Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
dan_newcombe
New Contributor

Slow DNS resolution due to DNS Filter

I noticed in the last few weeks that Chrome would pause a lot with "Resolving Host...".  Of course, I blamed Chrome, addons, my machine, etc.   

 

But eventually I realized it wasn't me.  Our DNS servers were seeing this slowness.  Occasionally nslookup would timeout with the DNS server not returning a response in time, because it wasn't receiving one in time. What I finally tracked it down to is our Fortigate.  We have DNS filtering turned on for our Internet policy, and are using category filtering.   Once I turned that off, everything returned to normal fast operation, including no slowness with nslookup/dig. Is this normal when this filter is enabled?   Our DNS servers are set to use Google's DNS as their forwarders.  Don't know if it would help to change that to something else making it easier for Fortigate to see the requests faster. Thanks

6 REPLIES 6
ThunderSpartan
New Contributor

We were having this issue as well, and thanks to your post I turned off the “FortiGuard category based filter” on the DNS filter, and our page loading is much better, we would get time-outs at times loading pages and I have been making changes to our DNS to try and resolve. Hopefully one of the gurus on this forum can explain. Thanks
bbahes

We also had this problem ever since I turned on DNS Filter. I had to change option "Use Fortiguard servers" to Specify and use DNS servers provided by our ISP.

dan_newcombe

We were already using our own DNS servers.  I mean to come back and followup.  Basically, about a week after my original post everything just starting working fine again.   Ah...Internet....

adamsieting

We're getting this same issue. We have been getting a lot of timed out request and if I bi-pass the DNS filter everything works fine. We also do not use Fortinets DNS servers. The box doing our filtering is a 1500D and there's no issues with resources I can see. My only theory is the Fortiguard service is being slow to respond. Anyone try checking the "Allow DNS requests when a rating error occurs" option to see if it helps?

 

Running 5.6.3

adamsieting

Support said there is a known bug for our platform with no fix ATM. They're verifying this is the issue.

Nicholas_Doropoulos

Hi all,

 

As a best practice, Fortinet recommends that the local ISP's DNS servers are used for faster name resolutions. 

 

In addition, it is also worth considering to change the FortiDNS server your Fortigate is pointing to. You can use the default FortiDNS server located in Sunnyvale, USA (IP address208.91.112.220), or you can switch to the server in London, UK (IP address 80.85.69.54) to see if it improves latency. To switch between the two, you can run the following commands:

 

config system fortiguard

 set sdns-server-ip [ip address of the FortiDNS server you wish to switch to]

end

 

Failing that, feel free to run a packet capture next time this issue occurs with the following command:

 

diag sniffer packet any 'port 53' and 'host destination-ip-address' 4

 

Then simply post the output on this forum so we can assist you further.

 

I hope that helps.

NSE5, CCSE, CCNA R&S, CompTIA A+, CompTIA Network+, CompTIA Security+, MTA Security, ITIL v3

NSE5, CCSE, CCNA R&S, CompTIA A+, CompTIA Network+, CompTIA Security+, MTA Security, ITIL v3
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors