Slow DNS resolution due to DNS Filter
I noticed in the last few weeks that Chrome would pause a lot with "Resolving Host...". Of course, I blamed Chrome, addons, my machine, etc.
But eventually I realized it wasn't me. Our DNS servers were seeing this slowness. Occasionally nslookup would timeout with the DNS server not returning a response in time, because it wasn't receiving one in time. What I finally tracked it down to is our Fortigate. We have DNS filtering turned on for our Internet policy, and are using category filtering. Once I turned that off, everything returned to normal fast operation, including no slowness with nslookup/dig. Is this normal when this filter is enabled? Our DNS servers are set to use Google's DNS as their forwarders. Don't know if it would help to change that to something else making it easier for Fortigate to see the requests faster. Thanks
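The pauses described in the post above ("Resolving Host..." in the browser, occasional nslookup timeouts) are easiest to pin on the firewall if you measure them from a client. Below is an added example, not part of the original post, of a small stdlib-only probe that sends raw A queries to a resolver of your choosing, counts timeouts, and reports p50/p95/max latency; run it once with the DNS filter on the policy and once with it off and compare. The resolver address is supplied on the command line, the name list and the embedded sample response bytes are constructed for illustration, and the 2-second timeout is an assumption (nslookup's default is comparable).

```python
import socket
import struct
import sys
import time


def build_query(name, qid, qtype=1):
    """Build a minimal DNS query for `name` (A record by default) with RD set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # id, flags, qd, an, ns, ar
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def parse_response(data, expected_qid):
    """Return (rcode, answer_count) from a DNS response header; reject mismatched ids."""
    if len(data) < 12:
        raise ValueError("short DNS response")
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if qid != expected_qid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit not set: not a response")
    return flags & 0x000F, an


# Constructed sample responses (not captured traffic): NOERROR with one answer,
# and a SERVFAIL with no answers, both for transaction id 0x1234.
SAMPLE_RESPONSE = bytes.fromhex(
    "12348180000100010000000007" + "6578616d706c65" + "03" + "636f6d" + "00" + "0001" + "0001"
)
SAMPLE_SERVFAIL = bytes.fromhex("123481820001000000000000")


def probe(server, names, timeout=2.0, port=53):
    """Query `server` once per name; return per-query RTTs and failure counts."""
    stats = {"rtt_ms": [], "timeouts": 0, "errors": 0, "rcodes": {}}
    for i, name in enumerate(names):
        qid = (0x4000 + i) & 0xFFFF
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.settimeout(timeout)
        start = time.perf_counter()
        try:
            sock.sendto(build_query(name, qid), (server, port))
            data, _ = sock.recvfrom(512)
            rcode, _ = parse_response(data, qid)
        except socket.timeout:
            stats["timeouts"] += 1  # this is the "no response in time" nslookup reports
            continue
        except (OSError, ValueError):
            stats["errors"] += 1
            continue
        finally:
            sock.close()
        stats["rtt_ms"].append((time.perf_counter() - start) * 1000)
        stats["rcodes"][rcode] = stats["rcodes"].get(rcode, 0) + 1
    return stats


def percentile(values, pct):
    """Nearest-rank percentile over a non-empty list."""
    ordered = sorted(values)
    idx = min(len(ordered) - 1, int(pct / 100.0 * len(ordered)))
    return ordered[idx]


def summarize(stats):
    """Condense probe() output into the numbers worth comparing filter-on vs filter-off."""
    rtts = stats["rtt_ms"]
    return {
        "sent": len(rtts) + stats["timeouts"] + stats["errors"],
        "answered": len(rtts),
        "timeouts": stats["timeouts"],
        "errors": stats["errors"],
        "p50_ms": percentile(rtts, 50) if rtts else None,
        "p95_ms": percentile(rtts, 95) if rtts else None,
        "max_ms": max(rtts) if rtts else None,
    }


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: dnsprobe.py <resolver-ip> [name ...]")
    # Constructed name list; mix of popular and obscure names shows rating-cache misses.
    targets = sys.argv[2:] or ["example.com", "example.net", "www.iana.org", "fortinet.com"]
    print(summarize(probe(sys.argv[1], targets * 5)))
```

Point it at the internal DNS server first, then at the forwarder it uses (Google's in the post), from a host behind the policy with DNS filtering. If the timeouts and p95 move with the filter setting rather than with the resolver, the firewall's rating lookup is on the critical path.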
We also had this problem ever since I turned on DNS Filter. I had to change option "Use Fortiguard servers" to Specify and use DNS servers provided by our ISP.
We were already using our own DNS servers. I meant to come back and follow up. Basically, about a week after my original post everything just started working fine again. Ah...Internet....
We're getting this same issue. We have been getting a lot of timed-out requests, and if I bypass the DNS filter everything works fine. We also do not use Fortinet's DNS servers. The box doing our filtering is a 1500D and there are no issues with resources that I can see. My only theory is the FortiGuard service is being slow to respond. Anyone try checking the "Allow DNS requests when a rating error occurs" option to see if it helps?
Running 5.6.3
Support said there is a known bug for our platform with no fix ATM. They're verifying this is the issue.
Hi all,
As a best practice, Fortinet recommends that the local ISP's DNS servers are used for faster name resolutions.
In addition, it is also worth considering changing the FortiDNS server your FortiGate is pointing to. You can use the default FortiDNS server located in Sunnyvale, USA (IP address 208.91.112.220), or you can switch to the server in London, UK (IP address 80.85.69.54) to see if it improves latency. To switch between the two, you can run the following commands:
config system fortiguard
set sdns-server-ip [ip address of the FortiDNS server you wish to switch to]
end
Failing that, feel free to run a packet capture next time this issue occurs with the following command:
diag sniffer packet any 'port 53 and host destination-ip-address' 4
Then simply post the output on this forum so we can assist you further.
I hope that helps.
NSE5, CCSE, CCNA R&S, CompTIA A+, CompTIA Network+, CompTIA Security+, MTA Security, ITIL v3
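Before posting a capture like the one requested above, it helps to reduce it to the numbers that matter: which DNS transactions got a response and how long it took, and which never got one. The following is an added example, not part of the reply above or of any Fortinet tooling, that pairs query and response header lines from `diag sniffer packet ... 4` output and reports slow and unanswered lookups. It assumes the default relative-seconds timestamp and the header-line layout `<ts> <interface> <in|out> <src>.<sport> -> <dst>.<dport>: udp <len>`; the sample lines are constructed, not a real capture, and the 1000 ms "slow" threshold is an arbitrary choice.

```python
import re

# Header line as printed by the FortiOS sniffer at verbosity 4 with relative timestamps
# (assumed layout; adjust the pattern if your capture uses absolute timestamps).
SNIFFER_LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<ifname>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>[\d.]+)\.(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+)\.(?P<dport>\d+):\s+udp\s+(?P<len>\d+)"
)

# Constructed sample capture: one fast lookup, one slow lookup, one that never returns.
SAMPLE_CAPTURE = """\
0.000000 internal in 10.0.0.5.51234 -> 8.8.8.8.53: udp 45
0.012000 wan1 in 8.8.8.8.53 -> 10.0.0.5.51234: udp 120
1.000000 internal in 10.0.0.6.40000 -> 8.8.8.8.53: udp 47
2.000000 internal in 10.0.0.7.40001 -> 8.8.8.8.53: udp 47
3.500000 wan1 in 8.8.8.8.53 -> 10.0.0.6.40000: udp 130
""".splitlines()


def parse_line(line):
    """Return the fields of one sniffer header line, or None for payload/other lines."""
    m = SNIFFER_LINE.match(line)
    if not m:
        return None
    return {
        "ts": float(m.group("ts")),
        "src": m.group("src"),
        "sport": int(m.group("sport")),
        "dst": m.group("dst"),
        "dport": int(m.group("dport")),
    }


def match_transactions(lines, dns_port=53):
    """Pair each query (to dns_port) with the first reply to the same client socket.

    Returns (completed, unanswered): completed entries carry the round trip in ms,
    unanswered entries are queries for which no reply appeared in the capture.
    """
    pending = {}  # (client_ip, client_port, server_ip) -> query timestamp
    completed = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["dport"] == dns_port:
            pending[(rec["src"], rec["sport"], rec["dst"])] = rec["ts"]
        elif rec["sport"] == dns_port:
            key = (rec["dst"], rec["dport"], rec["src"])
            start = pending.pop(key, None)
            if start is not None:
                completed.append({
                    "client": key[0],
                    "server": rec["src"],
                    "rtt_ms": round((rec["ts"] - start) * 1000, 3),
                })
    unanswered = [{"client": k[0], "server": k[2], "ts": v} for k, v in pending.items()]
    return completed, unanswered


def slow_transactions(completed, threshold_ms=1000.0):
    """Lookups that took at least threshold_ms; these are the browser's 'Resolving host' pauses."""
    return [c for c in completed if c["rtt_ms"] >= threshold_ms]


if __name__ == "__main__":
    import sys
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_CAPTURE
    done, lost = match_transactions(lines)
    print(f"answered={len(done)} unanswered={len(lost)} slow={len(slow_transactions(done))}")
    for c in slow_transactions(done):
        print(f"slow  {c['client']} -> {c['server']}  {c['rtt_ms']} ms")
    for u in lost:
        print(f"lost  {u['client']} -> {u['server']}  at t={u['ts']}")
```

Run it on the saved sniffer output (with the filter enabled) and again on a capture taken with the filter disabled on the same policy. A clean forwarder with a long gap between query and reply, or replies that never arrive, shows whether the delay is upstream or sits in the rating lookup between the two.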
