Cybersecurity Forum

This forum is for all security enthusiasts to discuss Fortinet's latest & evolving technologies and to connect & network with peers in the cybersecurity hemisphere. Share and learn on a broad range of topics like best practices, use cases, integrations and more. For support specific questions/resources, please visit the Support Forum or the Knowledge Base.


DNS over TLS (DoT) on the Fortigate

Manny Fernandez

I recently wrote an article about the difference between DNS over HTTPS and DNS over TLS and the differences between the two.   Now as promised, I will show how to configure DoT.  Lets get started.

Requirements: FortiOS 6.2x

As stated above, you require 6.2x to configure this feature.


Here we can see the DNS over TLS is disabled, which is the default.


Here we can see a packet capture showing a standard DNS query.  As you see this traffic is UDP 53.


In the screenshot above, we can see that this is set up in Enforce mode which is Strict mode.  You will need to choose the certificate you want to use from the drop down.


With the Enable option here,  this is actually opportunistic mode.  In this mode, the client will attempt to make a TLS connection on port 853 and if it fails, it will fall back to the standard UDP 53.


Here you can see the packet capture after turning on DoT.  Notice it is using TCP and is using port 853.

DoH Blocking

If you want to block DNS over HTTPS, Fortinet has a application signature for it.

2019-11-19_22-46-10.pngCopy Link


Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.