FortiGate
ChrisTan (Staff)
Article Id 226513
Description

This article explains why the DNS Filter rating servers are reachable when DNS over TLS is enabled with the default 'Fortinet_Factory' certificate, but show as 'Unreachable' when any other third-party certificate is selected.

Scope

FortiGate.
Solution

Below is the log for DNS rating:


2022-09-14 15:05:18 [worker 0] _dns_tcps_conn_rating_write()-477: domain= buf=0x7f05f4f2bc40 sz=112 off=0
2022-09-14 15:05:18 [worker 0] dns_tcps_conn_read()-617: from 0.0.0.0:0 mode=0 vfid=0 status=5
2022-09-14 15:05:18 [worker 0] dns_tcps_conn_read()-625: buf=0x7f05f4fb23c8 off=0 pkt=0x7f05f4fb23c8 pkt_off=0 pkt_sz=0
2022-09-14 15:05:18 [worker 0] dns_tcps_conn_read()-640: remote host closed connection  <-----
2022-09-14 15:05:18 [worker 0] dns_tcps_conn_close()-362: close connection from 0.0.0.0:0 to 173.243.140.53:853 mode=0 vfid=0
2022-09-14 15:05:19 [worker 0] dns_retransmit_func()-1649: jiffies=1064544992 created=1064543844 wait_cat=1 wait_res=0 profile=
last_tx=0 ftg_last_tx=0 domain= (orig id: 0x1203 local id:0x1203 active)


The log shows that the FortiGuard DNS server closed the DNS over TLS (DoT) connection on port 853 before returning any rating response.


This is expected behavior: the FortiGuard servers only trust certificates issued by the Fortinet CA, so a DoT session presenting any other certificate is closed by the server.
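As an added example, not part of the article or of Fortinet's code, the following Python script parses debug lines in the format quoted above and reports each rating connection that the remote side closed, flagging those on port 853 as DoT failures and, when no bytes were read before the close, pointing at the certificate selection as the first thing to check. The worker 0 lines in the sample are the article's; the worker 1 lines are constructed to show a healthy connection for contrast. The function and field names (`find_remote_closes`, `explain`, `RemoteClose`) are this example's own assumptions.

```python
"""Flag DNS-over-TLS rating connections that the FortiGuard side closed.

Added example, not Fortinet code. It parses lines in the format of the
dnsproxy debug output quoted in the article and reports each TCP/TLS
connection that the remote host closed, so that a DoT certificate problem
shows up as one finding instead of a wall of debug text.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

DOT_PORT = 853

# Constructed sample: worker 0 is the article's log, worker 1 is a healthy
# connection made up for contrast (data read, then a normal local close).
SAMPLE_LOG = """\
2022-09-14 15:05:18 [worker 0] _dns_tcps_conn_rating_write()-477: domain= buf=0x7f05f4f2bc40 sz=112 off=0
2022-09-14 15:05:18 [worker 0] dns_tcps_conn_read()-617: from 0.0.0.0:0 mode=0 vfid=0 status=5
2022-09-14 15:05:18 [worker 0] dns_tcps_conn_read()-625: buf=0x7f05f4fb23c8 off=0 pkt=0x7f05f4fb23c8 pkt_off=0 pkt_sz=0
2022-09-14 15:05:18 [worker 0] dns_tcps_conn_read()-640: remote host closed connection
2022-09-14 15:05:18 [worker 0] dns_tcps_conn_close()-362: close connection from 0.0.0.0:0 to 173.243.140.53:853 mode=0 vfid=0
2022-09-14 15:05:19 [worker 0] dns_retransmit_func()-1649: jiffies=1064544992 created=1064543844 wait_cat=1 wait_res=0 profile=
last_tx=0 ftg_last_tx=0 domain= (orig id: 0x1203 local id:0x1203 active)
2022-09-14 15:05:20 [worker 1] _dns_tcps_conn_rating_write()-477: domain= buf=0x7f05f4f2bd00 sz=112 off=0
2022-09-14 15:05:20 [worker 1] dns_tcps_conn_read()-625: buf=0x7f05f4fb2500 off=0 pkt=0x7f05f4fb2500 pkt_off=0 pkt_sz=96
2022-09-14 15:05:20 [worker 1] dns_tcps_conn_close()-362: close connection from 0.0.0.0:0 to 173.243.140.53:853 mode=0 vfid=0
"""

# One debug entry: timestamp, worker id, function name, free-text message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"\[worker (?P<worker>\d+)\] "
    r"(?P<func>\w+)\(\)-\d+: "
    r"(?P<msg>.*)$"
)
CLOSE_RE = re.compile(r"close connection from (?P<src>\S+) to (?P<dst>[\d.]+):(?P<port>\d+)")
READ_RE = re.compile(r"pkt_sz=(?P<sz>\d+)")


@dataclass
class RemoteClose:
    timestamp: str
    worker: str
    server: str
    port: int
    bytes_read: int  # pkt_sz on the last read before the remote close

    @property
    def is_dot(self) -> bool:
        return self.port == DOT_PORT


def find_remote_closes(log_text: str) -> List[RemoteClose]:
    """Pair each 'remote host closed connection' with the close line that follows it."""
    pending: Dict[str, Tuple[str, int]] = {}  # worker -> (timestamp, bytes_read)
    last_sz: Dict[str, int] = {}              # worker -> pkt_sz from the latest read
    findings: List[RemoteClose] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # wrapped continuation line, as in the article's log
        worker, func, msg = m["worker"], m["func"], m["msg"]
        if func == "dns_tcps_conn_read":
            r = READ_RE.search(msg)
            if r:
                last_sz[worker] = int(r["sz"])
            if "remote host closed connection" in msg:
                pending[worker] = (m["ts"], last_sz.get(worker, 0))
        elif func == "dns_tcps_conn_close" and worker in pending:
            ts, sz = pending.pop(worker)
            c = CLOSE_RE.search(msg)
            if c:
                findings.append(RemoteClose(ts, worker, c["dst"], int(c["port"]), sz))
    return findings


def explain(findings: List[RemoteClose]) -> str:
    """Summarise DoT connections the server dropped before sending any data."""
    dot = [f for f in findings if f.is_dot and f.bytes_read == 0]
    if not dot:
        return "no DoT rating connection was closed by the server"
    servers = ", ".join(sorted({f.server for f in dot}))
    return (f"{len(dot)} DoT rating connection(s) to {servers} closed by the server "
            "before any response; check that the DNS-over-TLS certificate is the "
            "default Fortinet_Factory, since FortiGuard only trusts Fortinet-CA issued certificates")


if __name__ == "__main__":
    for f in find_remote_closes(SAMPLE_LOG):
        print(f"{f.timestamp} worker {f.worker}: {f.server}:{f.port} closed by remote, "
              f"{f.bytes_read} bytes read, DoT={f.is_dot}")
    print(explain(find_remote_closes(SAMPLE_LOG)))
```

Feed the script the raw debug output from the FortiGate; a single remote close on port 853 with zero bytes read matches the failure described in this article, whereas closes that occur after data was read (worker 1 in the sample) are normal connection teardown and are not reported.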
