Oscar_Wee (Staff)
Article Id 422615
Description This article explains why DNS over TLS (DoT) is able to mitigate 'Secure Client-Initiated Renegotiation' or 'Client-initiated Re-negotiations'.
Scope FortiGate.
Solution


DNS over TLS (DoT) is not intrinsically susceptible to the legacy SSL/TLS client-initiated renegotiation vulnerability. DoT runs only over TLS 1.2 or later (RFC 7858): TLS 1.3 removes renegotiation from the protocol entirely, and TLS 1.2 stacks restrict or disable it, so protocol-level controls either substantially mitigate or entirely preclude this attack vector.


Rate Limiting:

Contemporary DoT servers and modern TLS stacks typically enforce stringent rate limits on renegotiation handshakes (where renegotiation is enabled at all), which substantially reduces the feasibility of renegotiation-based denial of service.


Consequently, while this vulnerability may still be present in legacy or misconfigured SSL/TLS deployments, current DoT implementations are architected to provide robust protection against such exploitation.


Hence, the 'Secure Client-Initiated Renegotiation' vulnerability report on DNS over TLS (DoT) is a false positive.
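To triage such a report against a DoT listener before closing it as a false positive, here is an added Python helper (example code, not Fortinet's) that classifies the session summary printed by `openssl s_client -connect <host>:853`. The two session samples are constructed, and the `probe()` wrapper for a live listener is an assumption about your environment (it needs the `openssl` binary on the path).

```python
"""Triage a 'Secure Client-Initiated Renegotiation' scanner finding against a DoT
listener (TCP/853) from the output of `openssl s_client`.
Added example, not Fortinet or FortiGate code."""
import re
import subprocess

# Constructed sample of what `openssl s_client -connect <host>:853` prints when
# the listener negotiates TLS 1.3 (abridged; not captured from a real device).
SAMPLE_TLS13 = """\
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
"""

# Constructed sample for a TLS 1.2 listener that advertises RFC 5746.
SAMPLE_TLS12 = """\
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Secure Renegotiation IS supported
SSL-Session:
    Protocol  : TLSv1.2
"""

def triage(session_text: str) -> tuple[str, str]:
    """Classify an s_client session summary; returns (status, reason)."""
    m = re.search(r"^\s*Protocol\s*:\s*(TLSv[\d.]+)", session_text, re.M)
    if not m:
        return ("unknown", "no 'Protocol :' line; the handshake probably failed")
    version = m.group(1)
    if version == "TLSv1.3":
        # TLS 1.3 has no renegotiation at all. s_client still prints
        # 'Secure Renegotiation IS NOT supported' here because the RFC 5746
        # extension does not exist in 1.3; that line is not a finding.
        return ("not-applicable", "TLS 1.3 removed renegotiation from the protocol")
    if version == "TLSv1.2":
        if re.search(r"^Secure Renegotiation IS supported$", session_text, re.M):
            return ("check-rate-limit", "TLS 1.2 with RFC 5746; confirm renegotiation "
                    "is disabled or rate-limited on the listener")
        return ("review", "TLS 1.2 without RFC 5746 secure renegotiation")
    return ("review", f"{version} is below the TLS 1.2 minimum required for DoT")

def probe(host: str, port: int = 853) -> tuple[str, str]:
    """Run openssl s_client against a live DoT listener and triage its output."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host]
    out = subprocess.run(cmd, input=b"", capture_output=True, timeout=15)
    return triage(out.stdout.decode(errors="replace"))
```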
