Technical Tip: Configure Multiple DNS Servers over TLS for Redundancy
Description
This article describes how to configure multiple DNS servers over TLS on FortiGate for DNS redundancy.
Using only one DNS provider may create a single point of failure. If that provider has an outage or connectivity issue, DNS resolution may be affected. FortiGate can be configured with multiple DNS servers from different providers using DNS over TLS (DoT).
When using different providers, the DoT hostname of each provider must be configured so that FortiGate can validate each DNS server's TLS certificate.
Scope
FortiGate v7.0.4 and later.
Solution
DNS over TLS uses TCP port 853 and encrypts DNS queries between FortiGate and the DNS resolver.
In this example, FortiGate is configured with three DNS providers (the servers and hostnames used in the configuration below):
| Provider | DNS Server | DoT Hostname |
|---|---|---|
| Fortinet DNS | 96.45.45.45 | globalsdns.fortinet.net |
| Google DNS | 8.8.8.8, 8.8.4.4 | dns.google |
| Cloudflare DNS | 1.1.1.2 | 1dot1dot1dot1.cloudflare-dns.com |
Configuration:
config system dns
    set primary 96.45.45.45
    set secondary 8.8.8.8
    set protocol dot
    set ssl-certificate Fortinet_Factory
    set server-hostname "globalsdns.fortinet.net" "dns.google" "1dot1dot1dot1.cloudflare-dns.com"
    set server-select-method least-rtt
    set alt-primary 1.1.1.2
    set alt-secondary 8.8.4.4
end
Important note:
When using DoT with multiple DNS providers, add the DoT hostname of every provider under 'server-hostname', for example:
set server-hostname "globalsdns.fortinet.net" "dns.google" "1dot1dot1dot1.cloudflare-dns.com"
If a provider's hostname is missing or incorrect, the TLS handshake to that server may fail because its certificate cannot be validated against the configured names.
Verification:
Run:
diagnose test application dnsproxy 3
Example output:
DNS servers:
96.45.45.45:853 vrf=0 tz=0 encrypt=dot req=7 to=3 res=4 rt=1 ready=1
8.8.8.8:853 vrf=0 tz=0 encrypt=dot req=9 to=1 res=8 rt=1 ready=1
ALT servers:
1.1.1.2:853 vrf=0 tz=0 encrypt=dot req=3 to=0 res=3 rt=1 ready=1
8.8.4.4:853 vrf=0 tz=0 encrypt=dot req=3 to=0 res=3 rt=1 ready=1
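As an added example (not part of the Fortinet article or of FortiOS), the following Python snippet parses the 'diagnose test application dnsproxy 3' output shown above and flags any server that is not negotiating DoT on port 853, is not ready, or is timing out too often. The sample text and the timeout threshold are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the dnsproxy output shown in the article.
SAMPLE_OUTPUT = """\
DNS servers:
96.45.45.45:853 vrf=0 tz=0 encrypt=dot req=7 to=3 res=4 rt=1 ready=1
8.8.8.8:853 vrf=0 tz=0 encrypt=dot req=9 to=1 res=8 rt=1 ready=1
ALT servers:
1.1.1.2:853 vrf=0 tz=0 encrypt=dot req=3 to=0 res=3 rt=1 ready=1
8.8.4.4:853 vrf=0 tz=0 encrypt=dot req=3 to=0 res=3 rt=1 ready=1
"""

LINE_RE = re.compile(r"^(?P<ip>[\d.]+):(?P<port>\d+)\s+(?P<kv>.*)$")


@dataclass
class DnsServer:
    ip: str
    port: int
    role: str      # "primary" (DNS servers section) or "alt" (ALT servers section)
    fields: dict   # key=value tokens from the line, numeric values converted to int


def parse_dnsproxy(output):
    """Turn dnsproxy status text into a list of DnsServer records."""
    servers, role = [], None
    for line in output.splitlines():
        line = line.strip()
        if line.endswith("servers:"):
            role = "alt" if line.upper().startswith("ALT") else "primary"
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        kv = dict(tok.split("=", 1) for tok in m["kv"].split())
        fields = {k: int(v) if v.isdigit() else v for k, v in kv.items()}
        servers.append(DnsServer(m["ip"], int(m["port"]), role, fields))
    return servers


def audit(servers, max_timeout_ratio=0.5):
    """Return one finding per problem; an empty list means every resolver looks healthy."""
    findings = []
    for s in servers:
        f = s.fields
        if f.get("encrypt") != "dot" or s.port != 853:
            findings.append(f"{s.ip}: not using DoT (encrypt={f.get('encrypt')}, port={s.port})")
        if f.get("ready") != 1:
            findings.append(f"{s.ip}: not ready (TLS handshake or reachability problem)")
        req, to = f.get("req", 0), f.get("to", 0)
        if req and to / req > max_timeout_ratio:
            findings.append(f"{s.ip}: {to}/{req} queries timed out")
    return findings
```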
Conclusion:
Multiple DNS servers over TLS improve DNS service redundancy. When using different DNS providers, always configure the correct DoT hostname for each provider to ensure successful TLS certificate validation.
Related documents:
DNS over TLS and HTTPS | FortiGate / FortiOS 7.0.0 | Fortinet Document Library
