vsahu
Staff
Article Id 245821
Description

This article describes how to configure DNS over TLS (DoT) on FortiGate with a third-party global DNS provider such as Google Public DNS.

 

Scope

FortiGate v7.0.4 and later.

 

Solution

Traditional DNS queries and responses are sent over UDP or TCP without encryption.

Unencrypted DNS is vulnerable to eavesdropping and spoofing (including DNS-based Internet filtering).


DNS-over-TLS improves privacy and security between clients and resolvers. When using FortiGuard servers for DNS, FortiOS defaults to using DNS over TLS (DoT) to secure the DNS traffic.


The FortiGuard DNS server certificates are issued for the hostname globalsdns.fortinet.net by a public CA.

The FortiGate verifies the server's certificate hostname using the server-hostname setting.

The server-hostname value is matched against the domain name in the remote DNS server's certificate (Subject or Subject Alternative Name). Leaving it empty disables hostname matching, so the certificate is not tied to the expected resolver.


Default configuration when FortiGuard DNS is used:


# config system dns
    set primary 96.45.45.45
    set secondary 96.45.46.46
    set protocol dot
    set server-hostname "globalsdns.fortinet.net"
end

When configuring Google DNS:

# config system dns
    set primary 8.8.8.8
    set secondary 8.8.4.4
    set protocol dot
    set server-hostname "dns.google"
end


When the GUI DNS setting is toggled from Use FortiGuard DNS to Specify, the existing DNS configuration is not changed: the DNS servers remain the FortiGuard 96.45.45.45 and 96.45.46.46 addresses, and the server hostname remains globalsdns.fortinet.net.

A common mistake is to change only the DNS server to 8.8.8.8 and leave the server hostname as it was. The FortiGate then reports DNS as Unreachable, because the server is 8.8.8.8 while server-hostname is still globalsdns.fortinet.net, and that hostname does not match the name in Google's server certificate.

(Screenshot: Unreachable.PNG)


DNS is reachable when the server is 8.8.8.8 and server-hostname is dns.google, because the hostname matches the server certificate.

(Screenshot: Reachable.PNG)


Similarly, if any other DNS server is used with the dot or doh protocol, the server hostname must be set to the name the provider publishes in its certificate. If server-hostname is left empty, certificate hostname matching is disabled and the connection is again exposed to eavesdropping and spoofing, since any valid certificate would be accepted.
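To see the hostname check outside FortiGate, the following is an added Python example (not FortiOS code) that performs the same probe: a TLS session to the resolver on port 853, certificate hostname verification against a chosen server-hostname, then a DNS query over that session. The query name fortinet.com and the resolver/hostname pairs in the main block are assumptions; only dot_probe needs network access, and running it against 8.8.8.8 with dns.google and then with globalsdns.fortinet.net reproduces the reachable and unreachable cases described above.

```python
import socket
import ssl
import struct


def build_query(name, qid=0x1234):
    """Wire-format A/IN query for `name`, prefixed with the 2-byte length DoT/TCP requires."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    msg = header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return struct.pack("!H", len(msg)) + msg


def parse_response(resp):
    """Return (qid, rcode, ancount) from a DNS response without its length prefix."""
    qid, flags, _qdcount, ancount = struct.unpack("!HHHH", resp[:8])
    return qid, flags & 0x0F, ancount


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise OSError("connection closed by resolver")
        buf += chunk
    return buf


def dot_probe(resolver, server_hostname, name="fortinet.com"):
    """Mimic the FortiGate check: TLS to resolver:853, certificate verified against server_hostname.
    Returns 'ready' on a successful answer, otherwise a short reason (as the diagnose output
    would show ready=1 versus a failure)."""
    ctx = ssl.create_default_context()  # chain validated against the system CA store
    ctx.check_hostname = True           # non-empty server-hostname -> match Subject/SAN
    try:
        with socket.create_connection((resolver, 853), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=server_hostname) as tls:
                tls.sendall(build_query(name))
                (length,) = struct.unpack("!H", _recv_exact(tls, 2))
                _qid, rcode, ancount = parse_response(_recv_exact(tls, length))
                return "ready" if rcode == 0 and ancount > 0 else "rcode=%d" % rcode
    except ssl.SSLCertVerificationError as exc:
        return "unreachable: certificate hostname mismatch (%s)" % exc.reason
    except (OSError, ssl.SSLError) as exc:
        return "unreachable: %s" % exc


if __name__ == "__main__":  # assumed pairs: Google Public DNS with the right and wrong hostname
    for hostname in ("dns.google", "globalsdns.fortinet.net"):
        print("8.8.8.8 / server-hostname %s -> %s" % (hostname, dot_probe("8.8.8.8", hostname)))
```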


Verifying the connection:


iron-kvm45 # diagnose test application dnsproxy 3
worker idx: 0
VDOM: root, index=0, is primary, vdom dns is enabled, pip-0.0.0.0 dns_log=1
dns64 is disabled
DNS servers:
8.8.8.8:853 vrf=0 tz=0 encrypt=dot req=3 to=0 res=3 rt=8 ready=1 timer=0 probe=0 failure=0 last_failed=0
8.8.8.8:443 vrf=0 tz=0 encrypt=doh req=2 to=0 res=2 rt=1 ready=1 timer=0 probe=0 failure=0 last_failed=0
8.8.4.4:853 vrf=0 tz=0 encrypt=dot req=1 to=0 res=1 rt=5 ready=1 timer=0 probe=0 failure=0 last_failed=0
8.8.4.4:443 vrf=0 tz=0 encrypt=doh req=2 to=0 res=2 rt=1 ready=1 timer=0 probe=0 failure=0 last_failed=0
SDNS servers:
ALT servers:
Interface selecting method: auto
Specified interface:
FortiGuard interface selecting method: auto
FortiGuard specified interface:

DNS_CACHE: hash-size=2048, ttl=1800, min-ttl=60, max-num=5000
DNS FD: udp_s=8 udp_c=19:20 ha_c=24 unix_s=9, unix_nb_s=25, unix_nc_s=10
v6_udp_s=7, v6_udp_c=22:23, snmp=26, redir=15, v6_redir=16
DNS FD: tcp_s=11, tcp_s6=12, redir=28 v6_redir=29
DNS UNIX FD: dnsproxy_un=30
FGD_DNS_SERVICE_LICENSE:
FGD_CATEGORY_VERSION:9
SERVER_LDB: gid=6dba, tz=60, error_allow=0
FGD_REDIR_V4:FGD_REDIR_V6:


Related documents:
https://docs.fortinet.com/document/fortigate/7.0.0/administration-guide/42181

https://community.fortinet.com/t5/FortiGate/Technical-Tip-DNS-over-TLS-configuration/ta-p/193830

https://developers.google.com/speed/public-dns/docs/dns-over-tls

https://developers.google.com/speed/public-dns/docs/doh
