FortiGate
gakshay
Staff
Article Id 193830

Description


This article describes how to configure DNS over TLS (DoT) on a FortiGate.


Scope


FortiGate.

Solution


DNS over TLS (DoT) is a security protocol for encrypting and wrapping DNS queries and answers via the TLS protocol. The goal of DNS over TLS is to increase user privacy and security by preventing eavesdropping and manipulation of DNS data via man-in-the-middle attacks.


There is an option in the FortiOS DNS profile settings to enforce DoT for this added security.


To configure DoT from the GUI:

  1. Go to Network -> DNS. The DNS Settings pane opens.
  2. For DNS over TLS, select 'Enforce'.
  3. Select 'Apply'.


To configure DoT from the CLI:

config system dns
    set primary 8.8.8.8
    set secondary 1.1.1.1
    set dns-over-tls enforce
    set ssl-certificate "Fortinet_Factory"
end


Note:

As of v7.0.0, the new FortiGuard DNS servers (96.45.45.45 and 96.45.46.46) now support DNS over TLS (port 853).


FGT_3 (global) # config system dns

FGT_3 (dns) # show
    config system dns
        set primary 96.45.45.45
        set secondary 96.45.46.46
        set protocol dot <-
        set server-hostname "globalsdns.fortinet.net"
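To check what the FortiGate settings above actually produce on the wire, the following added example (written for this article, not Fortinet or FortiOS code) is a minimal DNS-over-TLS client per RFC 7858: it opens a TLS session to TCP port 853, validates the resolver's certificate against a hostname (the same role the `set server-hostname` value plays on the FortiGate), sends a length-prefixed DNS query, and parses the answer. The only values taken from the article are the FortiGuard server 96.45.45.45 and the hostname globalsdns.fortinet.net; the query names, function names and the documentation-range addresses used for testing are constructed.

```python
"""Minimal DNS-over-TLS (RFC 7858) client: send one query to a DoT resolver on
TCP 853 and parse the answer. Added example, not Fortinet code."""
import secrets
import socket
import ssl
import struct
from typing import Dict, List, Optional, Tuple

DOT_PORT = 853  # DNS over TLS listens on TCP 853 (RFC 7858)
QTYPE_A, QTYPE_AAAA = 1, 28


def build_query(name: str, qtype: int = QTYPE_A, txid: Optional[int] = None) -> bytes:
    """Build a DNS query (RFC 1035 wire format) with recursion desired."""
    if txid is None:
        txid = secrets.randbits(16)
    # header: ID, flags (RD=1), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS IN


def frame_dot(msg: bytes) -> bytes:
    """DoT reuses the DNS-over-TCP framing: a 2-byte big-endian length prefix."""
    return struct.pack("!H", len(msg)) + msg


def _read_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset after the name)."""
    labels: List[str] = []
    end, jumped = offset, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if not jumped:
                end = offset + 2
            jumped = True
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        if length == 0:
            offset += 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), (end if jumped else offset)


def parse_response(msg: bytes) -> Dict[str, object]:
    """Parse a DNS response; return its txid, rcode and A/AAAA answers."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    offset = 12
    for _ in range(qd):
        _, offset = _read_name(msg, offset)
        offset += 4  # skip QTYPE and QCLASS
    answers: List[str] = []
    for _ in range(an):
        _, offset = _read_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            answers.append(socket.inet_ntop(socket.AF_INET, rdata))
        elif rtype == QTYPE_AAAA and rdlen == 16:
            answers.append(socket.inet_ntop(socket.AF_INET6, rdata))
    return {"txid": txid, "rcode": flags & 0x000F, "answers": answers}


def _recv_exact(sock: ssl.SSLSocket, n: int) -> bytes:
    """Read exactly n bytes from the TLS socket (TCP may split a message)."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("resolver closed the connection early")
        buf += chunk
    return buf


def query_dot(server_ip: str, server_hostname: str, name: str,
              qtype: int = QTYPE_A, timeout: float = 5.0) -> Dict[str, object]:
    """Resolve `name` over TLS. `server_hostname` plays the role of the FortiGate
    'set server-hostname' value: it is sent as SNI and the resolver's certificate
    must be valid for it, otherwise the handshake fails rather than falling back."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    query = build_query(name, qtype)
    with socket.create_connection((server_ip, DOT_PORT), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_hostname) as tls:
            tls.sendall(frame_dot(query))
            length = struct.unpack("!H", _recv_exact(tls, 2))[0]
            resp = parse_response(_recv_exact(tls, length))
    if resp["txid"] != struct.unpack("!H", query[:2])[0]:
        raise ValueError("transaction ID mismatch")
    return resp


if __name__ == "__main__":
    # Server address and hostname are the FortiGuard values from the article.
    print(query_dot("96.45.45.45", "globalsdns.fortinet.net", "fortinet.com"))
```

Running the script from a host that can reach the resolver prints the parsed answer; a certificate that does not match the hostname, or a server that does not speak TLS on 853, raises an `ssl.SSLError` instead of returning data, which is the same fail-closed behaviour the `enforce` setting gives the FortiGate.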

[Figure: DNS_over_TLS.JPG]

Related articles:
Technical Tip: DNS server is unreachable when using custom DNS

Troubleshooting Tip: Quad9 DNS with DNS over TLS showing as unreachable