mattchow_FTNT
Staff
August 1, 2022

Technical Tip: High latency on FortiGuard DNS servers
Description

This article describes how to resolve high latency when a FortiGuard DNS server is used.
Scope

FortiGate.

Solution

From firmware v7.0 onwards, the 'Use FortiGuard Servers' DNS setting uses DNS over TLS (DoT) by default. Some sites will see high latency to the FortiGuard DNS servers over this protocol, or will be unable to reach them at all.

Note:

High latency or an unreachable state can occur because some well-known DNS servers do not support DNS over TLS, and some Internet Service Providers (ISPs) still handle only traditional, unencrypted DNS.

The DNS Protocols option will be greyed out in the GUI, as shown below:

[Screenshot: DNS Protocols option greyed out in the GUI while 'Use FortiGuard Servers' is selected]

To change the method used to reach FortiGuard DNS, for example from the default DNS over TLS (TCP/853) to cleartext DNS (UDP/53), use the following CLI commands:

config system dns
    set protocol cleartext    <----- Default is dot (DNS over TLS).
end

[Screenshot: DNS protocol changed to cleartext from the CLI]


Note:
The protocol can be changed via the GUI. Switch DNS servers from 'Use FortiGuard Servers' to 'Specify', and the DNS protocols option will be available to choose from.

[Screenshot: DNS protocol options available in the GUI after selecting 'Specify']

If required, the alternate FortiGuard DNS servers 208.91.112.53 and 208.91.112.52 can also be used. However, these offer no TLS/HTTPS support and accept only the cleartext DNS protocol.
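Before downgrading to cleartext, it is worth confirming that DNS over TLS really is the slow or blocked path from the site. The following Python script is an added example, not from the article or from Fortinet: it times one query over UDP/53 and one over TLS/853 against each server, so the cleartext-only alternates above should answer on UDP/53 and fail on TLS/853, while a DoT-capable server should answer on both. The query name and the DoT server address (take the real one from `show system dns` on the unit) are assumptions.

```python
import socket
import ssl
import struct
import time

# Constructed values: the cleartext-only alternates named in the article, and a
# placeholder for the DoT-capable FortiGuard server configured on the unit.
CLEARTEXT_ONLY = ["208.91.112.53", "208.91.112.52"]
DOT_SERVER = "203.0.113.10"  # assumption: replace with the address from 'show system dns'
QUERY_NAME = "example.com"   # assumption: any name the resolver will answer


def build_query(name, txid=0x1234):
    """Minimal DNS A/IN query in wire format, recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def frame_tcp(msg):
    """DNS over TCP and over TLS (RFC 7858) prefix every message with its 2-byte length."""
    return struct.pack("!H", len(msg)) + msg


def probe(server, name, dot, timeout=3.0):
    """Round-trip time in ms for one query, or None on timeout, refusal or TLS failure."""
    query = build_query(name)
    start = time.monotonic()
    try:
        if dot:
            ctx = ssl.create_default_context()
            ctx.check_hostname = False  # connecting by IP; the certificate chain is still verified
            with socket.create_connection((server, 853), timeout=timeout) as raw, \
                    ctx.wrap_socket(raw) as tls:
                tls.sendall(frame_tcp(query))
                rfile = tls.makefile("rb")
                answer = rfile.read(struct.unpack("!H", rfile.read(2))[0])
        else:
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
                udp.settimeout(timeout)
                udp.sendto(query, (server, 53))
                answer = udp.recv(512)
    except (OSError, struct.error):  # ssl.SSLError is an OSError subclass
        return None
    return (time.monotonic() - start) * 1000 if answer[:2] == query[:2] else None


if __name__ == "__main__":
    for server in [DOT_SERVER] + CLEARTEXT_ONLY:
        for dot in (True, False):
            rtt = probe(server, QUERY_NAME, dot)
            label = "unreachable" if rtt is None else f"{rtt:.1f} ms"
            print(f"{server:15} {'TLS/853' if dot else 'UDP/53':8} {label}")
```

A consistently high or missing TLS/853 result with a fast UDP/53 result points at the path or ISP rather than the FortiGate, and is the case where switching the protocol to cleartext trades DNS confidentiality for reachability.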