This article describes a scenario in which, after custom DNS servers are configured under System -> DNS, the FortiGate's own DNS resolution stops working and FortiGuard becomes unreachable.
If the FortiGate is also used as the DNS server for clients, those clients fail to resolve names as well.
FortiGate v7.0 and above.
DNS over TLS is enabled by default under System -> DNS, and the FortiGate uses the hostname globalsdns.fortinet.net for the TLS negotiation with the FortiGuard DNS servers. That hostname is what the FortiGate expects to find in the certificate presented by the DNS server.
When the DNS servers are changed to custom DNS servers but the server hostname is left as globalsdns.fortinet.net, the certificate presented by the custom server does not match that name. The TLS negotiation fails, so no DNS queries are answered.
Solution 1.
If the custom DNS server does not support DoT (DNS over TLS) or DoH (DNS over HTTPS), disable DNS over TLS so that the FortiGate uses standard (cleartext) DNS over UDP port 53. Note that DNS queries to that server are then sent unencrypted.
Solution 2.
If the custom DNS server supports DoT, keep DNS over TLS enabled and either remove the FortiGuard server hostname or replace it with the hostname that the custom server's certificate is issued for.
For Google Public DNS (8.8.8.8 and 8.8.4.4) that hostname is dns.google. To configure the server hostname from the CLI:
config system dns
    set primary 8.8.8.8
    set secondary 8.8.4.4
    set protocol dot
    set server-hostname "dns.google"
end
The server hostname must match the name in the certificate presented by the custom DNS server (dns.google for 8.8.8.8 or 8.8.4.4). If it is left as globalsdns.fortinet.net, the TLS negotiation fails as described above.
Solution 3.
When the FortiGate's local DNS server (DNS database) is in use, the configured DNS forwarder may not be working, and clients receive 'server failure' (SERVFAIL) in the DNS response.
Changing the DNS forwarder to another server (8.8.8.8 in this example) fixes the 'server failure' responses.
Note:
Make sure that no source IP and no specific outgoing interface are selected in the DNS configuration. A wrong selection can prevent the FortiGate's local-out DNS traffic from reaching the DNS server.
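The following CLI is added here as an example and is not part of the original article. It shows the configuration for Solution 1 (custom servers without DoT, so cleartext DNS over UDP/53 with the FortiGuard server hostname removed and, per the note above, no source IP or pinned interface) and for Solution 3 (a DNS database zone whose forwarder is changed to 8.8.8.8, the server used in the article). The internal resolver addresses 10.0.0.53 and 10.0.0.54 and the zone name example.local are placeholders, not values from the article.

```fortios
# Solution 1 (added example): custom DNS servers that do not support DoT or DoH.
# 10.0.0.53 and 10.0.0.54 are placeholder internal resolvers.
config system dns
    set primary 10.0.0.53
    set secondary 10.0.0.54
    # Plain DNS over UDP/53; the server hostname only applies to DoT/DoH, so drop it.
    set protocol cleartext
    unset server-hostname
    # No source IP and no pinned outgoing interface, so local-out DNS follows the routing table.
    unset source-ip
    set interface-select-method auto
end

# Solution 3 (added example): the FortiGate answers client queries from its DNS database
# and returns SERVFAIL because the forwarder is not working. Point the zone's forwarder
# at a working resolver (8.8.8.8, as in the article). "example.local" is a placeholder zone.
config system dns-database
    edit "example.local"
        set domain "example.local"
        set type primary
        set view shadow
        set forwarder 8.8.8.8
    next
end
```

After applying either change, verify from the FortiGate with 'diagnose test application dnsproxy 1' and 'execute ping update.fortiguard.net' (hostname resolution is the part being tested), and from a client with a query against the FortiGate's interface address to confirm that SERVFAIL is no longer returned.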
Copyright 2024 Fortinet, Inc. All Rights Reserved.