MigenaM (Staff)
February 5, 2026

Technical Tip: Encryption modes for FortiGuard SDNS servers

Description: This article describes the different encryption modes for FortiGuard SDNS servers and the configuration change needed to switch between them.
Scope: FortiGate, SDNS servers.
Solution

Two scenarios need to be considered when changing the encryption mode of the FortiGuard SDNS servers.

  • In scenario 1, the configuration under FortiGuard is as follows:

show full-configuration system fortiguard
config system fortiguard
    set fortiguard-anycast disable
    set protocol https
    set port 443

    ...........

    set sdns-server-ip "96.45.45.45"
    set sdns-server-port 853

The resulting behavior, as shown by the DNS proxy diagnostic, is:

diagnose test application dnsproxy 3
worker idx: 0
VDOM: root, index=0, is primary, vdom dns is enabled, pip-0.0.0.0 dns_log=1
dns64 is disabled
DNS servers:
96.45.45.45:53 vrf=0 tz=0 encrypt=none req=5325 to=169 res=5066 rt=27 ready=1 timer=0 probe=0 failure=0 last_failed=0
96.45.46.46:53 vrf=0 tz=0 encrypt=none req=10451 to=131 res=10294 rt=9 ready=1 timer=0 probe=0 failure=0 last_failed=0
SDNS servers:
96.45.45.45:853 vrf=0 tz=-480 encrypt=none req=0 to=0 res=0 rt=0 ready=1 timer=8 probe=3 failure=0 last_failed=0

In the output above, the SDNS server entry shows encrypt=none, so queries to 96.45.45.45:853 are sent in cleartext.

This is the expected behavior when fortiguard-anycast is disabled.

  • In scenario 2, the configuration under FortiGuard is as follows:

show full-configuration system fortiguard
config system fortiguard
    set fortiguard-anycast enable
    set fortiguard-anycast-source fortinet
    ...........
    set anycast-sdns-server-ip 0.0.0.0
    set anycast-sdns-server-port 853

With anycast enabled, the encryption for the SDNS servers is now DoT (DNS over TLS):

diagnose test application dnsproxy 3
worker idx: 0
VDOM: root, index=0, is primary, vdom dns is enabled, pip-0.0.0.0 dns_log=1
dns64 is disabled
DNS servers:
96.45.45.45:53 vrf=0 tz=0 encrypt=none req=5308 to=169 res=5049 rt=19 ready=1 timer=0 probe=0 failure=0 last_failed=0
96.45.46.46:53 vrf=0 tz=0 encrypt=none req=10438 to=131 res=10281 rt=20 ready=1 timer=0 probe=0 failure=0 last_failed=0
SDNS servers:
173.243.140.53:853 vrf=0 tz=-480 encrypt=dot req=1 to=0 res=1 rt=1 ready=1 timer=0 probe=0 failure=0 last_failed=0
139.138.105.53:853 vrf=0 tz=-480 encrypt=dot req=0 to=0 res=0 rt=3 ready=1 timer=0 probe=0 failure=0 last_failed=0
ALT servers:

In this scenario, anycast is enabled and the SDNS traffic is encrypted with DoT.

In conclusion, to use DoT encryption for the SDNS servers, 'set fortiguard-anycast enable' is required together with 'set anycast-sdns-server-port 853'; with anycast disabled, the SDNS queries are sent in cleartext even though port 853 is configured.
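As an added example (not part of this article and not a Fortinet tool), the following Python parses the 'diagnose test application dnsproxy 3' output shown above and lists every SDNS server whose queries are not DoT-encrypted, which gives a quick check that the anycast change actually took effect. The two sample outputs are copied from the scenarios above; the section names ('DNS', 'SDNS', 'ALT') are taken from the "... servers:" header lines of that output.

```python
import re

# Constructed samples, copied from the two 'diagnose test application dnsproxy 3'
# outputs above (scenario 1: anycast disabled; scenario 2: anycast enabled).
SCENARIO1 = """\
worker idx: 0
dns64 is disabled
DNS servers:
96.45.45.45:53 vrf=0 tz=0 encrypt=none req=5325 to=169 res=5066 rt=27 ready=1 timer=0 probe=0 failure=0 last_failed=0
SDNS servers:
96.45.45.45:853 vrf=0 tz=-480 encrypt=none req=0 to=0 res=0 rt=0 ready=1 timer=8 probe=3 failure=0 last_failed=0
"""
SCENARIO2 = """\
DNS servers:
96.45.45.45:53 vrf=0 tz=0 encrypt=none req=5308 to=169 res=5049 rt=19 ready=1 timer=0 probe=0 failure=0 last_failed=0
SDNS servers:
173.243.140.53:853 vrf=0 tz=-480 encrypt=dot req=1 to=0 res=1 rt=1 ready=1 timer=0 probe=0 failure=0 last_failed=0
139.138.105.53:853 vrf=0 tz=-480 encrypt=dot req=0 to=0 res=0 rt=3 ready=1 timer=0 probe=0 failure=0 last_failed=0
ALT servers:
"""

# One server line: "<ip>:<port> key=value key=value ..."
SERVER_RE = re.compile(r"^(?P<ip>[\d.]+):(?P<port>\d+)\s+(?P<kv>.*)$")

def parse_dnsproxy(output):
    """Parse the output into {section: [server dict, ...]}, e.g. section 'SDNS'."""
    sections, current = {}, None
    for line in output.splitlines():
        line = line.strip()
        if line.endswith("servers:"):            # "DNS servers:", "SDNS servers:", "ALT servers:"
            current = line[: -len("servers:")].strip()
            sections[current] = []
            continue
        m = SERVER_RE.match(line)
        if current is None or not m:             # worker/VDOM/dns64 header lines are skipped
            continue
        entry = {"ip": m["ip"], "port": int(m["port"])}
        for item in m["kv"].split():             # vrf=0 tz=-480 encrypt=dot ...
            key, _, value = item.partition("=")
            entry[key] = value
        sections[current].append(entry)
    return sections

def cleartext_sdns(output):
    """Return (ip, port, encrypt) for every SDNS server whose queries are not DoT."""
    return [(s["ip"], s["port"], s.get("encrypt", "none"))
            for s in parse_dnsproxy(output).get("SDNS", [])
            if s.get("encrypt") != "dot"]
```

Paste the live diagnostic output into cleartext_sdns(); an empty list means every SDNS server is using DoT, anything else is an SDNS server still querying in cleartext.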

 

Additional useful diagnostics

View the current anycast and SDNS settings:

get system fortiguard

Show FortiGuard rating server connectivity and the resolved SDNS IPs:

diagnose debug rating

For deeper DNS proxy/SDNS query debugging:

diagnose debug application dnsproxy -1
diagnose debug enable

To stop debugging:

diagnose debug disable