DNS filtering is a nice security feature from Fortinet, provided of course that it works.
As you can see in the screenshot below, the Fortiguard Rating servers are unreachable.
Chances are, if you are running a small network or a home lab that your are using your Fortigate as a DNS server too and, since you are security oriented, you have enabled DNS filtering on your interfaces, apart from enabling filtering on your Firewall Rules.
Starting from FortiOS v6.4, Fortinet introduced a feature called FortiGuard anycast to communicate with the servers. While in principle it is a good idea the result is that very often the FortiGuard servers are unreachable.
And if you have configured your Fortigate as your DNS, with DNS filtering on the interface, then you might end up with users complaining that they need to refresh two or three times before they can access a web site.
The solution to that is to disable the FortiGuard anycast feature.
To do that we need to go to CLI and check the configuration:
config system fortiguard
as you can see the feature is enabled. Let’s disable it.
set fortiguard-anycast disable
Also it is a good idea to set the port to UDP 8888 which is the default port the fortiguard servers and set the closest fortiguard server.
set protocol udp set port 8888 set sdns-server-ip "126.96.36.199"
You might want to set another fortiguard server, depending on your location.