gmanea
Staff
Article Id 194970

Description
This article explains the System DNS Server functionality.

Related document:
https://docs.fortinet.com/document/fortigate/6.4.4/administration-guide/780581/dns

Solution
This article focuses on the following setup:

# config system dns
    set primary <ip_address>
    set secondary <ip_address>

By default, FortiGate uses FortiGuard's DNS servers:
- Primary: 208.91.112.53
- Secondary: 208.91.112.52

These servers can of course be changed.
By design, DNS requests are sent to whichever of the two servers has the lowest latency (for example, the Primary).
Only when the Primary server (the one with the best response time in this example) does not respond is the second configured server used.
If the latency is similar, the Primary server is used.

However, if the Primary server returns an error (i.e. Name not found), the FortiGate does not send the request to the Secondary server (the one with the second-best latency).
The latency to these servers often changes over time, so the server in use, and with it the resolution result, may differ.
As long as public servers with very similar DNS databases are used (allowing for records that have not yet been synchronized between them), there should be no problem. But if local DNS servers are used, make sure their name databases are identical (TIP: do not use one server for local domains and another server for public domains, because only one of them receives the queries).

In certain cases, such a split setup is known to appear to work.
This happens because the DNS response was cached on the FortiGate earlier and the client receives that cached response.
But when the DNS server in use (the one with the lowest latency) does not have an IP for the given domain, and that IP is also not present in the FortiGate's cache, a '504 DNS lookup error' is shown in the browser.
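To make the behaviour above concrete, here is an added Python model (not Fortinet code) of the selection rules this article describes: the lowest-latency server is asked, ties go to the Primary, only a non-responding server triggers failover, an error answer is returned without asking the other server, and a cached answer is served first. The server records and latencies are constructed sample data; inconsistent_names() is the consistency check the TIP calls for between two local servers.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional
NXDOMAIN = "NXDOMAIN"  # the server answered but has no record for the name

@dataclass
class DnsServer:
    latency_ms: float
    records: Dict[str, str]  # constructed zone data: qname -> IPv4
    reachable: bool = True

    def query(self, qname: str) -> Optional[str]:
        if not self.reachable:  # None models a timeout (no response at all)
            return None
        return self.records.get(qname, NXDOMAIN)

@dataclass
class FortiGateResolver:
    primary: DnsServer
    secondary: DnsServer
    cache: Dict[str, str] = field(default_factory=dict)
    def resolve(self, qname: str) -> Optional[str]:
        if qname in self.cache:  # a cached answer is served before any server is asked
            return self.cache[qname]
        # Lower latency is asked first; sorted() is stable, so a tie keeps the Primary first.
        for server in sorted((self.primary, self.secondary), key=lambda s: s.latency_ms):
            answer = server.query(qname)
            if answer is None:
                continue  # only a non-responding server triggers failover
            if answer != NXDOMAIN:
                self.cache[qname] = answer
            return answer  # an error answer is returned as-is, never retried elsewhere
        return None  # neither server responded

def inconsistent_names(a: DnsServer, b: DnsServer, names) -> List[str]:
    """Names the two servers answer differently: the check behind the TIP above."""
    return sorted(n for n in names if a.query(n) != b.query(n))

def split_setup_demo() -> Dict[str, object]:
    # Constructed split setup: Primary knows internal names, Secondary only public ones.
    internal = DnsServer(2.0, {"intranet.corp.example": "10.0.0.5"})
    public = DnsServer(1.0, {"www.example.com": "203.0.113.10"})
    fgt = FortiGateResolver(internal, public)
    out = {"cold": fgt.resolve("intranet.corp.example")}  # public is faster: NXDOMAIN
    public.latency_ms = 5.0  # latency flips, so internal is now preferred
    out["warm"] = fgt.resolve("intranet.corp.example")  # answered and cached
    public.latency_ms = 1.0  # flips back
    out["cached"] = fgt.resolve("intranet.corp.example")  # still works, from cache
    out["mismatch"] = inconsistent_names(internal, public, set(internal.records) | set(public.records))
    return out
```

The "cold" result is the 504 case from the article, "cached" is the case that appears to work only because of the FortiGate cache, and a non-empty "mismatch" list is the configuration the TIP warns against.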


Comments
sfernando
Staff

Hi Team,

Regarding the last paragraph of the article: can I know how the FortiGate can cache the DNS record if the DNS DB and DNS server are not configured? As per my understanding, DNS requests should be directed to the configured DNS servers without being cached.

Thanks

Supem ( sfernando)
