Description | This article describes how to change the DNS protocol used by FortiGate to initiate DNS requests. |
Scope | FortiGate. |
Solution |
DNS over TLS (DoT) is a security protocol that encrypts and encapsulates DNS requests and responses using TLS. DoT protects user privacy and security by preventing eavesdropping on DNS traffic and modification of DNS data through man-in-the-middle attacks.
DNS over HTTPS (DoH) is a similar mechanism for providing DNS resolution over a secure HTTPS connection. DoT and DoH are supported explicitly, with the FortiGate acting as an explicit DNS server listening for DoT and DoH queries.
Local-out DNS traffic is also supported through TLS and HTTPS.
The cleartext protocol uses DNS over UDP port 53 and DNS over TCP port 53.
Requests and responses are transmitted in plain text: they are not encrypted, and the protocol provides no way to encrypt them in transit.
To configure the DNS protocol in the CLI, run the following:
config system dns
    (dns) # set protocol
        cleartext    DNS over UDP/53, DNS over TCP/53.
        dot          DNS over TLS/853.
        doh          DNS over HTTPS/443.
end
DNS configuration in the GUI:
Note:
ssl-certificate = Name of the local certificate used for SSL connections.
server-hostname = DNS server hostname list.
If a DNS server does not support the configured protocol (DoT or DoH), it will drop these DNS packets. In that case the latency status of the DNS servers on the FortiGate appears high, and the servers are sometimes shown as unreachable.
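Before switching the FortiGate's protocol to DoT, it is worth confirming from a host on the same network path that the intended resolver actually answers on TCP/853 with a certificate matching the name you will put in server-hostname. The following Python script is an added example, not FortiGate code or Fortinet's own tooling: it frames a DNS query as DoT requires (RFC 7858), opens a verified TLS session and parses the answer, so a resolver without DoT support fails visibly instead of showing up later as "high latency". The resolver address and hostname in the main block are constructed example values.

```python
import socket
import ssl
import struct

def build_query(name, qid=0x1234):
    """DNS A query in wire format with the 2-byte length prefix that
    DNS over TCP/53 and DNS over TLS/853 (RFC 7858) both require."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lb)]) + lb.encode() for lb in labels) + b"\x00"
    msg = header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return struct.pack("!H", len(msg)) + msg

def parse_response(frame, qid=0x1234):
    """Return (rcode, answer_count) from a length-prefixed response frame."""
    (length,) = struct.unpack("!H", frame[:2])
    msg = frame[2:2 + length]
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != qid:
        raise ValueError("transaction ID mismatch")
    if not flags & 0x8000:
        raise ValueError("not a DNS response (QR bit clear)")
    return flags & 0x000F, ancount

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed before full response")
        buf += chunk
    return buf

def probe_dot(server, hostname, name="fortinet.com", timeout=5.0):
    """TLS to server:853 with chain and hostname verification, one query,
    returns (rcode, answer_count). A resolver without DoT support fails
    here loudly (refused, timeout, TLS error) rather than as 'high latency'."""
    ctx = ssl.create_default_context()
    with socket.create_connection((server, 853), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            tls.sendall(build_query(name))
            hdr = _recv_exact(tls, 2)
            (length,) = struct.unpack("!H", hdr)
            return parse_response(hdr + _recv_exact(tls, length))

if __name__ == "__main__":
    # Constructed example values (not from the article): Cloudflare's public
    # DoT resolver and the hostname on its certificate. Use your own.
    print(probe_dot("1.1.1.1", "one.one.one.one"))
```

A result such as (0, 1) means the resolver completed the TLS handshake with a valid certificate for the given hostname and returned one answer; an exception points at the layer (TCP, TLS or DNS) where DoT is not being served.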