Description | This article describes the troubleshooting steps and the commands used when Google DNS configured with DNS over TLS (DoT) shows as Unreachable.
Scope | FortiGate 6.2.0 and above.
Solution |
DNS over TLS (DoT) was introduced in FortiOS 6.2.0: https://docs.fortinet.com/document/fortigate/6.2.0/new-features/642344/dns-over-tls
1) When Google DNS is configured with the DoT protocol, the server reachability shows as Unreachable:
2) Attempts to resolve any domain through the FortiGate fail:
3) The DNS settings can be dumped with the command below:
# diag test app dnsproxy 3
4) To resolve this issue, change the 'Server hostname' parameter in the DNS configuration:
CLI configuration:
# config system dns
    set primary 8.8.8.8
    set secondary 8.8.4.4
    set protocol dot
    set server-hostname "dns.google"
end
5) After changing the server hostname to the Google DNS hostname, DNS resolution works as expected:
6) Dumping the DNS settings again now shows no failure:
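As an added illustration (not Fortinet code), the Python client below performs the same DoT exchange from a workstation, reusing the server 8.8.8.8 and the hostname dns.google from the configuration above: the hostname is presented as SNI and checked against the server certificate, which is the role the 'server-hostname' setting plays, and a non-matching name (the constructed 'wrong.example') is rejected at the TLS handshake, the condition reported as Unreachable. The 'www.fortinet.com' lookup is only a constructed sample query.

```python
import socket
import ssl
import struct

def build_query(name, qid=0x1234):
    """Build a wire-format DNS A/IN query (RFC 1035) for `name`."""
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.strip(".").split("."))
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # flags RD=1, QDCOUNT=1
    return header + labels + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_a_records(msg):
    """Return (rcode, [IPv4 addresses]) from a DNS response message."""
    _, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", msg[:12])
    def skip_name(p):  # walk labels; a 0xC0 compression pointer ends the name
        while msg[p] and msg[p] & 0xC0 != 0xC0:
            p += msg[p] + 1
        return p + (2 if msg[p] else 1)
    pos = 12
    for _ in range(qdcount):
        pos = skip_name(pos) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        pos = skip_name(pos)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[pos:pos + 10])
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[pos + 10:pos + 14]))
        pos += 10 + rdlen
    return flags & 0x000F, addrs

def dot_query(name, server="8.8.8.8", server_hostname="dns.google", port=853):
    """One DoT query (RFC 7858): TCP/853, messages carry a 2-byte length prefix."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname (SNI)
    query = build_query(name)
    with socket.create_connection((server, port), timeout=5) as raw, \
            ctx.wrap_socket(raw, server_hostname=server_hostname) as tls:
        tls.sendall(struct.pack(">H", len(query)) + query)
        data = b""
        while len(data) < 2 or len(data) < 2 + int.from_bytes(data[:2], "big"):
            chunk = tls.recv(4096)
            if not chunk:
                raise ConnectionError("server closed the connection before replying")
            data += chunk
    return parse_a_records(data[2:])

if __name__ == "__main__":
    print(dot_query("www.fortinet.com"))  # hostname matches the certificate
    try:  # constructed non-matching hostname: handshake fails, like the 'Unreachable' case
        dot_query("www.fortinet.com", server_hostname="wrong.example")
    except ssl.SSLCertVerificationError as exc:
        print("rejected:", exc)
```

The message builder and parser run offline; only dot_query() needs network access to 8.8.8.8 on TCP port 853.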
Copyright 2023 Fortinet, Inc. All Rights Reserved.