Troubleshooting Tip: Google DNS with DNS over TLS showing as unreachable

DNS over TLS is introduced in FortiOS 6.2.0 and above:

DNS over TLS

1. When Google DNS is configured with DoT protocol, the server reachability is showing as Unreachable:

2. Attempt to resolve any domain via FortiGate would fail:

    

   

    

    

3. It is possible to dump the DNS setting by issuing the command below:

    

   diag test app dnsproxy 3

    

   

    

    

4. To resolve this issue, it is necessary to change the 'Server hostname' parameter in the DNS configuration:

    

   

    

   CLI configuration:

    

   config system dns

       set primary 8.8.8.8

       set secondary 8.8.4.4

       set protocol dot

       set server-hostname "dns.google"

   end

    

    

5. Post changing the server hostname to the Google DNS hostname, DNS resolution would be working as expected:

    

   

    

    

6. Dump the DNS setting again and it is now possible to see no failure:

    

Related article:

Troubleshooting Tip: Using Cloudflare DNS with DNS over TLS showing as unreachable
Technical Tip: DNS over TLS (DoT) with 3rd Party Global DNS (Google DNS)