This article describes why, when a custom DNS server is configured under System -> DNS, internal DNS resolution stops working and FortiGuard becomes unreachable.
If the FortiGate is used as a DNS server, its clients will also be unable to resolve DNS.
FortiOS 7.0 and above
DNS over TLS is enabled by default under System -> DNS, and the FortiGate uses the hostname globalsdns.fortinet.net for the TLS negotiation with the new FortiGuard DNS servers.
When the DNS servers are changed to custom DNS servers, that server hostname breaks the TLS negotiation, since the name no longer corresponds to the configured DNS server IP and the TLS hostname check fails.
Solution 1.
If the DNS server does not support DoT (DNS over TLS) or DoH (DNS over HTTPS), disable DNS over TLS and use standard DNS over UDP port 53.
Solution 2.
If the DNS server supports DoT, remove the server hostname while keeping DNS over TLS enabled.
It is also possible to enter the FQDN of the DNS server in the server hostname field (for example dns.google when 8.8.8.8 or 8.8.4.4 are used as the DNS servers).
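As an added example (not part of the original article), the equivalent FortiOS CLI for the failing state and for both solutions, assuming Google Public DNS (8.8.8.8 / 8.8.4.4) as the custom servers as in the example above:

```text
# Failing state: custom servers, but the default FortiGuard hostname is still
# used for the DoT negotiation, so the TLS hostname check fails and DNS breaks.
config system dns
    set primary 8.8.8.8
    set secondary 8.8.4.4
    set protocol dot
    set server-hostname "globalsdns.fortinet.net"
end

# Solution 1: server does not support DoT/DoH -> plain DNS over UDP/53.
config system dns
    set primary 8.8.8.8
    set secondary 8.8.4.4
    set protocol cleartext
    unset server-hostname
end

# Solution 2: server supports DoT -> keep DoT, and either clear the hostname
# or set it to the FQDN that the server's certificate is issued for.
config system dns
    set primary 8.8.8.8
    set secondary 8.8.4.4
    set protocol dot
    set server-hostname "dns.google"
end
```

After applying either change, confirm from the FortiGate that name resolution and FortiGuard connectivity work again before relying on the unit as a DNS server for clients.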
Copyright 2024 Fortinet, Inc. All Rights Reserved.