Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
scampos
Staff
Staff

Created on ‎03-20-2025 10:56 PM Edited on ‎03-24-2025 11:54 PM By Community Manager

Article Id 383509

Technical Tip: How to solve 'unreachable' or high latency issue when using FortiGuard DNS servers

Description This article describes a possible solution when the FortiGate shows 'unreachable' or high latency for the FortiGuard servers (96.45.45.45 and 96.45.46.46).
Scope FortiGate v7.x.
Solution

Sometimes, when setting the FortiGuard DNS servers for the system DNS on the FortiGate, it can show the following behavior:

 

Screenshot 2025-03-20 133614.jpg

 

That happens because the FortiGuard DNS server uses DNS over TLS on port 853 for encrypted communication, while other public DNS server uses DNS on port 53.

 

TLS requires a certificate to authenticate the communication between the FortiGate and the server hostname globaldns.fortinet.net, once authenticated, the session can be opened to send DNS queries.

 

Since the authentication is against the FortiGuard servers, if a certificate without the SN of the FortiGate is selected for the TLS communication, the authentication is going to fail and for that is going to show the 'unreachable' error.

 

This can be resolved by using the self-signed certificate from FortiGate for the TLS authentication against the FortiGuard servers:

 

Screenshot 2025-03-20 133722.jpg

 

From CLI :

 

config system dns
    set ssl-certificate "Fortinet_Factory"
end

 

Troubleshooting:

To verify if FortiGate is using DoT (TCP/853), 'DNS Servers' will include port 853, and encrypt will show 'dot':

 

diagnose test application dnsproxy 3
worker idx: 0
VDOM: root, index=0, is primary, vdom dns is enabled, pip-0.0.0.0 dns_log=1
dns64 is disabled
DNS servers:
96.45.45.45:853 vrf=0 tz=0 encrypt=dot req=40 to=8 res=31 rt=2 ready=1 timer=0 probe=0 failure=0 last_failed=0
96.45.46.46:853 vrf=0 tz=0 encrypt=dot req=57 to=4 res=56 rt=1 ready=1 timer=0 probe=0 failure=0 last_failed=0
SDNS servers:
ALT servers:
VRF selected: 0
Interface selecting method: auto
Specified interface:
FortiGuard VRF selected: 0
FortiGuard interface selecting method: auto
FortiGuard specified interface:

 

A packet capture filtering by port 853 can further help debug whether the server is responding to DNS responses:

 

diagnose sniffer packet any 'port 853' 4 0 l
interfaces=[any]
filters=[port 853]
2025-03-24 10:23:53.650785 wan1 out 192.168.2.12.1068 -> 96.45.46.46.853
2025-03-24 10:23:53.650785 wan1 out 192.168.2.12.1068 -> 96.45.46.46.853
2025-03-24 10:23:53.677820 wan1 in 96.45.46.46.853 -> 192.168.2.12.1068
2025-03-24 10:23:53.677820 wan1 in 96.45.46.46.853 -> 192.168.2.12.1068

 

To dig into the issue further, the following sniffer can be tuned to use the verbose level '6' and converted to a Wireshark file to review queries and responses:

 

diagnose sniffer packet any 'port 853' 6 0 l

 

Related articles:

Troubleshooting Tip: Unable to connect to FortiGuard servers
Technical Tip: FortiGate Troubleshooting DNS commands 

Technical Tip: How to import 'diagnose sniffer packet' data to WireShark 

Troubleshooting Tip: Using Cloudflare DNS with DNS over TLS showing as unreachable
Labels:
155
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.