Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Erik-dft
New Contributor

Created on ‎03-09-2022 09:30 AM

(S)DNS server slow - users getting SSL errors

Has anyone else had any issues with site using the DNS filters?  I have a few different sites, with different version of the firewall, all getting the same random error.  

 

Users are complaining that they get a SSL error on sites that should work (even outlook gets errors).  When we look at the cert, its a @*.fortinet  cert.   So looks like some type of re-direct is happening.

 

In the logs (DNS) I see errors that SDNS is not responding.  

 

When I hit the DNS tab under networking, the primary DNS server (96.45.45.45) is red with a time of 10,470ms.

 

Anyone else seeing anything similar?  For now I've turned of DNS filter to see if that helps.dns-small.jpg

 

 

 

Labels:
1866
0 Kudos
3 REPLIES 3
vtsonev
Staff
Staff

Created on ‎03-10-2022 07:26 AM

Hello Erik,

 

There is currently ongoing investigation for the same topic. (high latency on our new DNS servers) . By design DNS over TLS (port 853) is expected to have higher latency than the plain DNS traffic or ICMP for example, but it shouldn't reach higher values, like in your case. (above 10,000ms)

 

Meanwhile you can use the following as a workaround :

 

config system dns
set primary 8.8.8.8
set protocol dot
set server-hostname "dns.google"
end

 

Can you also upload a sample of the SSL error logs that you see. I guess you would find them in the forward traffic logs on your Fortigate.

 

Best regards,

Vasil

 

Fortinet Technical Team Lead
NSE 1-4,7 Certified
1800
0 Kudos
vitor-simoes
New Contributor
In response to vtsonev

Created on ‎08-11-2022 11:49 AM

I have the same issue, but your solution wont work for me. Only Fortiguard as DNS servers are working in my case.

1401
0 Kudos
vitor-simoes
New Contributor

Created on ‎08-11-2022 11:48 AM

Hey Buddy, i have the same situation happening after a firmware update to 7.2.0. Not only system DNS is showing a very high latency but for some reason i cant use other public DNS i have to keep fortiguard as DNS Server otherwise the box stop resolving names. Also using the fortigate as a DNS server became impossible, name resolutions are very slow or not happening at all.

Now using google DNS in workstations helped but now and then we are having random DNS errors and pressing F5 the site opens. Just crazy.

Dont really know what to do at the moment.


1401
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.