This article describes that if DNS is enabled over TLS with default 'Fortinet_Factory', DNS Filter Rating Servers work fine.

But if is selected with any other third party certificate, DNS Filter Rating Servers would be 'Unreachable'.

Below is the log for DNS rating:

2022-09-14 15:05:18 [worker 0] _dns_tcps_conn_rating_write()-477: domain= buf=0x7f05f4f2bc40 sz=112 off=0
2022-09-14 15:05:18 [worker 0] dns_tcps_conn_read()-617: from 0.0.0.0:0 mode=0 vfid=0 status=5
2022-09-14 15:05:18 [worker 0] dns_tcps_conn_read()-625: buf=0x7f05f4fb23c8 off=0 pkt=0x7f05f4fb23c8 pkt_off=0 pkt_sz=0
2022-09-14 15:05:18 [worker 0] dns_tcps_conn_read()-640: remote host closed connection  <-----
2022-09-14 15:05:18 [worker 0] dns_tcps_conn_close()-362: close connection from 0.0.0.0:0 to 173.243.140.53:853 mode=0 vfid=0
2022-09-14 15:05:19 [worker 0] dns_retransmit_func()-1649: jiffies=1064544992 created=1064543844 wait_cat=1 wait_res=0 profile=
last_tx=0 ftg_last_tx=0 domain= (orig id: 0x1203 local id:0x1203 active)

It shows the FortiGuard DNS server closed the connection of DNS over TLS (DoT) requests on port 853.

This is normal behavior as the authentication is against FortiGuard servers and the connection will be refused if a certificate without the SN of the FortiGate is used.

To resolve this, use a default FortiGate certificate.


From the CLI:

config system dns
    set ssl-certificate "Fortinet_Factory"
end