I am reaching out to seek assistance regarding high traffic and cost issues stemming from frequent Fully Qualified Domain Name (FQDN) resolution on our FortiGate 80F device. Our network relies on Satellite internet with a pay-as-you-use model.

In light of this, I am exploring options to either stop or significantly reduce the time taken by the FortiGate system to perform DNS resolutions.

To provide additional context, I have undertaken the following troubleshooting steps:

  1. Deletion of Default Addresses: I have removed default addresses from the FortiGate device; however, the changes do not persist. Default addresses, including those for well-known domains such as "google.com" and "microsoft," continue to reappear.

  2. Configuration Checks: I have thoroughly reviewed and adjusted configurations related to DNS filters, security profiles, firewall policies, and system settings.

Given the persistence of the issue, I would appreciate any guidance or recommendations you can provide to optimize FQDN resolution on our FortiGate 80F.

srajeswaran
Staff

Are you looking for a method to stop Fortigate sending DNS resolution requests? For all domains or Specific domains?

Regards,

Suraj


kumarmt
New Contributor II

Dear Suraj,

We would like to restrict DNS resolution requests to only a few specified hosts and disable resolution for default hosts like google.com and microsoft.com. Upon inspecting the packets from our Fortigate, it seems to be sending DNS queries every 2-3 seconds.

Please let me know if there is any method to reduce DNS query.


AEK
Honored Contributor

Hello

I think you just need to setup a local central DNS server:

  • Configure all clients (including FGT) to send queries to your DNS server
  • Only local DNS server sends DNS queries to Internet
  • Configure DNS cache for 1h

This will certainly optimize the amount of DNS requests to Internet and reduce response time.

AEK
kumarmt
New Contributor II

@AEK
Thank you

I will try to setup local DNS server and test.

hbac
Staff

Hi @kumarmt,

You can follow this article to increase fqdn-cache-ttl. https://community.fortinet.com/t5/FortiGate/Technical-Tip-Explanation-of-the-FQDN-nbsp-default-nbsp-...

Regards,
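Added example, not code from this thread or from Fortinet: a small Python script that turns a log of the firewall's outbound DNS queries into a per-name query interval (the "every 2-3 seconds" observed above) and a projected daily byte count on the metered link, then compares it with the cost if each name were re-resolved only once per a longer cache TTL such as the 1 h suggested by AEK. The log format, the 200-byte per-lookup figure and the "one resolution per TTL" model are assumptions.

```python
"""Estimate how much of a metered link's traffic goes to FQDN re-resolution
and how much a longer cache TTL would save. Constructed example; the log
format is an assumption, not FortiOS sniffer or log output."""
from collections import defaultdict
from statistics import mean

# Constructed sample: "<epoch seconds> <queried name>", one line per outbound query.
SAMPLE_LOG = """\
1700000000 google.com
1700000002 microsoft.com
1700000003 google.com
1700000005 microsoft.com
1700000006 google.com
1700000008 microsoft.com
1700000009 google.com
1700000011 microsoft.com
1700000012 google.com
"""

# Assumed average bytes on the wire for one query plus its response (with headers).
BYTES_PER_LOOKUP = 200

def parse_log(text):
    """Return {name: [timestamps]} from the constructed log format."""
    seen = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            ts, name = line.split(None, 1)
            seen[name.strip().lower()].append(int(ts))
    return dict(seen)

def query_interval(timestamps):
    """Mean seconds between consecutive queries for one name (None if < 2 samples)."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    return mean(gaps) if gaps else None

def projected_daily_bytes(interval_s, bytes_per_lookup=BYTES_PER_LOOKUP):
    """Bytes per day if one name is re-resolved every interval_s seconds."""
    return int(86400 / interval_s) * bytes_per_lookup

def report(text, proposed_ttl_s):
    """Per name: observed interval and projected daily bytes now vs. at proposed_ttl_s.
    Assumes the firewall re-resolves a name once per cache TTL (assumption)."""
    out = {}
    for name, stamps in parse_log(text).items():
        interval = query_interval(stamps)
        if interval is None:
            continue
        out[name] = {"queries_seen": len(stamps), "mean_interval_s": interval,
                     "daily_bytes_now": projected_daily_bytes(interval),
                     "daily_bytes_with_ttl": projected_daily_bytes(proposed_ttl_s)}
    return out

if __name__ == "__main__":
    for name, r in report(SAMPLE_LOG, 3600).items():
        print(f"{name}: every {r['mean_interval_s']:.1f}s -> "
              f"{r['daily_bytes_now'] / 1e6:.2f} MB/day now, "
              f"{r['daily_bytes_with_ttl'] / 1e3:.1f} kB/day at 1h TTL")
```

Feed it a real capture of the firewall's queries (converted to the two-column format) to see which FQDN objects dominate before changing the TTL or adding a local caching resolver.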
