DNS over TLS

A new option has been added to the DNS profile that enforces DNS over TLS for added security.

DNS over TLS (DoT) is a security protocol for encrypting and wrapping Domain Name System (DNS) queries and answers via the Transport Layer Security (TLS) protocol. The goal of the method is to increase user privacy and security by preventing eavesdropping and manipulation of DNS data via man-in-the-middle attacks.

Below is a typical topology.

FortiGate (client/server) <-----(DNS over TLS)-----> DNS server/client

To configure DNS over TLS using the GUI:
  1. Go to Network > DNS.
  2. In DNS over TLS, select Enforce.

To configure DNS over TLS using the CLI:
FGT_A (global) # config system dns 
 
FGT_A (dns) # show
config system dns
    set primary 8.8.8.8
    set dns-over-tls enforce
end
 
FGT_A (dns) # set dns-over-tls 
disable    Disable DNS over TLS.
enable     Use TLS for DNS queries if TLS is available.
enforce    Use only TLS for DNS queries. Does not fall back to unencrypted DNS queries if TLS is unavailable.
 
FGT_A (dns) # set dns-over-tls enforce 
 <Enter>
 
FGT_A (dns) # set dns-over-tls enforce 
 
FGT_A (dns) # set ssl-certificate 
<string>    please input string value
Fortinet_CA_SSL    local
Fortinet_CA_Untrusted    local
Fortinet_Factory    local
Fortinet_SSL    local
Fortinet_SSL_DSA1024    local
Fortinet_SSL_DSA2048    local
Fortinet_SSL_ECDSA256    local
Fortinet_SSL_ECDSA384    local
Fortinet_SSL_RSA1024    local
Fortinet_SSL_RSA2048    local
Server    local
testercert    local
 
FGT_A (dns) # set ssl-certificate 
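The three dns-over-tls values in the CLI help above map directly onto a client policy. Below is an added example, not Fortinet code, of a minimal Python DNS-over-TLS client (RFC 7858: DNS-over-TCP framing inside TLS on port 853) whose mode argument follows the disable/enable/enforce semantics; the function names are assumptions, 8.8.8.8 is the server from the sample configuration, and the tls/plain parameters of resolve exist so the fallback logic can be exercised without a network.

```python
import socket
import ssl
import struct

DOT_PORT = 853  # RFC 7858 well-known port for DNS over TLS; plaintext DNS stays on 53

def build_query(name, qid=0x1234):
    """Encode an A-record query in DNS wire format (RFC 1035 section 4.1)."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD flag set, one question
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _read_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise OSError("peer closed before the full DNS message arrived")
        buf += chunk
    return buf

def query_over_tls(msg, server_ip):
    """One query over TLS on 853 with DNS-over-TCP framing (2-byte length prefix).
    The default context verifies the chain and checks server_ip against the cert's IP SAN."""
    ctx = ssl.create_default_context()
    with socket.create_connection((server_ip, DOT_PORT), timeout=3) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_ip) as tls:
            tls.sendall(struct.pack(">H", len(msg)) + msg)
            (length,) = struct.unpack(">H", _read_exact(tls, 2))
            return _read_exact(tls, length)

def query_plaintext(msg, server_ip):
    """Classic UDP/53 query: readable and forgeable by anyone on the path."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(3)
        s.sendto(msg, (server_ip, 53))
        return s.recv(512)

def resolve(name, server_ip, mode="enforce", tls=query_over_tls, plain=query_plaintext):
    """mode mirrors the FortiGate dns-over-tls values: disable = never TLS;
    enable = try TLS, fall back to plaintext; enforce = TLS only, never fall back."""
    msg = build_query(name)
    if mode == "disable":
        return plain(msg, server_ip)
    try:
        return tls(msg, server_ip)
    except OSError as exc:  # ssl.SSLError and socket.timeout are OSError subclasses
        if mode == "enforce":
            raise RuntimeError("DoT to %s failed and fallback is disabled: %s" % (server_ip, exc)) from exc
        return plain(msg, server_ip)  # 'enable' silently downgrades to cleartext here
```

With enable, an on-path party who blocks port 853 gets the query in cleartext on the retry; with enforce the lookup fails loudly instead, which is the behaviour the CLI help text describes.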