FortiGate
J_Xia
Staff
Article Id 289915
Description

This article describes how DNS (Domain Name System) typically uses UDP (User Datagram Protocol) as its transport layer protocol, chosen for its speed and efficiency with the small query and response sizes of most DNS requests, and the situations in which DNS uses TCP (Transmission Control Protocol) on port 53 instead.

For example, if a DNS response is too large to fit in a single UDP packet (512 bytes traditionally, or up to 4096 bytes with EDNS), the DNS server indicates that the client should retry the query over TCP. TCP is needed here because, unlike UDP, it can carry larger payloads and split the data across multiple segments.

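The UDP-first, TCP-on-truncation behaviour described above, as an added example that is not code from the Fortinet article: a minimal DNS client that builds an A query with an EDNS0 OPT record, sends it over UDP, and retries the same query over TCP only when the server sets the TC (truncated) flag. The 2-byte length prefix used on TCP and the "answer on the same connection" rule from RFC 7766 are shown in `tcp_frame` and `tcp_exchange`. The transport functions are injectable so the fallback logic can be exercised offline; the resolver address passed to `resolve` is whatever server you are permitted to query.

```python
import socket
import struct

# Added example (not from the Fortinet article): a minimal DNS client that
# queries over UDP first and retries over TCP only when the server sets the
# TC (truncated) flag in its UDP response.

HEADER = struct.Struct("!HHHHHH")  # id, flags, qdcount, ancount, nscount, arcount
FLAG_RD = 0x0100  # recursion desired
FLAG_TC = 0x0200  # truncated: the answer did not fit the UDP payload size


def encode_name(name):
    """Encode 'example.com' as DNS labels: \\x07example\\x03com\\x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, txid=0x1234, udp_payload_size=None):
    """Standard A/IN query with RD set. If udp_payload_size is given, an
    EDNS0 OPT record (RFC 6891) advertises that UDP buffer size, so the
    server may send UDP responses larger than the classic 512-byte limit."""
    arcount = 1 if udp_payload_size else 0
    msg = HEADER.pack(txid, FLAG_RD, 1, 0, 0, arcount)
    msg += encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    if udp_payload_size:
        # OPT RR: root name, TYPE=41, CLASS=payload size, TTL=0, RDLENGTH=0
        msg += b"\x00" + struct.pack("!HHIH", 41, udp_payload_size, 0, 0)
    return msg


def is_truncated(response):
    """True when the TC bit is set in the response header."""
    flags = HEADER.unpack_from(response)[1]
    return bool(flags & FLAG_TC)


def tcp_frame(msg):
    """DNS over TCP prefixes each message with a 2-byte length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


def tcp_unframe(data):
    """Strip the 2-byte length prefix and return exactly one DNS message."""
    (length,) = struct.unpack_from("!H", data)
    return data[2:2 + length]


def _recv_exact(sock, n):
    """Read exactly n bytes from a stream socket."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed before full DNS message")
        buf += chunk
    return buf


def udp_exchange(server, msg, timeout=3.0):
    """Send one query over UDP/53 and return the raw response."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(msg, (server, 53))
        return s.recv(4096)


def tcp_exchange(server, msg, timeout=3.0):
    """Send one query over TCP/53 and read the length-prefixed response on
    the same connection, as RFC 7766 requires."""
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(tcp_frame(msg))
        (length,) = struct.unpack("!H", _recv_exact(s, 2))
        return _recv_exact(s, length)


def resolve(name, server, udp=udp_exchange, tcp=tcp_exchange, edns_size=4096):
    """UDP first; fall back to TCP only if the UDP reply is truncated.
    Returns (response_bytes, transport_used). The udp/tcp callables are
    injectable so the fallback logic can be tested without network access."""
    query = build_query(name, udp_payload_size=edns_size)
    reply = udp(server, query)
    if not is_truncated(reply):
        return reply, "udp"
    # Same query, same question; only the transport changes.
    return tcp(server, query), "tcp"
```

Calling `resolve("example.com", "<resolver-ip>")` returns the raw response and the transport that delivered it; a client that skips the UDP attempt and goes straight to TCP, which is the situation the article observes, would look to the server like every query arriving on TCP/53.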

From RFC 7766: 'In addition, it is noted that all recursive and authoritative servers MUST send responses using the same transport as the query arrived on. In the case of TCP, this MUST also be the same connection'.

 

Related document:

https://datatracker.ietf.org/doc/html/rfc7766#section-5

 

The DNS server on FortiGate is configured, and by default its type is recursive:

[Image: 1.png]

 

The DNS setting on FortiGate defaults to UDP port 53:

[Image: 2.png]

 

When an end device sends unexpected TCP port 53 traffic to FortiGate's internal interface IP (the DNS server on FortiGate), FortiGate forwards that traffic as TCP port 53 to the external DNS server.

[Image: 3.png]

 

On the WAN side, FortiGate proxies the traffic to the FortiGuard DNS server.

[Image: 4.png]

 

This can cause high latency, or even no reply at all, from some external DNS servers that do not expect this traffic type.
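A quick way to find which internal clients are sending DNS over TCP to the FortiGate's DNS server address, as an added example that is not part of the article: a small parser for FortiGate-style key=value forward traffic logs that counts TCP/53 sessions per source IP. The log lines, IPs and timestamps below are constructed for illustration; in FortiGate logs `proto=6` is TCP and `proto=17` is UDP, and the set of FortiGate DNS server IPs is assumed to be the internal interface addresses you run the DNS server on.

```python
import re
from collections import Counter

# Added example (not from the Fortinet article). Constructed FortiGate-style
# forward traffic log lines; values are invented. proto=6 is TCP, proto=17 is UDP.
SAMPLE_LOGS = [
    'date=2024-01-01 time=10:00:01 type="traffic" subtype="forward" srcip=192.0.2.10 dstip=192.0.2.1 dstport=53 proto=17 action="accept"',
    'date=2024-01-01 time=10:00:02 type="traffic" subtype="forward" srcip=192.0.2.11 dstip=192.0.2.1 dstport=53 proto=6 action="accept"',
    'date=2024-01-01 time=10:00:03 type="traffic" subtype="forward" srcip=192.0.2.11 dstip=192.0.2.1 dstport=53 proto=6 action="accept"',
    'date=2024-01-01 time=10:00:04 type="traffic" subtype="forward" srcip=192.0.2.12 dstip=198.51.100.5 dstport=53 proto=6 action="accept"',
]

# key=value pairs; values are either double-quoted strings or bare tokens
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Split one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def tcp53_clients(lines, fortigate_dns_ips):
    """Count, per source IP, the TCP/53 sessions whose destination is one of
    the FortiGate DNS server addresses (assumed: the internal interface IPs)."""
    counts = Counter()
    for line in lines:
        f = parse_line(line)
        if (f.get("proto") == "6" and f.get("dstport") == "53"
                and f.get("dstip") in fortigate_dns_ips):
            counts[f["srcip"]] += 1
    return dict(counts)
```

Run against exported traffic logs, the result is the list of hosts whose DNS settings the Solution section says should be pointed at a server other than FortiGate; a host that appears with many entries is sending every query over TCP rather than only truncated retries.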

For details of how the DNS latency is calculated:

Technical Tip: DNS Server shows Unreachable or high latency in GUI Dashboard even though it is pinga...

[Image: 5.png]

Scope

FortiGate.
Solution

The high latency shown on FortiGate is attributed to end users sending DNS over TCP for responses that are too large to be carried over UDP. To address this, the end users should set their DNS settings to a server other than FortiGate.

With this change, FortiGate no longer exhibits the high latency.

Related document:

Technical Tip: Different options of configuring DNS server on FortiGate