This article describes how to configure DNS over TLS on FortiGate with a third-party global DNS provider.
FortiGate v7.0.4 and later.
Traditional DNS queries and responses are sent over UDP or TCP without encryption.
This leaves them vulnerable to eavesdropping and spoofing (including DNS-based Internet filtering).
DNS over TLS improves privacy and security between clients and resolvers. When FortiGuard servers are used for DNS, FortiOS defaults to DNS over TLS (DoT) to secure the DNS traffic.
The FortiGuard DNS server certificates are issued by a public CA for the hostname globalsdns.fortinet.net.
The FortiGate verifies the server hostname using the server-hostname setting.
The server-hostname value specifies the domain name that must match the remote DNS server's certificate, in the Subject or the Subject Alternative Name (SAN). Leaving it empty disables the match.
Default configuration when FortiGuard DNS is used:
# config system dns
set primary 96.45.45.45
set secondary 96.45.46.46
set protocol dot
set server-hostname "globalsdns.fortinet.net"
end
When configuring Google DNS:
# config system dns
set primary 8.8.8.8
set secondary 8.8.4.4
set protocol dot
set server-hostname "dns.google"
end
When the DNS configuration is toggled from Use FortiGuard DNS to Specify, none of the DNS settings change: the DNS servers remain the FortiGuard addresses (96.45.45.45 / 96.45.46.46) and the server hostname remains globalsdns.fortinet.net.
Generally, the user changes the DNS server to 8.8.8.8 but misses changing the server hostname. This causes DNS Unreachable, because the server is 8.8.8.8 while server-hostname is still globalsdns.fortinet.net, and that hostname does not match the server certificate.
DNS is reachable when the server is 8.8.8.8 and server-hostname is dns.google, as that matches the server certificate.
Similarly, if any other DNS server is used with the dot or doh protocol, the server hostname must be set as specified by the provider. If it is not configured, the certificate match is disabled and the connection is vulnerable to eavesdropping and spoofing.
Verifying the connection:
iron-kvm45 # diagnose test application dnsproxy 3
worker idx: 0
VDOM: root, index=0, is primary, vdom dns is enabled, pip-0.0.0.0 dns_log=1
dns64 is disabled
DNS servers:
8.8.8.8:853 vrf=0 tz=0 encrypt=dot req=3 to=0 res=3 rt=8 ready=1 timer=0 probe=0 failure=0 last_failed=0
8.8.8.8:443 vrf=0 tz=0 encrypt=doh req=2 to=0 res=2 rt=1 ready=1 timer=0 probe=0 failure=0 last_failed=0
8.8.4.4:853 vrf=0 tz=0 encrypt=dot req=1 to=0 res=1 rt=5 ready=1 timer=0 probe=0 failure=0 last_failed=0
8.8.4.4:443 vrf=0 tz=0 encrypt=doh req=2 to=0 res=2 rt=1 ready=1 timer=0 probe=0 failure=0 last_failed=0
SDNS servers:
ALT servers:
Interface selecting method: auto
Specified interface:
FortiGuard interface selecting method: auto
FortiGuard specified interface:
DNS_CACHE: hash-size=2048, ttl=1800, min-ttl=60, max-num=5000
DNS FD: udp_s=8 udp_c=19:20 ha_c=24 unix_s=9, unix_nb_s=25, unix_nc_s=10
v6_udp_s=7, v6_udp_c=22:23, snmp=26, redir=15, v6_redir=16
DNS FD: tcp_s=11, tcp_s6=12, redir=28 v6_redir=29
DNS UNIX FD: dnsproxy_un=30
FGD_DNS_SERVICE_LICENSE:
FGD_CATEGORY_VERSION:9
SERVER_LDB: gid=6dba, tz=60, error_allow=0
FGD_REDIR_V4:FGD_REDIR_V6:
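The following script is an added example and is not Fortinet code. It applies the server-hostname rule described above to the config blocks on this page and parses the dnsproxy diagnostic output above, so the common mistake (8.8.8.8 with globalsdns.fortinet.net) is flagged as a mismatch before it shows up as DNS Unreachable. The SAMPLE_CERT_SANS table is constructed sample data standing in for the names the resolver certificates present; the function names (parse_system_dns, audit, parse_dnsproxy, live_tls_check) are this example's own. live_tls_check is an optional online check from a workstation and is not exercised offline.

```python
"""Audit FortiGate 'config system dns' settings for DoT/DoH hostname pinning.

Added example, not Fortinet code. Applies the rule from the article:
server-hostname must match the resolver certificate's Subject/SAN, and an
empty value disables the match entirely.
"""
import re
import socket
import ssl

# Constructed sample data: names each resolver's certificate is assumed to
# present. Illustrative only; these are not fetched certificates.
SAMPLE_CERT_SANS = {
    "96.45.45.45": ["globalsdns.fortinet.net"],
    "96.45.46.46": ["globalsdns.fortinet.net"],
    "8.8.8.8": ["dns.google", "*.dns.google"],
    "8.8.4.4": ["dns.google", "*.dns.google"],
}

# Config blocks from the article: the common mistake and the working one.
BROKEN_CONFIG = """config system dns
    set primary 8.8.8.8
    set secondary 8.8.4.4
    set protocol dot
    set server-hostname "globalsdns.fortinet.net"
end"""
GOOD_CONFIG = BROKEN_CONFIG.replace("globalsdns.fortinet.net", "dns.google")

# Two lines of the 'diagnose test application dnsproxy 3' output from the article.
SAMPLE_DIAG = """DNS servers:
8.8.8.8:853 vrf=0 tz=0 encrypt=dot req=3 to=0 res=3 rt=8 ready=1 timer=0 probe=0 failure=0 last_failed=0
8.8.8.8:443 vrf=0 tz=0 encrypt=doh req=2 to=0 res=2 rt=1 ready=1 timer=0 probe=0 failure=0 last_failed=0
SDNS servers:"""

def parse_system_dns(cli_text):
    """Collect 'set <key> <value>' pairs from a 'config system dns' block."""
    cfg = {}
    for line in cli_text.splitlines():
        m = re.match(r'\s*set\s+(\S+)\s+(.*)$', line)
        if m:
            cfg[m.group(1)] = m.group(2).strip().strip('"')
    return cfg

def hostname_matches(pattern, hostname):
    """Certificate name match: exact, or a '*' in the leftmost label only."""
    p_labels, h_labels = pattern.lower().split("."), hostname.lower().split(".")
    if p_labels == h_labels:
        return True
    return (p_labels[0] == "*" and len(p_labels) == len(h_labels)
            and p_labels[1:] == h_labels[1:])

def audit(cfg, cert_sans=SAMPLE_CERT_SANS):
    """Return (server, code, detail) per resolver: OK, MISMATCH, UNVERIFIED or CLEARTEXT."""
    findings = []
    protocol = cfg.get("protocol", "cleartext")
    hostname = cfg.get("server-hostname", "")
    for key in ("primary", "secondary"):
        server = cfg.get(key)
        if not server or server == "0.0.0.0":
            continue
        if protocol not in ("dot", "doh"):
            findings.append((server, "CLEARTEXT", "no TLS; eavesdropping and spoofing possible"))
        elif not hostname:
            findings.append((server, "UNVERIFIED", "server-hostname empty; certificate match disabled"))
        elif any(hostname_matches(san, hostname) for san in cert_sans.get(server, [])):
            findings.append((server, "OK", "%s matches the certificate" % hostname))
        else:
            findings.append((server, "MISMATCH", "%s not in certificate; expect DNS Unreachable" % hostname))
    return findings

def parse_dnsproxy(diag_text):
    """Parse 'ip:port key=value ...' server lines from the dnsproxy diagnostic."""
    rows = []
    for line in diag_text.splitlines():
        m = re.match(r'^(\d+\.\d+\.\d+\.\d+):(\d+)\s+(.*)$', line.strip())
        if not m:
            continue
        kv = dict(tok.split("=", 1) for tok in m.group(3).split() if "=" in tok)
        rows.append({"server": m.group(1), "port": int(m.group(2)),
                     "encrypt": kv.get("encrypt"), "ready": kv.get("ready") == "1",
                     "failure": int(kv.get("failure", "0"))})
    return rows

def live_tls_check(server, hostname, port=853, timeout=5):
    """Optional online check from a workstation: does a TLS handshake to the
    resolver verify against 'hostname' the way the FortiGate does? Uses the
    system trust store; returns False on any TLS or socket failure."""
    ctx = ssl.create_default_context()  # check_hostname=True, CERT_REQUIRED
    try:
        with socket.create_connection((server, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname):
                return True
    except (ssl.SSLError, OSError):
        return False

if __name__ == "__main__":
    for label, text in (("broken", BROKEN_CONFIG), ("good", GOOD_CONFIG)):
        for server, code, detail in audit(parse_system_dns(text)):
            print("%-6s %-12s %-10s %s" % (label, server, code, detail))
    for row in parse_dnsproxy(SAMPLE_DIAG):
        print(row)
```

Run against the broken block, the audit reports MISMATCH for both resolvers; against the working block it reports OK. Feeding the full dnsproxy output into parse_dnsproxy gives one row per server and port, with ready=1 and failure=0 confirming the DoT and DoH sessions are up.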
Related documents:
DNS over TLS and HTTPS
Technical Tip: DNS over TLS configuration
https://developers.google.com/speed/public-dns/docs/dns-over-tls
https://developers.google.com/speed/public-dns/docs/doh
Troubleshooting Tip: Google DNS with DNS over TLS showing as unreachable
Copyright 2024 Fortinet, Inc. All Rights Reserved.