Fortigate firewalls do inspect the data stream. This is also true for DNS (Domain Name System).
Sometimes you will see the error “Deny: DNS error” in the logs.
A closer look at the log entry shows the following:
First of all, in both cases the detailed logs show “failed-connection” in the fields threat and threattype. This is highly misleading.
Fortigate does inspect the DNS flow. The error “Deny: DNS error” means that the response came back with a response code other than “NOERROR” set in its flags.
If there were a real connection problem, the error would be “Deny: IP connection error”. This means a packet was sent to the server, but the Fortigate never saw a response.
In simple words:
“Deny: DNS error“: A response comes back from the DNS server. The Fortigate interprets the content of the answer as faulty.
“Deny: IP connection error“: In this case a packet was sent to the server, but a response has never been seen by the Fortigate.
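The distinction above comes down to the RCODE field in the DNS header (the low four bits of the flags word, RFC 1035). The following is an added example, not code from the original post or from Fortinet: it decodes the header of a constructed DNS reply and maps the result onto the two verdicts described above; treating a missing reply (`None`) as the “IP connection error” case is an assumption made for illustration.

```python
import struct
from typing import Optional

# RFC 1035 response codes carried in the low four bits of the DNS flags word
RCODE_NAMES = {
    0: "NOERROR",
    1: "FORMERR",
    2: "SERVFAIL",
    3: "NXDOMAIN",
    4: "NOTIMP",
    5: "REFUSED",
}


def parse_dns_header(packet: bytes) -> dict:
    """Decode the 12-byte DNS header: transaction id, QR bit, opcode and RCODE."""
    if len(packet) < 12:
        raise ValueError("packet shorter than a DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {
        "id": txid,
        "is_response": bool(flags & 0x8000),  # QR bit: 1 = response
        "opcode": (flags >> 11) & 0xF,
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify_dns_reply(packet: Optional[bytes]) -> str:
    """Map a reply (or its absence) onto the two verdicts the post describes.
    None models 'the firewall never saw a response' (constructed assumption)."""
    if packet is None:
        return "Deny: IP connection error"
    hdr = parse_dns_header(packet)
    if not hdr["is_response"]:
        return "not a response"
    if hdr["rcode"] == 0:
        return "NOERROR (allowed)"
    name = RCODE_NAMES.get(hdr["rcode"], f"RCODE{hdr['rcode']}")
    return f"Deny: DNS error ({name})"


def build_reply(txid: int, rcode: int) -> bytes:
    """Construct a minimal DNS response header with the given RCODE (sample data only,
    no question or answer sections)."""
    flags = 0x8000 | 0x0100 | 0x0080 | (rcode & 0xF)  # QR=1, RD=1, RA=1
    return struct.pack("!HHHHHH", txid, flags, 0, 0, 0, 0)
```

Feeding a captured reply into `classify_dns_reply` tells you which RCODE the server actually returned, which the firewall log alone does not reveal.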
A knowledge base article exists to clarify this subject: https://kb.fortinet.com/kb/documentLink.do?externalID=FD39982