Fortinet black logo

Handbook

Home FortiADC 7.2.0 Handbook

Configuring DNS over HTTPS and DNS over TLS

7.2.0
7.4.3
7.4.2
7.4.1
7.4.0
7.2.5
7.2.4
7.2.3
7.2.2
7.2.1
7.2.0
7.1.4
7.1.3
7.1.2
7.1.1
7.1.0
7.0.5
7.0.4
7.0.3
7.0.2
7.0.1
7.0.0
6.2.6
6.2.5
6.2.4
6.2.3
6.2.2
6.2.1
6.2.0
6.1.6
6.1.5
6.1.4
6.1.3
6.1.2
6.1.1
6.1.0
6.0.1
6.0.0
5.4.3
5.4.2
5.4.1
5.4.0
5.3.6
5.3.5
5.3.4
5.3.3
5.3.2
5.3.1
5.3.0
5.2.7
Copy Link
Copy Doc ID cf7fad5a-adcd-11ed-8e6d-fa163e15d75b:997585
Download PDF

Configuring DNS over HTTPS and DNS over TLS

DNS over HTTPS (DoH) and DNS over TLS (DoT) are protocols used to encrypt communications with DNS resolvers. DoH encrypts the DNS traffic by passing DNS queries through an HTTPS encrypted session. Whereas DoT adds TLS encryption on top of the UDP that is used for DNS queries.

The primary difference between the DoH and DoT standards is what port they use. DoT only uses port 853, whereas DoH uses port 443 (which is the port that all other HTTPS traffic uses as well).

To configure DNS over HTTPS or DNS over TLS on FortiADC, follow the basic steps below:

Step 1: Prepare a full domain name or an IP address for your DoH/DoT service

Step 2: Prepare a certificate pair for the DoH/DoT service

Step 3: Enable DoH/DoT service on FortiADC

Step 4: Enable DoH/DoT service on your browser or local application

Step 1: Prepare a full domain name or an IP address for your DoH/DoT service

Before you can configure DoH/DoT on FortiADC, you must first prepare a full domain name or an IP address for the DoH/DoT service. This will then be used for your custom DoH/DoT server URL and to sign the certificate.

You can prepare the full domain using either of the following methods:

  • If your organization manages its own public domain, you can add a new record to the domain.
    1. Login to you DNS service provider and go to your DNS Domain management page.
    2. Add a new record to the existing public domain as dns.yourdomain.com. The IP address is the DNS-over-HTTPS or DNS-over-TLS service public IP.
  • If you want to test your own domain, you can add the full domain name resolution to the local hosts file.
    For example: The Ubuntu local hosts file would be located at /etc/hosts, and in Windows it would be at c:\Windows\System32\Drivers\etc\hosts.

Step 2: Prepare a certificate pair for the DoH/DoT service

Use the full domain name or IP address for the DoH/DoT service previously prepared to create a certificate pair.

You can prepare the certificate pair for your DoH/DoT service using either of the following methods:

  • Apply for a public certificate from a public CA with your full domain name or IP address.
  • Generate a self-signed certificate. Note: A self-signed certificate cannot be generated through FortiADC.
    For example: Generating a self-signed certificate in Ubuntu with OpenSSL
    1. Prepare the prerequisites:
      mkdir demoCA
mkdir demoCA/newcerts
echo 01 > demoCA/serial
touch demoCA/index.txt
    2. Add the following lines to the file /usr/lib/ssl/openssl.cnf under the [v3_req] section.
      subjectAltName = @alt_names
[alt_names]
DNS.1=dns.yourdomain.com
IP.1=yourdomain IP
    3. Generate the root CA key.
      openssl genrsa -out rootca.key 2048
    4. Generate the root CA cert.
      openssl req -new -x509 -days 3650 -key rootca.key -out rootca.crt -subj "/C=Country/ST=State/L=Location/O=Company/OU=Department/CN=yourdomain.com/emailAddress=admin@yourdomain.com"
    5. Generate the DNS server private key.
      openssl genrsa -out dns-doh.key 2048
    6. Generate the DNS server cert (enter y if prompted).
      openssl req -new -key dns-doh.key -out dns-doh.csr -subj "/C=Country/ST=State/L=Location/O=Company/OU=Department/CN=yourdomain.com/emailAddress=admin@yourdomain.com"

openssl ca -in dns-doh.csr -out dns-doh.crt -cert rootca.crt -keyfile rootca.key -days 365 -extensions v3_req
    7. Verify the certificate.
      openssl verify -CAfile rootca.crt dns-doh.crt

Step 3: Enable DoH/DoT service on FortiADC

After preparing the certificate pair for the DoH/DoT service, you can import the certificate and then enable the DoH/DoT function in FortiADC.

  1. Go to System > Manage Certificates.
  2. Click the Local Certificate tab.
  3. Click Import to upload the prepared certificate in FortiADC.
  4. Go to Global Load Balance > Zone Tools.
  5. Click the General Settings tab.
  6. Configure the following relevant settings to enable DNS over HTTPS service and save the configuration:

    Setting

    Guidelines

    Global DNS ConfigurationEnable Global DNS Configuration.
    DNS over HTTPSEnable DNS over HTTPS service.
    DNS over HTTPS portDefault port is 443. Change the HTTPS service port number if it is not the default HTTPS service port or if there is an IP/port conflict.
    DNS over HTTPS Interface ListSelect the interfaces that allow the DNS over HTTPS service.
    CertificateSelect the matching certificate.
    1. Test your DNS over HTTPS configuration.
      For example, you can use a DNS lookup tool such as Dig from a remote system.
      dig @yourdomain.com example.com +https
      If the DNS over HTTPS is successfully configured, you should get the IP address of example.com: 93.184.216.34.
      From Dig's output, you should also see the following:
      ;; SERVER: 18.217.127.135#443(dns.yourdomain.com) (HTTPS)
      This confirms that the query/response operation was performed successfully over HTTPS (TCP port 443) rather than the traditional UDP port 53.
  7. Configure the following relevant settings to enable DNS over TLS service and save the configuration:

    Setting

    Guidelines

    Global DNS ConfigurationEnable Global DNS Configuration.
    DNS over TLSEnable DNS over TLS service.
    DNS over TLS portDefault port is 853.
    DNS over TLS Interface ListSelect the interfaces that allow the DNS over TLS service.
    CertificateSelect the matching certificate.
    1. Test your DNS over TLS configuration.
      For example, you can use a DNS lookup tool such as Dig from a remote system.
      dig @yourdomain.com example.com +tls
      If the DNS over HTTPS is successfully configured, you should get the IP address of example.com: 93.184.216.34.
      From Dig's output, you should also see the following:
      ;; SERVER: 18.217.127.135#853(dns.yourdomain.com) (TLS)
      This confirms that the query/response operation was performed successfully over TLS (TCP port 853) rather than the traditional UDP port 53.

Step 4: Enable DoH/DoT service on your browser or local application

After you have configured DoH/DoT on FortiADC, enable DoH/DoT service on your browser or local application. However, if you have used a self-signed certificate pair, you need to first import that certificate into the local system before enabling DoH/DoT on the browser or local application.

Importing the self-signed certificate pair to the local system for DoH/DoT
Example 1: Importing the self-signed certificate to Windows
  1. Launch MMC (mmc.exe). Go to File > Add/Remove Snap-ins.
  2. Select Certificates, then click Add.
    The Certificates snap-in dialog displays.
  3. In the Certificates snap-in dialog, select My user account. Click Finish, then click OK.
  4. Select Certificates - Current User, right-click on Trusted Root Certification Authorities. Then select All Tasks > Import.

    The Certificate Import Wizard dialog displays.
  5. In the Certificate Import Wizard dialog, click Browse to select the rootca.crt file and click Open.
  6. Select Place all certificates in the following store and set Trusted Root Certification Authorities as the Certificate store. Click Next and Next again, then click Finish.
  7. Click Yes and Finish for the prompt windows.
Example 2: Importing the self-signed certificate to Ubuntu
  1. Install or update ca-certificates.
    $ sudo apt-get install -y ca-certificates
  2. Copy your certificate in PEM format (the format that has ----BEGIN CERTIFICATE---- in it) into /usr/local/share/ca-certificates and name it with a .crt file extension.
    $ sudo cp rootca.crt /usr/local/share/ca-certificates
  3. Update your ca chain list.
    $ sudo update-ca-certificates
Enabling DNS over HTTPS on the browser
Example 1: Enable DoH in Chrome (version 105.0.5195.102)
  1. Import self-signed certificate to Chrome. You may skip this step if you use a public certificate.
    1. Open chrome://settings/privacy and select Security.
    2. Scroll down and select Manage Certificates > Authorities, then click Import.
    3. Select the file rootca.crt and open. Check all the boxes and click OK.
  2. Enable custom DNS over HTTPS settings.
    1. Go to Settings > Privacy and security > Security.
    2. Enable Use secure DNS, select With, then select Custom from the drop-down list.
    3. Input the URL that matches your FortiADC DNS server domain and your certificate as https://yourdomain/dns-query or https://yourIP:port/dns-query.
  3. Debugging.
    Try the following URL and see if there is a file downloading.
    https://yourdomain/dns-query?dns=q80BAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB
    If downloaded, then all configurations are correct.
    Otherwise, the most common error is ERR_CERT_COMMON_NAME_INVALID, which means your server cert CN is invalid or does not match your FortiADC server.
Example 2: Enable DoH in Firefox (version 104.0.2)
  1. Import self-signed certificate to Firefox. You may skip this step if you use a public certificate.
    1. Go to Settings > Privacy & Security, under the Certificates section, click View Certificates.
    2. Select Authorities, click Import and select your root CA file. Check all the boxes and click OK to save.
  2. Enable custom DNS over HTTPS settings.
    1. Go to Settings > General, under the Network Settings section, click Settings.
    2. Select Enable DNS over HTTPS. In the Use Provider field, select Custom from the drop-down list.
    3. Input the URL that matches your FortiADC DNS server domain and your certificate as https://yourdomain/dns-query or https://yourIP:port/dns-query. Click OK to save.
  3. Debugging.
    Try the following URL and see if there is a file downloading.
    https://yourdomain/dns-query?dns=q80BAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB
    If downloaded, then all configurations are correct.
    Otherwise, the most common error is ERR_CERT_COMMON_NAME_INVALID, which means your server cert CN is invalid or does not match your FortiADC server.
Enabling DNS over TLS on your local application
Example 1: Enable DoT in Ubuntu with systemd
  1. Check the systemd version.
    systemd start to support strict DNS over TLS mode from version 243. Use the following command to check your version and update it if the version is too old.
    $ systemd --v
systemd 249 (249.11-0ubuntu3.6)
  2. Set up the systemd configuration.
    Modify /etc/systemd/resolved.conf so that it is similar to what is shown below. Be sure to enable DNS over TLS and to configure the IP addresses of the DNS servers you want to use.
    $ cat /etc/systemd/resolved.conf
DNS=10.106.210.81
FallbackDNS=8.8.8.8
#Domains=
#DNSSEC=no
DNSOverTLS=yes
#LLMNR=yes
#MulticastDNS=yes
#Cache=yes
#DNSStubListener=yes
#ReadEtcHosts=yes
  3. Restart services.
    To make the settings configured in the previous steps take effect, restart systemd-resolved.
    $ sudo systemctl restart systemd-resolved
  4. Check that everything is running correctly.
    $ resolvectl status
Global
           Protocols: -LLMNR -mDNS +DNSOverTLS -DNSSEC
    resolv.conf mode: foreign
  Current DNS Server: 10.106.210.81
         DNS Servers: 10.106.210.81
Fallback DNS Servers: 8.8.8.8
  5. Verify the configuration.
    Use the following command to perform a DNS query.
    $ sudo resolvectl flush-caches 
$ resolvectl query google.com
google.com: 142.250.72.206                     -- link: ens160
            2607:f8b0:4005:801::200e           -- link: ens160
 
-- Information acquired via protocol DNS in 23.8ms.
-- Data is authenticated: no; Data was acquired via local or encrypted transport: yes
-- Data from: network

    Use tcpdump to capture the traffic in another terminal. You will find that the traffic goes to DNS server 10.106.210.81 port 853 instead of the regular DNS service port 53.

Example 2: Enable DoT in Ubuntu with Unbound
  1. Install Unbound.
    # sudo apt install -y unbound
# sudo systemctl enable unbound
  2. Edit the configuration file.
    # cat /etc/unbound/unbound.conf.d/pihole.conf
server:
    port: 53
    tls-upstream: yes                                          
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
 
forward-zone:
    name: "."
    forward-addr: 10.106.210.81@853

# unbound-checkconf
unbound-checkconf: no errors in /etc/unbound/unbound.conf
  3. Restart services.
    # sudo systemctl restart unbound
  4. Verify the configuration.
    Perform a simple Dig test and use tcpdump to capture the traffic in another terminal. You will find that all the DNS traffic goes to Server 10.106.210.81 port 853 instead the regular DNS service port 53.
Example 3: Enable DoT in Windows with YogaDNS
  1. Go to https://dns.sb/guide/dot/windows/
  2. Set the IP address and optional port to match your FortiADC configuration.
  3. Under DNS over TLS options, set the Hostname to match your certificate or you may leave it blank. Click OK.
Previous
Next

Configuring DNS over HTTPS and DNS over TLS

DNS over HTTPS (DoH) and DNS over TLS (DoT) are protocols used to encrypt communications with DNS resolvers. DoH encrypts the DNS traffic by passing DNS queries through an HTTPS encrypted session. Whereas DoT adds TLS encryption on top of the UDP that is used for DNS queries.

The primary difference between the DoH and DoT standards is what port they use. DoT only uses port 853, whereas DoH uses port 443 (which is the port that all other HTTPS traffic uses as well).

To configure DNS over HTTPS or DNS over TLS on FortiADC, follow the basic steps below:

Step 1: Prepare a full domain name or an IP address for your DoH/DoT service

Step 2: Prepare a certificate pair for the DoH/DoT service

Step 3: Enable DoH/DoT service on FortiADC

Step 4: Enable DoH/DoT service on your browser or local application

Step 1: Prepare a full domain name or an IP address for your DoH/DoT service

Before you can configure DoH/DoT on FortiADC, you must first prepare a full domain name or an IP address for the DoH/DoT service. This will then be used for your custom DoH/DoT server URL and to sign the certificate.

You can prepare the full domain using either of the following methods:

  • If your organization manages its own public domain, you can add a new record to the domain.
    1. Login to you DNS service provider and go to your DNS Domain management page.
    2. Add a new record to the existing public domain as dns.yourdomain.com. The IP address is the DNS-over-HTTPS or DNS-over-TLS service public IP.
  • If you want to test your own domain, you can add the full domain name resolution to the local hosts file.
    For example: The Ubuntu local hosts file would be located at /etc/hosts, and in Windows it would be at c:\Windows\System32\Drivers\etc\hosts.

Step 2: Prepare a certificate pair for the DoH/DoT service

Use the full domain name or IP address for the DoH/DoT service previously prepared to create a certificate pair.

You can prepare the certificate pair for your DoH/DoT service using either of the following methods:

  • Apply for a public certificate from a public CA with your full domain name or IP address.
  • Generate a self-signed certificate. Note: A self-signed certificate cannot be generated through FortiADC.
    For example: Generating a self-signed certificate in Ubuntu with OpenSSL
    1. Prepare the prerequisites:
      mkdir demoCA
mkdir demoCA/newcerts
echo 01 > demoCA/serial
touch demoCA/index.txt
    2. Add the following lines to the file /usr/lib/ssl/openssl.cnf under the [v3_req] section.
      subjectAltName = @alt_names
[alt_names]
DNS.1=dns.yourdomain.com
IP.1=yourdomain IP
    3. Generate the root CA key.
      openssl genrsa -out rootca.key 2048
    4. Generate the root CA cert.
      openssl req -new -x509 -days 3650 -key rootca.key -out rootca.crt -subj "/C=Country/ST=State/L=Location/O=Company/OU=Department/CN=yourdomain.com/emailAddress=admin@yourdomain.com"
    5. Generate the DNS server private key.
      openssl genrsa -out dns-doh.key 2048
    6. Generate the DNS server cert (enter y if prompted).
      openssl req -new -key dns-doh.key -out dns-doh.csr -subj "/C=Country/ST=State/L=Location/O=Company/OU=Department/CN=yourdomain.com/emailAddress=admin@yourdomain.com"

openssl ca -in dns-doh.csr -out dns-doh.crt -cert rootca.crt -keyfile rootca.key -days 365 -extensions v3_req
    7. Verify the certificate.
      openssl verify -CAfile rootca.crt dns-doh.crt

Step 3: Enable DoH/DoT service on FortiADC

After preparing the certificate pair for the DoH/DoT service, you can import the certificate and then enable the DoH/DoT function in FortiADC.

  1. Go to System > Manage Certificates.
  2. Click the Local Certificate tab.
  3. Click Import to upload the prepared certificate in FortiADC.
  4. Go to Global Load Balance > Zone Tools.
  5. Click the General Settings tab.
  6. Configure the following relevant settings to enable DNS over HTTPS service and save the configuration:

    Setting

    Guidelines

    Global DNS ConfigurationEnable Global DNS Configuration.
    DNS over HTTPSEnable DNS over HTTPS service.
    DNS over HTTPS portDefault port is 443. Change the HTTPS service port number if it is not the default HTTPS service port or if there is an IP/port conflict.
    DNS over HTTPS Interface ListSelect the interfaces that allow the DNS over HTTPS service.
    CertificateSelect the matching certificate.
    1. Test your DNS over HTTPS configuration.
      For example, you can use a DNS lookup tool such as Dig from a remote system.
      dig @yourdomain.com example.com +https
      If the DNS over HTTPS is successfully configured, you should get the IP address of example.com: 93.184.216.34.
      From Dig's output, you should also see the following:
      ;; SERVER: 18.217.127.135#443(dns.yourdomain.com) (HTTPS)
      This confirms that the query/response operation was performed successfully over HTTPS (TCP port 443) rather than the traditional UDP port 53.
  7. Configure the following relevant settings to enable DNS over TLS service and save the configuration:

    Setting

    Guidelines

    Global DNS ConfigurationEnable Global DNS Configuration.
    DNS over TLSEnable DNS over TLS service.
    DNS over TLS portDefault port is 853.
    DNS over TLS Interface ListSelect the interfaces that allow the DNS over TLS service.
    CertificateSelect the matching certificate.
    1. Test your DNS over TLS configuration.
      For example, you can use a DNS lookup tool such as Dig from a remote system.
      dig @yourdomain.com example.com +tls
      If the DNS over HTTPS is successfully configured, you should get the IP address of example.com: 93.184.216.34.
      From Dig's output, you should also see the following:
      ;; SERVER: 18.217.127.135#853(dns.yourdomain.com) (TLS)
      This confirms that the query/response operation was performed successfully over TLS (TCP port 853) rather than the traditional UDP port 53.

Step 4: Enable DoH/DoT service on your browser or local application

After you have configured DoH/DoT on FortiADC, enable DoH/DoT service on your browser or local application. However, if you have used a self-signed certificate pair, you need to first import that certificate into the local system before enabling DoH/DoT on the browser or local application.

Importing the self-signed certificate pair to the local system for DoH/DoT
Example 1: Importing the self-signed certificate to Windows
  1. Launch MMC (mmc.exe). Go to File > Add/Remove Snap-ins.
  2. Select Certificates, then click Add.
    The Certificates snap-in dialog displays.
  3. In the Certificates snap-in dialog, select My user account. Click Finish, then click OK.
  4. Select Certificates - Current User, right-click on Trusted Root Certification Authorities. Then select All Tasks > Import.

    The Certificate Import Wizard dialog displays.
  5. In the Certificate Import Wizard dialog, click Browse to select the rootca.crt file and click Open.
  6. Select Place all certificates in the following store and set Trusted Root Certification Authorities as the Certificate store. Click Next and Next again, then click Finish.
  7. Click Yes and Finish for the prompt windows.
Example 2: Importing the self-signed certificate to Ubuntu
  1. Install or update ca-certificates.
    $ sudo apt-get install -y ca-certificates
  2. Copy your certificate in PEM format (the format that has ----BEGIN CERTIFICATE---- in it) into /usr/local/share/ca-certificates and name it with a .crt file extension.
    $ sudo cp rootca.crt /usr/local/share/ca-certificates
  3. Update your ca chain list.
    $ sudo update-ca-certificates
Enabling DNS over HTTPS on the browser
Example 1: Enable DoH in Chrome (version 105.0.5195.102)
  1. Import self-signed certificate to Chrome. You may skip this step if you use a public certificate.
    1. Open chrome://settings/privacy and select Security.
    2. Scroll down and select Manage Certificates > Authorities, then click Import.
    3. Select the file rootca.crt and open. Check all the boxes and click OK.
  2. Enable custom DNS over HTTPS settings.
    1. Go to Settings > Privacy and security > Security.
    2. Enable Use secure DNS, select With, then select Custom from the drop-down list.
    3. Input the URL that matches your FortiADC DNS server domain and your certificate as https://yourdomain/dns-query or https://yourIP:port/dns-query.
  3. Debugging.
    Try the following URL and see if there is a file downloading.
    https://yourdomain/dns-query?dns=q80BAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB
    If downloaded, then all configurations are correct.
    Otherwise, the most common error is ERR_CERT_COMMON_NAME_INVALID, which means your server cert CN is invalid or does not match your FortiADC server.
Example 2: Enable DoH in Firefox (version 104.0.2)
  1. Import self-signed certificate to Firefox. You may skip this step if you use a public certificate.
    1. Go to Settings > Privacy & Security, under the Certificates section, click View Certificates.
    2. Select Authorities, click Import and select your root CA file. Check all the boxes and click OK to save.
  2. Enable custom DNS over HTTPS settings.
    1. Go to Settings > General, under the Network Settings section, click Settings.
    2. Select Enable DNS over HTTPS. In the Use Provider field, select Custom from the drop-down list.
    3. Input the URL that matches your FortiADC DNS server domain and your certificate as https://yourdomain/dns-query or https://yourIP:port/dns-query. Click OK to save.
  3. Debugging.
    Try the following URL and see if there is a file downloading.
    https://yourdomain/dns-query?dns=q80BAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB
    If downloaded, then all configurations are correct.
    Otherwise, the most common error is ERR_CERT_COMMON_NAME_INVALID, which means your server cert CN is invalid or does not match your FortiADC server.
Enabling DNS over TLS on your local application
Example 1: Enable DoT in Ubuntu with systemd
  1. Check the systemd version.
    systemd start to support strict DNS over TLS mode from version 243. Use the following command to check your version and update it if the version is too old.
    $ systemd --v
systemd 249 (249.11-0ubuntu3.6)
  2. Set up the systemd configuration.
    Modify /etc/systemd/resolved.conf so that it is similar to what is shown below. Be sure to enable DNS over TLS and to configure the IP addresses of the DNS servers you want to use.
    $ cat /etc/systemd/resolved.conf
DNS=10.106.210.81
FallbackDNS=8.8.8.8
#Domains=
#DNSSEC=no
DNSOverTLS=yes
#LLMNR=yes
#MulticastDNS=yes
#Cache=yes
#DNSStubListener=yes
#ReadEtcHosts=yes
  3. Restart services.
    To make the settings configured in the previous steps take effect, restart systemd-resolved.
    $ sudo systemctl restart systemd-resolved
  4. Check that everything is running correctly.
    $ resolvectl status
Global
           Protocols: -LLMNR -mDNS +DNSOverTLS -DNSSEC
    resolv.conf mode: foreign
  Current DNS Server: 10.106.210.81
         DNS Servers: 10.106.210.81
Fallback DNS Servers: 8.8.8.8
  5. Verify the configuration.
    Use the following command to perform a DNS query.
    $ sudo resolvectl flush-caches 
$ resolvectl query google.com
google.com: 142.250.72.206                     -- link: ens160
            2607:f8b0:4005:801::200e           -- link: ens160
 
-- Information acquired via protocol DNS in 23.8ms.
-- Data is authenticated: no; Data was acquired via local or encrypted transport: yes
-- Data from: network

    Use tcpdump to capture the traffic in another terminal. You will find that the traffic goes to DNS server 10.106.210.81 port 853 instead of the regular DNS service port 53.

Example 2: Enable DoT in Ubuntu with Unbound
  1. Install Unbound.
    # sudo apt install -y unbound
# sudo systemctl enable unbound
  2. Edit the configuration file.
    # cat /etc/unbound/unbound.conf.d/pihole.conf
server:
    port: 53
    tls-upstream: yes                                          
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
 
forward-zone:
    name: "."
    forward-addr: 10.106.210.81@853

# unbound-checkconf
unbound-checkconf: no errors in /etc/unbound/unbound.conf
  3. Restart services.
    # sudo systemctl restart unbound
  4. Verify the configuration.
    Perform a simple Dig test and use tcpdump to capture the traffic in another terminal. You will find that all the DNS traffic goes to Server 10.106.210.81 port 853 instead the regular DNS service port 53.
Example 3: Enable DoT in Windows with YogaDNS
  1. Go to https://dns.sb/guide/dot/windows/
  2. Set the IP address and optional port to match your FortiADC configuration.
  3. Under DNS over TLS options, set the Hostname to match your certificate or you may leave it blank. Click OK.
Previous
Next