If your FortiGate is configured to use the FortiGuard DNS servers and some DNS queries are not being resolved, the following explains what may be happening.
The consequences can be that FQDN address objects cannot be resolved, or that a configured mail server can no longer be reached.
You can double-check this behaviour from the CLI:
# exec ping <dns-name>
Unable to resolve the hostname.
The reason is that the FortiGuard DNS servers enforce EDNS compliance. EDNS stands for Extension Mechanisms for DNS (RFC 6891) and extends the DNS protocol by adding an OPT pseudo-record to queries, e.g. to signal larger UDP payload sizes; a resolver that enforces it will not work around authoritative servers that answer such queries with FORMERR, drop them, or ignore the OPT record (refer to the Wikipedia article on EDNS).
To check whether the authoritative servers of your domain are EDNS compliant, you can use the ISC EDNS Compliance Tester (https://ednscomp.isc.org/). Note that it is the domain you are trying to resolve that is tested, not the FortiGate.
EDNS compliance issues are usually caused by outdated DNS software on the authoritative servers, or by a firewall in front of them that drops or mangles DNS packets carrying an OPT record. Updating the DNS software on the authoritative servers (or fixing the firewall rules) should resolve the issue; if the domain is hosted by a third party, its operator has to do this.
As a temporary workaround, you can specify different DNS servers on your FortiGate. This only sidesteps the strict resolver; the domain remains non-compliant, and other resolvers that enforce EDNS will fail in the same way.
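The check behind an EDNS compliance test is simple enough to reproduce by hand: send the authoritative server a query that carries an OPT record and see whether it answers with an OPT record of its own, returns FORMERR, ignores the OPT record, or does not answer at all. The script below is an added example, not part of the original page or of ISC's tester; it builds and parses the wire format with the standard library only. The `fake_reply()` helper is a constructed stand-in for a server so the classification can be exercised offline; `probe()` does the real UDP exchange against a server of your choice.

```python
"""Minimal EDNS0 probe (RFC 6891): does a DNS server cope with an OPT record?
Added example; server addresses and domain names are given by the caller."""
import random
import socket
import struct

OPT_TYPE = 41    # TYPE value of the OPT pseudo-RR
QTYPE_SOA = 6
QCLASS_IN = 1


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=QTYPE_SOA, edns=True, udp_payload=1232, txid=None):
    """Standard query (RD set). With edns=True an OPT RR is appended to the
    additional section: name '.', TYPE 41, CLASS = UDP payload size,
    TTL = extended rcode / version / flags (all zero), no options."""
    if txid is None:
        txid = random.randint(0, 0xFFFF)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)
    packet = header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)
    if edns:
        packet += b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload, 0, 0)
    return packet


def skip_name(data, pos):
    """Return the offset just past a (possibly compressed) name starting at pos."""
    while True:
        length = data[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:        # compression pointer: 2 bytes, ends the name
            return pos + 2
        pos += 1 + length


def parse_response(data):
    """Extract what an EDNS check needs: rcode, TC bit and the OPT RR, if any."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    pos = 12
    for _ in range(qd):
        pos = skip_name(data, pos) + 4   # QTYPE + QCLASS
    result = {"txid": txid, "rcode": flags & 0xF, "tc": bool(flags & 0x0200),
              "has_opt": False, "edns_version": None, "ext_rcode": None}
    for _ in range(an + ns + ar):
        pos = skip_name(data, pos)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        pos += 10 + rdlen
        if rtype == OPT_TYPE:
            result["has_opt"] = True
            result["edns_version"] = (ttl >> 16) & 0xFF
            result["ext_rcode"] = ttl >> 24
    return result


def classify(resp):
    """Map the reply to an EDNS query onto the usual compliance verdicts."""
    if resp["rcode"] == 1:
        return "FORMERR: server rejects the OPT record (EDNS not implemented)"
    if resp["rcode"] != 0:
        return "RCODE %d" % resp["rcode"]
    if not resp["has_opt"]:
        return "OPT ignored: reply carries no OPT record (EDNS silently dropped)"
    if resp["edns_version"] != 0:
        return "EDNS version %d in reply (expected 0)" % resp["edns_version"]
    return "EDNS OK"


def probe(server, name, timeout=3.0):
    """Send the EDNS query over UDP/53 and classify the reply. No reply at all
    is the third common failure: a firewall dropping packets that carry OPT."""
    query = build_query(name)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(4096)
    except socket.timeout:
        return "no response: EDNS query dropped or timed out"
    finally:
        sock.close()
    resp = parse_response(data)
    if resp["txid"] != struct.unpack("!H", query[:2])[0]:
        return "transaction ID mismatch"
    return classify(resp)


def fake_reply(query, rcode=0, keep_opt=True):
    """Constructed reply for offline use: echoes the question back with QR set.
    keep_opt=False imitates a server that drops the 11-byte OPT RR from build_query."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", query[:12])
    flags = 0x8000 | (flags & 0x0100) | (rcode & 0xF)   # QR + RD + rcode
    body = query[12:]
    if not keep_opt:
        body, ar = body[:-11], 0
    return struct.pack("!HHHHHH", txid, flags, qd, an, ns, ar) + body


if __name__ == "__main__":
    import sys
    # usage: python edns_probe.py <authoritative-server-ip> <domain>
    print(probe(sys.argv[1], sys.argv[2]))
```

Run it against each authoritative name server of the affected domain (the NS records), not against a public resolver: a recursive resolver will answer fine even when the authoritative side is broken, because it is the one doing the working around. ISC's tester additionally sends queries with unknown EDNS versions, options and flags; this script only covers the basic "does an OPT record break the server" case.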
Freely available third-party DNS resolvers:

Public Provider | DNS1 IPv4 | DNS2 IPv4 | DNS1 IPv6 | DNS2 IPv6
--- | --- | --- | --- | ---
Google Public DNS | 8.8.8.8 | 8.8.4.4 | 2001:4860:4860::8888 | 2001:4860:4860::8844
Cisco Umbrella (OpenDNS) | 208.67.222.222 | 208.67.220.220 | 2620:119:35::35 | 2620:119:53::53
Cloudflare | 1.1.1.1 | 1.0.0.1 | 2606:4700:4700::1111 | 2606:4700:4700::1001
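Applying the workaround from the FortiGate CLI, as an added example that is not from the original page; it uses the Cloudflare resolvers from the table above, which is an arbitrary choice, and the `config system dns` / `get system dns` commands of FortiOS:

```text
# config system dns
    set primary 1.1.1.1
    set secondary 1.0.0.1
end

# get system dns
# exec ping <dns-name>
```

`get system dns` shows the active resolver settings so you can confirm the change took effect, and the ping that failed earlier is the quickest end-to-end check. Remember to switch back to the FortiGuard servers once the domain's authoritative servers have been fixed, since the FortiGuard resolvers are what provide FortiGuard DNS filtering.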