tanini
New Contributor

Fortinet DNS O365 Issues

FYI, it looks like Fortinet DNS servers are having issues with O365 today. Outlook web and desktop clients are providing invalid cert prompts for a cert that expired in 2010 for some non-O365 URL. I opened a support case to Fortinet and they found that this appears to be a global issue with their DNS servers currently, regardless of the DNS protocol used. For now, we've adjusted DHCP to point to other public DNS servers to get customers working again.

kaman
Staff

Office 365 will return the ACDC closer to the IP that made the DNS query.

So if your query goes to Google DNS (8.8.8.8) or FortiGuard DNS (96.45.45.45) in the same country, the result will be different because the DNS servers will forward the query from different countries.

A best practice from Microsoft is to use the DNS servers from the ISP provider, so the queries are made from the same country that we are trying to connect to. This will ensure that Outlook will connect to the nearest Microsoft available zone with less latency.
There are some articles that you can read, that explain this.
https://c7solutions.com/2017/10/office-365-and-acdc
https://www.msxfaq.de/cloud/verbindung/o365-dnsrouting.htm

I believe that the best approach is to use the DNS from your ISP provider or a DNS server from your country.
You can change the interface DHCP settings from "Same as Interface IP" to "Specify" and put the DNS there.
In the FortiGate DNS, you can still use the FortiGuard DNS servers.

travuselm
New Contributor II

Some notes online about the Fortinet DNS.

As discussed, this DNS issue is related to Bug ID 0898560.

https://www.reddit.com/r/fortinet/comments/yuu50t/dns_issues_while_using_fortinet_dns_servers/

https://community.fortinet.com/t5/Support-Forum/FortiGuard-DNS-issue/td-p/263269

Thank you for contacting us.

The issue described in ticket ###### is a known one and is currently under investigation.
A temporary solution is to clear the DNS cache. We are still looking into the root cause.

Kind regards,
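
Added example, not part of the thread and not Fortinet or Microsoft code: a way to separate the expected geo-dependent answers described in the first reply from the bad answers in the original report, by validating the certificate served at each IP a resolver returned instead of comparing IP lists. The function names, resolver labels, the hostname `outlook.office365.com` and the 192.0.2.x / 198.51.100.x addresses are assumptions constructed for illustration.

```python
import socket
import ssl

def probe_tls(ip, hostname, port=443, timeout=5.0):
    """Connect to ip, send hostname as SNI and validate the served certificate.
    Returns None when chain and hostname verify, else the failure reason."""
    ctx = ssl.create_default_context()  # system trust store, hostname check on
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname):
                return None
    except ssl.SSLCertVerificationError as exc:
        return exc.verify_message  # e.g. "certificate has expired"
    except (ssl.SSLError, OSError) as exc:
        return f"connection failed: {exc}"

def triage(answers, hostname, probe=probe_tls):
    """answers maps a resolver label to the IPs it returned for hostname
    (collected separately, e.g. with nslookup against each resolver).
    Differing IPs between resolvers are normal with geo-aware DNS, so a
    resolver is flagged only when an IP it returned fails validation."""
    cache, report = {}, {}
    for resolver, ips in answers.items():
        failures = {}
        for ip in ips:
            if ip not in cache:  # probe each distinct IP once
                cache[ip] = probe(ip, hostname)
            if cache[ip] is not None:
                failures[ip] = cache[ip]
        report[resolver] = failures
    return report

if __name__ == "__main__":
    # Constructed sample: documentation-range IPs and a stub probe, so the
    # demo runs offline. Drop the probe argument to test real answers.
    canned = {"192.0.2.10": None, "198.51.100.20": None,
              "192.0.2.66": "certificate has expired"}
    sample = {"isp-resolver": ["192.0.2.10"],
              "public-resolver": ["198.51.100.20"],
              "suspect-resolver": ["192.0.2.66"]}
    result = triage(sample, "outlook.office365.com",
                    probe=lambda ip, host: canned[ip])
    for resolver, failures in result.items():
        print(resolver, "OK" if not failures else failures)
```

A resolver whose answers differ from the others but still validate is showing the geo-routing behaviour; one whose answers fail validation is the one to move clients away from and report.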
