FortiGate
herzogk
Staff
Article Id 360126
Description: This article describes how to change the certificate that FortiOS presents to clients using DNS over TLS (DoT).
Scope: FortiOS v7.0, 7.2, 7.6.
Solution

For administrators using a FortiGate to proxy DNS over TLS (DoT) requests, it may be necessary to change the certificate FortiOS presents to clients, since clients may be configured to validate it.

 

Example Standard Configuration:

 

config system dns
    set primary 8.8.8.8
    set secondary 1.1.1.1
    set protocol cleartext dot
    set ssl-certificate "custom-certificate"
end

 

Note that 'ssl-certificate' is only used by FortiOS as the client certificate when it communicates with the upstream DNS server. It does not change the certificate presented to clients when the FortiGate acts as a DNS proxy.

This can be verified with openssl. Assuming an interface is listening for DNS requests on the address 10.1.1.1:

 

user@server:~ $ openssl s_client 10.1.1.1:853
CONNECTED(00000003)
Can't use SSL_get_servername
depth=1 C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = support, emailAddress = support@fortinet.com
verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=1 C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = support, emailAddress = support@fortinet.com
verify return:1
depth=0 C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = FortiGate, CN = FGT61ETK11224433, emailAddress = support@fortinet.com
verify return:1

.....

 

The correct setting to change is 'ssl-cert' under 'config web-proxy global':

config web-proxy global -> ssl-cert.

 

FortiGate (global) # show
config web-proxy global
    set ssl-cert "custom-certificate" <-----
end

 

After this modification, the change can be validated:

 

user@server:~ $ openssl s_client 10.1.1.1:853
CONNECTED(00000003)
Can't use SSL_get_servername
depth=1 C = DE, ST = Hessen, L = Frankfurt, CN = customer-cert.com
verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=1 C = DE, ST = Hessen, L = Frankfurt, CN = customer-cert.com
verify return:1
depth=0 C = DE, ST = Hessen, L = Frankfurt,  CN = customer-cert.com
verify return:1
---
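As an added example (not from the article or from Fortinet), a small Python helper that parses the verification lines openssl s_client prints, as shown above, and reports whether the listener on TCP/853 still presents the factory FortiGate certificate (O = Fortinet, OU = FortiGate) or the expected custom one. The probe_dot function, the host, the expected CN and the factory-certificate heuristic are assumptions; the sample output strings are taken from the before/after output in this article.

```python
import re
import subprocess

DEPTH_RE = re.compile(r"^depth=(\d+)\s+(.*)$")

def parse_dn(dn_text):
    """'C = US, ST = California, CN = x' -> {'C': 'US', ...}. Naive split on commas."""
    attrs = {}
    for part in dn_text.split(","):
        key, sep, value = part.partition("=")
        if sep:
            attrs[key.strip()] = value.strip()
    return attrs

def parse_chain(s_client_output):
    """Map depth -> DN dict from the 'depth=N ...' verify-callback lines (depth 0 = leaf)."""
    chain = {}
    for line in s_client_output.splitlines():
        m = DEPTH_RE.match(line.strip())
        if m:
            chain[int(m.group(1))] = parse_dn(m.group(2))
    return chain

def assess_leaf(chain, expected_cn):
    """Classify the presented leaf: factory FortiGate cert, the expected custom cert, or other."""
    leaf = chain.get(0)
    if leaf is None:
        return "no-certificate"
    if leaf.get("O") == "Fortinet" and leaf.get("OU") == "FortiGate":
        return "factory-default"  # heuristic (assumption): web-proxy global ssl-cert not applied
    if leaf.get("CN") == expected_cn:
        return "custom"
    return "unexpected"

def probe_dot(host, expected_cn, port=853):
    """Live check (assumed helper): needs the openssl binary and network reach to the FortiGate."""
    proc = subprocess.run(["openssl", "s_client", "-connect", f"{host}:{port}"],
                          input="", capture_output=True, text=True, timeout=15)
    return assess_leaf(parse_chain(proc.stdout + proc.stderr), expected_cn)

# Constructed samples: the depth lines from the article's before/after s_client output.
FACTORY_OUTPUT = """depth=1 C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = support, emailAddress = support@fortinet.com
depth=0 C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = FortiGate, CN = FGT61ETK11224433, emailAddress = support@fortinet.com
verify return:1
"""
CUSTOM_OUTPUT = """depth=1 C = DE, ST = Hessen, L = Frankfurt, CN = customer-cert.com
depth=0 C = DE, ST = Hessen, L = Frankfurt,  CN = customer-cert.com
verify return:1
"""
```

Running probe_dot("10.1.1.1", "customer-cert.com") before and after the web-proxy change should move the result from "factory-default" to "custom".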

 

Note:

config web-proxy global -> ssl-cert.

This certificate is shared with the certificate FortiOS presents for the authentication portal. There is no separate certificate setting for DoT at this time; this may change in a future release.