FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 228961
Description: This article describes how to change the DNS protocol (cleartext, DNS over TLS or DNS over HTTPS) that the FortiGate uses for its own DNS requests.
Scope: FortiOS.
DNS over TLS (DoT) encrypts DNS queries and responses by carrying them inside a TLS session (TCP port 853). It protects privacy and integrity on the path between the client and the resolver: an on-path (man-in-the-middle) attacker can neither read the queries nor modify the answers. It does not hide the queries from the resolver itself, so the resolver still has to be one you trust.

DNS over HTTPS (DoH) provides the same encrypted resolution over an HTTPS connection (TCP port 443), so at the transport level the DNS traffic looks like ordinary web traffic.
FortiGate supports DoT and DoH explicitly in two roles: as an explicit DNS server that listens for DoT and DoH queries from clients, and for its own local-out DNS traffic, which can be sent over TLS or HTTPS. This article covers the second role.
The cleartext protocol uses DNS over UDP port 53 and DNS over TCP port 53.
Queries and responses travel unencrypted, so anyone on the path can read them or alter the answers.

To select the DNS protocol in the CLI, run the following (FortiOS CLI keywords are lower case):
    config system dns
        set protocol {cleartext | dot | doh}
    end
More than one value may be given, separated by spaces (for example, set protocol cleartext dot). The values are:
    cleartext   DNS over UDP/53 and DNS over TCP/53.
    dot         DNS over TLS, TCP/853.
    doh         DNS over HTTPS, TCP/443.
DNS configuration in the GUI (the same protocol options are shown under Network > DNS; screenshot not reproduced here).

- All three protocol options can be enabled together.
- At least one protocol must be selected.
- Selecting DoT or DoH makes two further settings available:
      ssl-certificate = name of the local certificate the FortiGate uses for the TLS connection.
      server-hostname = DNS server host name list, i.e. the host name(s) of the resolver used for the TLS connection.
- Before enabling DoT or DoH, confirm that the DNS servers currently configured actually support those protocols. A server that does not will not answer on TCP/853 or HTTPS/443, so the FortiGate's DNS requests are simply dropped and name resolution on the FortiGate itself (FortiGuard updates, FQDN objects, logging to named hosts) fails. The symptom is that the latency shown for the DNS servers in the GUI climbs and the servers are at times reported unreachable; the same status can be dumped from the CLI with diagnose test application dnsproxy 3.
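Because the last point above comes down to checking resolver support before touching set protocol, here is an added example (not from this article and not Fortinet code) of a small stand-alone probe run from an administrator's workstation. It sends a real DNS query to a resolver over DoT (TLS on TCP/853 with the 2-byte length prefix used for DNS over TCP) and over DoH (RFC 8484 POST of an application/dns-message body), validates the resolver's certificate against the host name you would later give to set server-hostname, and parses the answer, so the outcome is known before the FortiGate is reconfigured. The resolver IP, TLS host name, DoH URL and queried name are assumptions supplied on the command line; constructed_response builds a sample answer only so the parser can be exercised offline.

```python
"""Probe a resolver for DoT and DoH support before enabling them on a FortiGate.

Added example, not FortiOS/Fortinet code. Assumed for illustration: resolver IP,
TLS host name and DoH URL come from the command line; the query name is arbitrary.
"""
import secrets
import socket
import ssl
import struct
import sys
import urllib.request


def build_query(name, qtype=1, txid=None):
    """Build a minimal DNS query: one IN question, RD=1 (RFC 1035 wire format)."""
    if txid is None:
        txid = secrets.randbits(16)          # random ID so a reply cannot be forged blindly
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:            # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(msg, expected_txid=None):
    """Parse header and answer section; return rcode, answer count and A records."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction ID mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4       # skip QTYPE and QCLASS
    a_records = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            a_records.append(".".join(str(b) for b in rdata))
    return {"rcode": flags & 0x000F, "answers": ancount, "a_records": a_records}


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("resolver closed the connection")
        buf += chunk
    return buf


def check_dot(server_ip, server_hostname, name="example.com", timeout=5.0):
    """DoT (RFC 7858): TLS to TCP/853, then DNS-over-TCP framing (2-byte length).
    The certificate is validated against server_hostname, the name that would go
    into `set server-hostname` on the FortiGate."""
    query = build_query(name)
    txid = struct.unpack("!H", query[:2])[0]
    ctx = ssl.create_default_context()
    with socket.create_connection((server_ip, 853), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_hostname) as tls:
            tls.sendall(struct.pack("!H", len(query)) + query)
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            return parse_response(_recv_exact(tls, length), txid)


def check_doh(url, name="example.com", timeout=5.0):
    """DoH (RFC 8484): POST the wire-format query as application/dns-message."""
    query = build_query(name)
    txid = struct.unpack("!H", query[:2])[0]
    req = urllib.request.Request(url, data=query, method="POST", headers={
        "Content-Type": "application/dns-message",
        "Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_response(resp.read(), txid)


def constructed_response(query, ip):
    """Constructed offline sample: answer `query` with one A record `ip`
    (flags 0x8180 = QR, RD, RA, NOERROR; owner name is a pointer to the question)."""
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(o) for o in ip.split("."))
    return header + query[12:] + answer


if __name__ == "__main__":
    # usage: python3 dns_probe.py <resolver-ip> <tls-hostname> [doh-url]
    ip, host = sys.argv[1], sys.argv[2]
    try:
        print("DoT:", check_dot(ip, host))
    except (OSError, ValueError) as e:        # ssl.SSLError and URLError are OSError subclasses
        print("DoT failed, do not enable `set protocol dot` for this server:", e)
    if len(sys.argv) > 3:
        try:
            print("DoH:", check_doh(sys.argv[3]))
        except (OSError, ValueError) as e:
            print("DoH failed, do not enable `set protocol doh` for this server:", e)
```

A resolver that passes check_dot with the host name you intend to configure is one the FortiGate can use with set protocol dot and set server-hostname; a TLS handshake failure, a timeout on port 853, or a certificate name mismatch is exactly the condition that would otherwise show up only as high latency or an unreachable server on the FortiGate after the change.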