rtichkule (Staff)
Article Id 367312
Description: This article explains the behavior when using Quad9 DNS as FortiGate's DNS server.
Scope: FortiGate.
Solution:

When a Quad9 DNS server (9.9.9.9) is configured in FortiGate and TLS is selected as the DNS protocol, the server status shows 'Unreachable'. As a result, FortiGate is unable to resolve hostnames.


This happens because the server hostname does not match the DNS server IP address that was selected.

The server hostname parameter allows the FortiGate to verify the hostname presented in the DNS server's TLS certificate.

The server hostname must match the domain name in the remote DNS server's certificate, either in the Subject or in the SAN. If it does not match, the TLS session cannot be validated and the server is reported as 'Unreachable'.

 

To resolve the issue, configure the hostname of the DNS server as the server hostname: dns9.quad9.net is the hostname of the Quad9 server.


Steps for CLI:

 

config system dns
    set primary 9.9.9.9
    set protocol dot
    set server-hostname "dns9.quad9.net"
end
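The check behind this setting, as an added illustration that is not part of the article or of FortiOS: a DoT client only trusts the resolver when the configured server hostname matches a DNS name in the certificate, so a bare IP (9.9.9.9) or an empty hostname fails. The certificate below is constructed in the shape Python's ssl module reports and its names are assumed, not taken from Quad9's live certificate; probe_dot() is a hypothetical helper for a live test and needs network access.

```python
import ipaddress
import socket
import ssl

# Constructed certificate in the dict shape ssl.SSLSocket.getpeercert()
# returns; the names are assumed for illustration, not Quad9's live cert.
QUAD9_CERT = {
    "subject": ((("commonName", "dns9.quad9.net"),),),
    "subjectAltName": (("DNS", "dns9.quad9.net"), ("DNS", "*.quad9.net")),
}

def _dns_match(pattern: str, name: str) -> bool:
    """RFC 6125 style match: a wildcard only as the whole leftmost label."""
    pattern, name = pattern.lower(), name.lower()
    if pattern == name:
        return True
    if not pattern.startswith("*."):
        return False
    plabels, nlabels = pattern.split(".")[1:], name.split(".")
    return len(nlabels) == len(plabels) + 1 and nlabels[1:] == plabels

def hostname_matches(cert: dict, server_hostname: str) -> bool:
    """True when the 'set server-hostname' value matches the cert; an empty
    value or a bare IP like 9.9.9.9 cannot match a name cert ('Unreachable')."""
    if not server_hostname:
        return False
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(server_hostname)
    except ValueError:
        ip = None
    if ip is not None:  # an IP literal only matches an IP Address SAN
        return any(k == "IP Address" and ipaddress.ip_address(v) == ip
                   for k, v in sans)
    names = [v for k, v in sans if k == "DNS"]
    if not names:  # fall back to the CN only when there are no DNS SANs
        names = [v for rdn in cert.get("subject", ())
                 for k, v in rdn if k == "commonName"]
    return any(_dns_match(p, server_hostname) for p in names)

def probe_dot(server_ip: str, server_hostname: str, port: int = 853) -> bool:
    """Live check (needs network): TLS to the resolver with hostname verification."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((server_ip, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=server_hostname):
                return True
    except (ssl.SSLError, OSError):
        return False
```

With network access, probe_dot("9.9.9.9", "dns9.quad9.net") performs the same verification the FortiGate does once server-hostname is set.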


Alternatively, if TLS is not a requirement, enable the DNS protocol 'DNS (UDP/53)' and disable 'TLS (TCP/853)' instead. With this configuration FortiGate resolves hostnames without a server hostname being specified, but the DNS queries are then sent in cleartext rather than over an authenticated TLS session.
