Description: This article describes the behavior observed when Quad9 DNS (9.9.9.9) is used as the FortiGate's DNS server with DNS over TLS, and how to resolve it.
Scope: FortiGate.
Solution:
When Quad9 (9.9.9.9) is configured as a DNS server on the FortiGate under Network -> DNS and 'TLS (TCP/853)' is selected as the DNS protocol, the server status shows 'Unreachable'. As a result, the FortiGate is unable to resolve hostnames.
This happens because no server hostname has been configured for the selected DNS server IP address, so the FortiGate cannot validate the TLS connection. With DNS over TLS the FortiGate verifies the certificate presented by the remote DNS server, and the 'server hostname' parameter is the name it expects to find in that certificate's Subject or Subject Alternative Name (SAN). If the configured hostname is missing or does not match the certificate, the TLS session is rejected and the server is reported as 'Unreachable'.
To resolve the issue, configure the server hostname of the DNS server. For the Quad9 server at 9.9.9.9 the hostname is dns9.quad9.net.
Steps for CLI:

config system dns
    set primary 9.9.9.9
    set protocol dot
    set server-hostname "dns9.quad9.net"
end
Alternatively, if DNS over TLS is not a requirement, enable the DNS protocol 'DNS (UDP/53)' and disable 'TLS (TCP/853)' instead. This allows the FortiGate to resolve hostnames without a server hostname, because no certificate is validated. Note that plain UDP/53 queries are neither encrypted nor authenticated, so they can be observed or answered by anything on the path; this fallback trades the protection of DNS over TLS for convenience.
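The hostname check that the FortiGate performs on the DNS over TLS connection can be reproduced with a small DNS-over-TLS (RFC 7858) client. The following Python script is an added example written for this article; it is not Fortinet code and does not run on a FortiGate. It connects to 9.9.9.9 on TCP/853, verifies the server certificate against a given hostname the same way any TLS client does (the hostname is also sent as SNI), sends one A query and parses the reply. The server IP and dns9.quad9.net come from the article; the query name example.com and the "wrong.example" hostname used to trigger the failure are assumptions for illustration. Running it with the correct hostname returns addresses; running it with a hostname that is not in the certificate raises ssl.SSLCertVerificationError, which is the condition the FortiGate surfaces as 'Unreachable'.

```python
"""Minimal DNS-over-TLS client (RFC 7858) showing why the configured server
hostname must match the DoT server's certificate.
Added example for this article; not Fortinet code."""
import socket
import ssl
import struct

QUAD9_IP = "9.9.9.9"            # from the article
QUAD9_HOSTNAME = "dns9.quad9.net"  # from the article
WRONG_HOSTNAME = "wrong.example"   # assumed name that is not in the certificate


def build_query(name, txid=0x1234):
    """Encode a standard DNS query (QTYPE A, QCLASS IN) in wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    )
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def parse_a_records(msg):
    """Return (rcode, [IPv4 strings]) from a DNS response.
    Handles compression pointers (0xC0) in owner names."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x0F

    def skip_name(off):
        while True:
            length = msg[off]
            if length == 0:
                return off + 1
            if length & 0xC0 == 0xC0:   # two-byte compression pointer
                return off + 2
            off += 1 + length

    off = 12
    for _ in range(qd):
        off = skip_name(off) + 4        # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = skip_name(off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return rcode, addrs


def recv_exact(sock, n):
    """Read exactly n bytes from a TLS socket."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection early")
        buf += chunk
    return buf


def resolve_over_dot(server_ip, server_hostname, name, timeout=5):
    """Send one query over TLS to server_ip:853.
    create_default_context() enables chain validation and hostname checking,
    so server_hostname must appear in the certificate's Subject CN or SAN;
    otherwise ssl.SSLCertVerificationError is raised during the handshake."""
    ctx = ssl.create_default_context()
    with socket.create_connection((server_ip, 853), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_hostname) as tls:
            query = build_query(name)
            # RFC 7858: each DNS message is prefixed with a two-octet length.
            tls.sendall(struct.pack("!H", len(query)) + query)
            length = struct.unpack("!H", recv_exact(tls, 2))[0]
            return parse_a_records(recv_exact(tls, length))


if __name__ == "__main__":
    # Requires network access; the hostname from the article validates.
    print("with correct hostname:", resolve_over_dot(QUAD9_IP, QUAD9_HOSTNAME, "example.com"))
    try:
        resolve_over_dot(QUAD9_IP, WRONG_HOSTNAME, "example.com")
    except ssl.SSLCertVerificationError as err:
        # This is the failure the FortiGate shows as 'Unreachable'.
        print("hostname mismatch rejected:", err)
```

The same behaviour applies to the UDP/53 fallback in reverse: a plain socket performs no certificate or hostname check at all, which is why that mode works without a server hostname and also why it provides no authentication of the resolver.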
Related articles:
Technical Tip: DNS server on FortiGate caused FortiGate DNS latency
Technical Tip: DNS troubleshooting
Technical Tip: DNS stops working when using custom DNS
Technical Tip: FortiGate DNS Server works as DNS proxy
Technical Tip: DNS server is unreachable when using custom DNS
Technical Tip: Enable DNS over TLS with Google DNS servers
Troubleshooting Tip: Using Cloudflare DNS with DNS over TLS showing as unreachable
Troubleshooting Tip: Google DNS with DNS over TLS showing as unreachable
Copyright 2025 Fortinet, Inc. All Rights Reserved.