kcheng
Staff & Editor
June 2, 2026

Technical Tip: FortiGuard (96.45.45.45, 96.45.46.46) DNS over TLS not working on FortiOS v7.4.10/v7.4.11/v7.4.12


Description

This article describes an issue where FortiGuard DNS servers show as unreachable over DNS over TLS since 10:30 AM PDT on May 27 2026, along with the available workarounds.

Scope

 FortiOS v7.4.10/v7.4.11/v7.4.12.

Solution

The FortiOS versions listed above can be affected by the following symptom, where FortiGuard DNS servers show as unreachable when the DNS over TLS protocol is used:



The issue is currently under investigation, and the following workarounds can be applied:


Workaround 1: Change the DNS protocols to plaintext (UDP/53).

If UDP/53 is grayed out in the GUI, select 'Specify' in the DNS servers option. This will enable changing the DNS Protocols. Enable 'UDP/53' and select 'Apply.'

Alternatively, use the following CLI command:

```
config system dns
    set protocol cleartext
end
```


Workaround 2: Use other public DNS servers such as 8.8.8.8, 8.8.4.4, 1.1.1.1.


Workaround 3: Verify if the certificate bundle is on version 1.00064:

If the version matches, download the DigiCert High Assurance EV Root CA from the DigiCert portal and import it into the FortiGate trusted certificates: DigiCert Trusted Root Authority Certificates.

```
FGVMSLTM26004266 (global) (Interim)# diagnose autoupdate versions | grep "Certificate Bundle" -A 2
Certificate Bundle
---------
Version: 1.00064
```

If it still does not work, add the following configuration:

```
config system dns-database
    edit "1"
        set domain "digicert.com"
        config dns-entry
            edit 1
                set hostname "ocsp"
                set ip 23.11.32.159
            next
        end
    next
end
```


Workaround 4: Another possible workaround is to upgrade to 7.6.6/7.6.7, in which the FortiGuard SDNS servers are reachable over TLS (TCP/853).


    1 reply

    Rherra04
    Visitor II
    June 4, 2026

    I had to install the certificate and it worked. Thanks!

    RH