I noticed in the last few weeks that Chrome would pause a lot with "Resolving Host...". Of course, I blamed Chrome, addons, my machine, etc.
But eventually I realized it wasn't me. Our DNS servers were seeing this slowness. Occasionally nslookup would time out with the DNS server not returning a response in time, because it wasn't receiving one in time.
What I finally tracked it down to is our Fortigate. We have DNS filtering turned on for our Internet policy, and are using category filtering. Once I turned that off, everything returned to normal fast operation, including no slowness with nslookup/dig.
Is this normal when this filter is enabled? Our DNS servers are set to use Google's DNS as their forwarders. Don't know if it would help to change that to something else making it easier for Fortigate to see the requests faster.
We were having this issue as well, and thanks to your post I turned off the “FortiGuard category based filter” on the DNS filter, and our page loading is much better. We would get time-outs at times loading pages, and I have been making changes to our DNS to try and resolve it. Hopefully one of the gurus on this forum can explain.
We're getting this same issue. We have been getting a lot of timed-out requests, and if I bypass the DNS filter everything works fine. We also do not use Fortinet's DNS servers. The box doing our filtering is a 1500D and there are no issues with resources I can see. My only theory is the FortiGuard service is being slow to respond. Anyone try checking the "Allow DNS requests when a rating error occurs" option to see if it helps?
As a best practice, Fortinet recommends that the local ISP's DNS servers are used for faster name resolutions.
In addition, it is also worth considering changing the FortiDNS server your Fortigate is pointing to. You can use the default FortiDNS server located in Sunnyvale, USA (IP address 220.127.116.11), or you can switch to the server in London, UK (IP address 18.104.22.168) to see if it improves latency. To switch between the two, you can run the following commands:
config system fortiguard
    set sdns-server-ip [ip address of the FortiDNS server you wish to switch to]
end
Failing that, feel free to run a packet capture next time this issue occurs with the following command:
diag sniffer packet any 'port 53 and host destination-ip-address' 4
Then simply post the output on this forum so we can assist you further.
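Added example (not from any poster in this thread): a small Python script that pairs the DNS queries and replies in a sniffer capture like the one suggested above, so you can see how long the upstream resolver took per query and which queries never got an answer before posting the output. The sample lines are constructed, and the one-line-per-packet format is an assumption about what the verbose-4 sniffer summary looks like.

```python
import re
from collections import OrderedDict

# Constructed sample; assumed layout of one verbose-4 summary line:
# <seconds> <iface> <in|out> <src>.<sport> -> <dst>.<dport>: udp <len>
SAMPLE_CAPTURE = """\
0.100000 port1 in 10.0.0.5.40001 -> 8.8.8.8.53: udp 45
0.118000 port1 out 8.8.8.8.53 -> 10.0.0.5.40001: udp 77
0.200000 port1 in 10.0.0.5.40002 -> 8.8.8.8.53: udp 45
0.300000 port1 in 10.0.0.5.40003 -> 8.8.8.8.53: udp 45
1.950000 port1 out 8.8.8.8.53 -> 10.0.0.5.40002: udp 77
"""

LINE_RE = re.compile(
    r"^(\d+\.\d+)\s+(\S+)\s+(in|out)\s+(\S+)\.(\d+) -> (\S+)\.(\d+): udp (\d+)$"
)


def dns_latency_report(capture_text):
    """Pair each query (dst port 53) with its reply by (client, client port, server).
    Returns one record per query; latency_ms is None when no reply was captured."""
    pending = OrderedDict()  # (client, client_port, server) -> query timestamp
    results = []
    for line in capture_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip hex dumps or anything that is not a summary line
        ts, src, sport, dst, dport = float(m[1]), m[4], int(m[5]), m[6], int(m[7])
        if dport == 53:                      # outbound query from our forwarder
            pending[(src, sport, dst)] = ts
        elif sport == 53:                    # reply from the upstream resolver
            key = (dst, dport, src)
            if key in pending:
                results.append({"client_port": dport, "server": src,
                                "latency_ms": (ts - pending.pop(key)) * 1000.0})
    for (_, sport, dst) in pending:          # queries that never got an answer
        results.append({"client_port": sport, "server": dst, "latency_ms": None})
    return results


def summarize(results, slow_ms=500.0):
    """Count unanswered and slow queries; slow_ms is the threshold worth reporting."""
    answered = [r["latency_ms"] for r in results if r["latency_ms"] is not None]
    return {"queries": len(results),
            "unanswered": len(results) - len(answered),
            "slow": sum(1 for ms in answered if ms > slow_ms),
            "max_ms": max(answered) if answered else None}


if __name__ == "__main__":
    print(summarize(dns_latency_report(SAMPLE_CAPTURE)))
```

Feed it the real sniffer output instead of SAMPLE_CAPTURE; a high unanswered or slow count with the filter on, and a clean run with it off, is the comparison the thread is after.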