I noticed in the last few weeks that Chrome would pause a lot with "Resolving Host...". Of course, I blamed Chrome, addons, my machine, etc.
But eventually I realized it wasn't me. Our DNS servers were seeing this slowness. Occasionally nslookup would time out with the DNS server not returning a response in time, because it wasn't receiving one in time. What I finally tracked it down to is our Fortigate. We have DNS filtering turned on for our Internet policy, and are using category filtering. Once I turned that off, everything returned to normal fast operation, including no slowness with nslookup/dig. Is this normal when this filter is enabled? Our DNS servers are set to use Google's DNS as their forwarders. Don't know if it would help to change that to something else, making it easier for Fortigate to see the requests faster. Thanks.
We also had this problem ever since I turned on DNS Filter. I had to change option "Use Fortiguard servers" to Specify and use DNS servers provided by our ISP.
We were already using our own DNS servers. I meant to come back and follow up. Basically, about a week after my original post everything just started working fine again. Ah... Internet...
We're getting this same issue. We have been getting a lot of timed-out requests, and if I bypass the DNS filter everything works fine. We also do not use Fortinet's DNS servers. The box doing our filtering is a 1500D and there are no issues with resources I can see. My only theory is the Fortiguard service is being slow to respond. Anyone try checking the "Allow DNS requests when a rating error occurs" option to see if it helps?
Running 5.6.3
Support said there is a known bug for our platform with no fix ATM. They're verifying this is the issue.
Hi all,
As a best practice, Fortinet recommends that the local ISP's DNS servers are used for faster name resolution.
In addition, it is also worth considering changing the FortiDNS server your Fortigate is pointing to. You can use the default FortiDNS server located in Sunnyvale, USA (IP address 208.91.112.220), or you can switch to the server in London, UK (IP address 80.85.69.54) to see if it improves latency. To switch between the two, you can run the following commands:
config system fortiguard
set sdns-server-ip [ip address of the FortiDNS server you wish to switch to]
end
Failing that, feel free to run a packet capture next time this issue occurs with the following command:
diag sniffer packet any 'port 53' and 'host destination-ip-address' 4
Then simply post the output on this forum so we can assist you further.
I hope that helps.
NSE5, CCSE, CCNA R&S, CompTIA A+, CompTIA Network+, CompTIA Security+, MTA Security, ITIL v3
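To put numbers on the "nslookup times out" symptom discussed in this thread before reaching for a packet capture, here is a small resolver latency probe. It is an added example, not code from the original post or from Fortinet: it builds a raw DNS query (RFC 1035 wire format, no third-party library), sends it to whichever resolver you name on the command line, and reports per-query round-trip time, timeouts and mismatched transaction IDs. Running it against the internal DNS server, the ISP resolver and the upstream forwarder in turn shows which hop the delay sits on. The query name `example.com` and the 2-second timeout are assumptions chosen for the example.

```python
import random
import socket
import struct
import sys
import time


def build_query(name: str, qtype: int = 1) -> tuple[int, bytes]:
    """Build a minimal recursive DNS query (A record by default); return (txid, packet)."""
    txid = random.randint(0, 0xFFFF)
    # Header: id, flags (RD=1), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    return txid, header + question


def parse_header(packet: bytes) -> dict:
    """Decode the 12-byte DNS header: transaction id, QR bit, RCODE, answer count."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "rcode": flags & 0x000F, "answers": an}


def probe(server: str, name: str = "example.com", attempts: int = 5,
          timeout: float = 2.0) -> dict:
    """Send `attempts` queries to `server`:53 and collect RTTs (ms), timeouts, id mismatches."""
    rtts, timeouts, mismatches = [], 0, 0
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for _ in range(attempts):
            txid, pkt = build_query(name)
            start = time.monotonic()
            sock.sendto(pkt, (server, 53))
            try:
                data, _ = sock.recvfrom(512)
            except socket.timeout:
                timeouts += 1  # the symptom from the thread: no answer inside the timeout
                continue
            hdr = parse_header(data)
            if hdr["id"] != txid or not hdr["is_response"]:
                mismatches += 1  # stray or spoofed reply; do not count it as a good answer
                continue
            rtts.append((time.monotonic() - start) * 1000)
    return {"server": server, "rtts_ms": rtts, "timeouts": timeouts, "mismatches": mismatches,
            "max_ms": max(rtts) if rtts else None}


if __name__ == "__main__":
    for resolver in sys.argv[1:]:  # e.g. internal DNS, ISP DNS, upstream forwarder
        print(probe(resolver))
```

Compare `max_ms` and `timeouts` for each resolver with the DNS filter enabled and disabled; a jump that appears only on the hop that passes through the Fortigate points at the filtering path rather than at the upstream forwarder.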