DNS over TLS is introduced in FortiOS 6.2.0 and above:

DNS over TLS

1. When Google DNS is configured with DoT protocol, the server reachability is showing as Unreachable:

2. Attempt to resolve any domain via FortiGate would fail:

    

   

    

3. It is possible to dump the DNS setting by issuing the command below:
   
   diag test app dnsproxy 3

    

   

    

4. To resolve this issue, it is necessary to change the 'Server hostname' parameter in the DNS configuration:

    

   

    

   CLI configuration:
   
   config system dns
       set primary 8.8.8.8
       set secondary 8.8.4.4
       set protocol dot
       set server-hostname "dns.google"
   end

    

5. Post changing the server hostname to the Google DNS hostname, DNS resolution would be working as expected:

    

   

    

6. Dump the DNS setting again and it is now possible to see no failure:

    

Related article:

Troubleshooting Tip: Using Cloudflare DNS with DNS over TLS showing as unreachable
Technical Tip: DNS over TLS (DoT) with 3rd Party Global DNS (Google DNS)

Troubleshooting Tip: Quad9 DNS with DNS over TLS showing as unreachable