FortiGate
ddeguzman (Staff)
Article Id 346676
Description: This article explains FortiGate's behavior when Cloudflare DNS is used as its DNS server.
Scope: FortiGate.
Solution:

When a third-party DNS server such as Cloudflare (1.1.1.1 and 1.0.0.1) is configured on FortiGate with TLS selected as the DNS protocol, the server is shown as 'Unreachable'. As a result, FortiGate cannot resolve hostnames.

DNS-Cloudflare-error.JPG

This happens because the configured server hostname does not match the DNS server IPs selected: with DNS over TLS, FortiGate uses the 'Server Hostname' to validate the certificate presented by the DNS server, so a mismatch causes the TLS session to fail and the server is reported as unreachable. To resolve this, update the 'Server Hostname' under the DNS configuration so that it matches the selected servers.

DNS-Cloudflare.JPG
To configure via CLI:

config system dns
    set primary 1.1.1.1
    set secondary 1.0.0.1
    set protocol dot
    set server-hostname "one.one.one.one"
end

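As an added example (not part of this article and not FortiOS code), the following Python script reproduces the check that FortiGate is effectively performing for DNS over TLS: the configured server hostname must be covered by a dNSName entry in the certificate the DoT server presents. The SAMPLE_CERT subjectAltName list is constructed for illustration, and probe_dot_server() is a live TLS handshake that needs network access; hostname_matches() runs offline.

```python
"""Check whether a DNS-over-TLS server certificate covers a configured server hostname."""
import socket
import ssl

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert().
# The SAN list is an assumption for illustration, not a captured certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "cloudflare-dns.com"),),),
    "subjectAltName": (
        ("DNS", "cloudflare-dns.com"),
        ("DNS", "*.cloudflare-dns.com"),
        ("DNS", "one.one.one.one"),
        ("IP Address", "1.1.1.1"),
        ("IP Address", "1.0.0.1"),
    ),
}


def _name_matches(pattern: str, hostname: str) -> bool:
    """Exact match, or a single leftmost '*' label (RFC 6125 style), case-insensitive."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        parts = hostname.split(".", 1)  # wildcard covers exactly one label
        return len(parts) == 2 and parts[1] == pattern[2:]
    return False


def hostname_matches(cert: dict, server_hostname: str) -> bool:
    """True if server_hostname is covered by a dNSName SAN of the certificate."""
    dns_names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(_name_matches(name, server_hostname) for name in dns_names)


def probe_dot_server(ip: str, server_hostname: str, port: int = 853, timeout: float = 5.0) -> str:
    """Live check: TLS handshake to ip:port, sending server_hostname as SNI and verifying
    the certificate against it, as a DoT client does. Returns 'reachable' on success or a
    short reason that corresponds to FortiGate reporting the server as 'Unreachable'."""
    ctx = ssl.create_default_context()  # verifies chain and hostname by default
    try:
        with socket.create_connection((ip, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=server_hostname) as tls:
                tls.getpeercert()  # handshake completed and certificate verified
                return "reachable"
    except ssl.SSLCertVerificationError as exc:
        return f"certificate verification failed: {exc.reason}"
    except (OSError, ssl.SSLError) as exc:
        return f"connection failed: {exc}"


if __name__ == "__main__":
    print(probe_dot_server("1.1.1.1", "one.one.one.one"))
```

Running the script with a hostname that is not in the server's certificate (for example a mistyped 'Server Hostname') returns the verification failure, which is the condition behind the 'Unreachable' status.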
Alternatively, enable the DNS protocol "DNS (UDP/53)" and disable "TLS (TCP/853)". This configuration allows FortiGate to resolve hostnames without specifying a server hostname, but the DNS queries are then sent unencrypted and no longer benefit from TLS protection.

image - 2024-10-03T123006.671.png