Technical Tip: Changing the DNS protocol used by FortiGate to initiate DNS requests
| Description | This article describes how to change the DNS protocol FortiGate uses to initiate DNS requests. |
| Scope | FortiGate. |
| Solution | DNS over TLS (DoT) is a security protocol that encrypts and encapsulates DNS requests and responses using TLS. DoT protects user privacy and security by preventing eavesdropping on, and man-in-the-middle modification of, DNS data. DNS over HTTPS (DoH) is a similar mechanism that provides DNS resolution over a secure HTTPS connection. DoT and DoH are supported explicitly, with the FortiGate acting as an explicit DNS server listening for DoT and DoH queries. Local-out DNS traffic is also supported over TLS and HTTPS. |

The clear-text protocol uses DNS over UDP port 53 and DNS over TCP port 53. Requests and responses are sent as plain text: they are not encrypted and are not intended to be encrypted in transit.

To configure the DNS protocol in the CLI, run the following (the three values accepted by `set protocol` are listed with their descriptions):

```
config system dns
(dns) # set protocol
    cleartext    DNS over UDP/53, DNS over TCP/53.
    dot          DNS over TLS/853.
    doh          DNS over HTTPS/443.
end
```

DNS configuration in the GUI:

Note:
ssl-certificate = Name of the local certificate used for SSL connections.
server-hostname = DNS server hostname list.

If the DNS server does not support the selected protocol, it drops those DNS packets. The latency status of the DNS servers may then appear high, and the servers may sometimes show as unreachable. DoT and DoH are TLS-based, so set server-hostname to match the name in the DNS server's certificate (even when the server is configured by IP address), and verify that the FortiGate can reach the resolver on TCP/853 (DoT) or TCP/443 (DoH) and that the upstream resolver actually supports that protocol.

Related documents:
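The following is an added example, not Fortinet's code or part of this article: a small Python checker that does what the FortiGate does when `protocol` is `dot`, namely opening a verified TLS session to the resolver on TCP/853 with the configured server-hostname as SNI and certificate name, then sending a length-prefixed DNS query (RFC 7858 framing). It assumes placeholder resolver values; the `check_dot_resolver` call needs network access, while the query builder and response parser run offline.

```python
import random
import socket
import ssl
import struct

def build_query(name, qtype=1):
    """Minimal DNS query (RFC 1035): header with RD=1 plus one IN-class question."""
    header = struct.pack("!HHHHHH", random.randint(0, 0xFFFF), 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def dot_frame(msg):
    """DoT reuses DNS-over-TCP framing (RFC 7858): 2-byte big-endian length prefix."""
    return struct.pack("!H", len(msg)) + msg

def skip_name(buf, off):
    """Advance past a possibly compressed domain name; return the new offset."""
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:          # compression pointer ends the name
            return off + 2
        off += 1 + length
        if length == 0:
            return off

def parse_a_records(resp):
    """Return (rcode, [IPv4 strings]) from a DNS response message."""
    flags, qd, an = struct.unpack("!HHH", resp[2:8])
    off = 12
    for _ in range(qd):
        off = skip_name(resp, off) + 4     # skip QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = skip_name(resp, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:      # A record
            addrs.append(".".join(str(b) for b in resp[off:off + 4]))
        off += rdlen
    return flags & 0x000F, addrs

def check_dot_resolver(server_ip, server_hostname, name="example.com", timeout=5):
    """Query `name` over DoT; fails if the cert does not match server_hostname or 853 is closed."""
    ctx = ssl.create_default_context()     # verifies chain and hostname, as FortiGate does
    with socket.create_connection((server_ip, 853), timeout=timeout) as raw, \
         ctx.wrap_socket(raw, server_hostname=server_hostname) as tls:
        tls.sendall(dot_frame(build_query(name)))
        rfile = tls.makefile("rb")         # buffered reads return exactly n bytes
        resp = rfile.read(struct.unpack("!H", rfile.read(2))[0])
    return parse_a_records(resp)

# Placeholder values (assumption): replace with your resolver's IP and certificate name.
# print(check_dot_resolver("192.0.2.53", "dns.example.invalid"))
```

A TLS handshake failure here means the resolver either does not speak DoT on 853 or presents a certificate whose name differs from server-hostname, which is the same mismatch that makes the FortiGate report the server as high-latency or unreachable.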
