esalija
Staff
February 18, 2026

Troubleshooting Tip: DNS unreachable when configured with DNS over TLS on FortiGate after upgrade to v7.4.10

Description

This article describes a situation where DNS is unreachable on the FortiGate firewall when it is configured with DNS over TLS, resulting in complete network downtime. The issue has been occurring after upgrading to v7.4.10 and v7.4.11.

Scope

FortiGate.
Solution

To troubleshoot the DNS unreachable issue on the FortiGate, follow these steps:

Go to Network -> DNS and verify that the DNS settings are correctly configured.

Run the following commands to diagnose the DNS issue:

diagnose debug disable
diagnose debug reset
diagnose debug console time enable
diagnose debug application dnsproxy -1
diagnose debug enable
execute ping service.fortiguard.net

Sample output:

2026-03-30 12:08:26 [worker 0] dns_local_lookup_common()-2575: vfid=1, real_vfid=1, view=2, qname=service.fortiguard.net, qtype=1, qclass=1, offset=40, map#=3 max_sz=512
2026-03-30 12:08:26 [worker 0] dns_lookup_aa_zone()-608: vfid=1, fqdn=service.fortiguard.net
2026-03-30 12:08:26 [worker 0] dns_send_request()-1492
2026-03-30 12:08:26 [worker 0] dns_send_resol_request()-1346: orig id: 0x0000 local id: 0x80fe domain=service.fortiguard.net
2026-03-30 12:08:26 [worker 0] dns_find_best_server()-652: found server: 96.45.46.46 (vfid=1 vrf=0)
2026-03-30 12:08:26 [worker 0] unix_receive_request_stub()-3545
2026-03-30 12:08:26 [worker 0] dns_unix_stream_packet_write()-287: vfid=1 real_vfid=1 vrf=0 id=0x80fe domain=service.fortiguard.net req_type=1 req=1
2026-03-30 12:08:26 [worker 0] dns_unix_stream_packet_write()-309: type=10 len=43 session_id=33022 flags=0
2026-03-30 12:08:26 [worker 0] dns_unix_stream_packet_read()-425: type=4 len=233 session_id=0 flags=0 dnsproxy_local_id==0x0000
2026-03-30 12:08:26 [worker 0] handle_unix_response()-110
2026-03-30 12:08:26 [worker 0] dns_query_handle_response()-2824: vfid=1 real_vfid=1 vrf=0 id=0x80fe domain=service.fortiguard.net pktlen=233
2026-03-30 12:08:26 [worker 0] dns_query_save_response()-2757: domain=service.fortiguard.net pktlen=233
2026-03-30 12:08:26 [worker 0] dns_set_min_ttl()-190: QR: service.fortiguard.net
Check the DNS server IP addresses and ensure they are reachable.
execute ping <IP_address>
Verify the DNS latency via CLI using the following command:
diagnose test application dnsproxy 2

    ........

    DNS latency info:

    vfid=0 server=96.45.46.46 latency=1 updated=130
    vfid=0 server=8.8.8.8 latency=2 updated=1566
If the issue persists, restart the DNS service.
execute dns service restart
Changing from DNS over TLS to plaintext DNS is a valid workaround.

config system dns
    set primary 96.45.45.45
    set secondary 96.45.46.46
    set protocol cleartext
    set server-hostname "globalsdns.fortinet.net"
end

The symptom of this reported issue is that DNS over TLS does not work after the upgrade to v7.4.10 or v7.4.11. This known issue is scheduled to be fixed in v7.4.12.
Note: This only affects system DNS traffic originating from the FortiGate itself. If a DNS issue is present from users behind the FortiGate, it would be best to open a technical ticket for further troubleshooting.
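As an added example (not part of the Fortinet article), the following Python script parses constructed samples written in the format of the dnsproxy debug trace and the `diagnose test application dnsproxy 2` latency output shown above. It pairs each outgoing query with its response by local id, so a query that never receives a `dns_query_handle_response` line, the symptom described here, stands out; the second query in the sample is constructed to show that case.

```python
import re

# Constructed sample in the format of 'diagnose debug application dnsproxy -1'.
# The first query is answered; the second (example.com) never gets a response.
DEBUG_TRACE = """\
2026-03-30 12:08:26 [worker 0] dns_send_resol_request()-1346: orig id: 0x0000 local id: 0x80fe domain=service.fortiguard.net
2026-03-30 12:08:26 [worker 0] dns_find_best_server()-652: found server: 96.45.46.46 (vfid=1 vrf=0)
2026-03-30 12:08:26 [worker 0] dns_query_handle_response()-2824: vfid=1 real_vfid=1 vrf=0 id=0x80fe domain=service.fortiguard.net pktlen=233
2026-03-30 12:08:31 [worker 0] dns_send_resol_request()-1346: orig id: 0x0000 local id: 0x81aa domain=example.com
2026-03-30 12:08:31 [worker 0] dns_find_best_server()-652: found server: 96.45.45.45 (vfid=1 vrf=0)
"""

# Constructed sample in the format of 'diagnose test application dnsproxy 2'.
LATENCY_OUTPUT = """\
DNS latency info:
vfid=0 server=96.45.46.46 latency=1 updated=130
vfid=0 server=8.8.8.8 latency=2 updated=1566
"""

SEND_RE = re.compile(r"dns_send_resol_request\(\).*local id: (0x[0-9a-f]+) domain=(\S+)")
SERVER_RE = re.compile(r"dns_find_best_server\(\).*found server: (\S+) ")
RESP_RE = re.compile(r"dns_query_handle_response\(\).*id=(0x[0-9a-f]+) domain=(\S+) pktlen=(\d+)")
LAT_RE = re.compile(r"vfid=(\d+) server=(\S+) latency=(\d+) updated=(\d+)")


def parse_trace(text):
    """Return one record per outgoing query: which server was chosen and whether a reply came back."""
    queries, pending = {}, None
    for line in text.splitlines():
        if m := SEND_RE.search(line):
            pending = {"id": m[1], "domain": m[2], "server": None, "answered": False, "pktlen": 0}
            queries[m[1]] = pending
        elif (m := SERVER_RE.search(line)) and pending:
            pending["server"] = m[1]          # server picked for the most recent query
        elif (m := RESP_RE.search(line)) and m[1] in queries:
            queries[m[1]].update(answered=True, pktlen=int(m[3]))
    return list(queries.values())


def unanswered(records):
    """Domains whose query was sent but never answered (the failure mode this article describes)."""
    return [r["domain"] for r in records if not r["answered"]]


def parse_latency(text):
    """Return one record per 'vfid=... server=... latency=... updated=...' line."""
    return [{"vfid": int(v), "server": s, "latency": int(l), "updated": int(u)}
            for v, s, l, u in LAT_RE.findall(text)]


if __name__ == "__main__":
    print("unanswered queries:", unanswered(parse_trace(DEBUG_TRACE)))
    print("latency per server:", parse_latency(LATENCY_OUTPUT))
```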
Related articles:

Technical Tip: Clarifying differences between 'diagnose test application dnsproxy 2' information in the CLI and the GUI

Technical Tip: FortiGate Troubleshooting DNS commands

Troubleshooting Tip: DNS rating error occurs (no available FortiGuard SDNS servers)

Technical Tip: DNS server on FortiGate caused FortiGate DNS latency

4 replies

ram17
Explorer II
June 1, 2026

The command “execute dns service restart” does not exist in either version.

JNO
June 1, 2026

We have a problem with DoT not working, I think it actually started with the 7.4.12 update. The underlying issue is the FortiGate does not have the “DigiCert High Assurance EV Root CA” certificate in its trusted store, which is what the certificate chain for globalsdns.fortinet.net is signed with - just download the cert from DigiCert (https://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt) and import the file as a CA Certificate and things will work again.

Spawn
Visitor III
June 8, 2026

This worked for me. Thanks for sharing mate!

dve
New Member
June 2, 2026

The same issue on 7.4.12; after changing the protocol from DoT to cleartext, it solved the issue.

JNO
June 2, 2026

I logged a ticket with Fortinet support, it’ll be fixed in an upcoming release (no version cited).

Looks like they have an additional 2 workarounds for this issue cited at https://community.fortinet.com/fortigate-3/technical-tip-fortiguard-96-45-45-45-96-45-46-46-dns-over-tls-not-working-on-fortios-v7-4-10-v7-4-11-v7-4-12-227907