kchavda1
Staff
Article Id 219668
Description

This article describes why, when a custom DNS server is configured under System -> DNS, internal DNS resolution stops working and FortiGuard also becomes unreachable.

If the FortiGate is used as a DNS server, clients behind it will also be unable to resolve names.

Scope

FortiOS 7.0 and above

Solution

DNS over TLS is enabled by default under System -> DNS, and the FortiGate uses the globalsdns.fortinet.net hostname for the TLS negotiation with the new FortiGuard DNS servers.

When the DNS servers are changed to custom DNS servers, that server hostname breaks the TLS negotiation: the name globalsdns.fortinet.net no longer matches the configured DNS server IP, so the certificate check against the custom server fails and DNS resolution stops.


Solution 1.

If the DNS server does not support DoT (DNS over TLS) or DoH (DNS over HTTPS), disable DNS over TLS and use standard DNS over UDP port 53 instead.


Solution 2.

If the DNS server supports DoT, remove the server hostname and keep DNS over TLS enabled.


It is also possible to enter the FQDN of the DNS server in the server hostname field (for example dns.google when 8.8.8.8 or 8.8.4.4 are used as the DNS server).
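As an added example (not from this article or from Fortinet), the following Python check reproduces what the FortiGate does when DNS over TLS is enabled: it connects to the DNS server IP on TCP/853 with the configured server hostname as SNI and verifies the server certificate against that same hostname. Run against a custom server with the default globalsdns.fortinet.net name it reports the mismatch described above; with the server's own FQDN (dns.google for 8.8.8.8) it succeeds. It assumes a host with a CA bundle and network access; the query name fortiguard.com and the transaction ID are constructed values.

```python
import socket
import ssl
import struct
QID = 0x1234  # fixed transaction ID for this example (constructed)

def build_query(name: str) -> bytes:
    """Minimal DNS A query in wire format (RFC 1035): RD=1, QDCOUNT=1."""
    header = struct.pack("!HHHHHH", QID, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_response(msg: bytes, expect_id: int = QID) -> tuple:
    """Return (rcode, ancount) from the response header; the ID must match."""
    qid, flags, _qd, ancount = struct.unpack("!HHHH", msg[:8])
    if qid != expect_id:
        raise ValueError("response ID mismatch")
    return flags & 0x000F, ancount

def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("DoT server closed the connection")
        buf += chunk
    return buf

def dot_query(server_ip: str, server_hostname: str, name: str) -> tuple:
    """One DoT query (RFC 7858: TLS on 853, 2-byte length prefix). server_hostname
    is the SNI and the name the certificate must match, i.e. the 'server hostname' field."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    with socket.create_connection((server_ip, 853), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_hostname) as tls:
            q = build_query(name)
            tls.sendall(struct.pack("!H", len(q)) + q)
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            return parse_response(_recv_exact(tls, length))

def check_dot_server(server_ip: str, server_hostname: str, name: str = "fortiguard.com") -> str:
    """Classify the outcome: 'ok', 'hostname-mismatch', 'cert-error: ...', 'no-dot: ...', 'rcode-N'."""
    try:
        rcode, ancount = dot_query(server_ip, server_hostname, name)
    except ssl.SSLCertVerificationError as e:  # the article's failure: name does not match the server
        return "hostname-mismatch" if "hostname" in str(e).lower() else f"cert-error: {e.verify_message}"
    except OSError as e:  # refused or timed out: server offers no DoT on 853 (use Solution 1)
        return f"no-dot: {e}"
    return "ok" if rcode == 0 and ancount > 0 else f"rcode-{rcode}"
if __name__ == "__main__":
    print(check_dot_server("8.8.8.8", "dns.google"))               # matching FQDN: Solution 2
    print(check_dot_server("8.8.8.8", "globalsdns.fortinet.net"))  # default hostname: mismatch
```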