A new option is added to DNS Profile, forcing DNS over TLS for added security.
DNS over TLS (DoT) is a security protocol for encrypting and wrapping Domain Name System (DNS) queries and answers via the Transport Layer Security (TLS) protocol. The goal of the method is to increase user privacy and security by preventing eavesdropping and manipulation of DNS data via man-in-the-middle attacks.
Below is a typical topology.
FortiGate (client/server)<-----(DNS over TLS)<-----------------> DNS server/client
- Go to Network > DNS.
- In DNS over TLS, select Enforce.
FGT_A (global) # config system dns FGT_A (dns) # show config system dns set primary 220.127.116.11 set dns-over-tls enforce end FGT_A (dns) # set dns-over-tls disable Disable DNS over TLS. enable Use TLS for DNS queries if TLS is available. enforce Use only TLS for DNS queries. Does not fall back to unencrypted DNS queries if TLS is unavailable. FGT_A (dns) # set dns-over-tls enforce <Enter> FGT_A (dns) # set dns-over-tls enforce FGT_A (dns) # set ssl-certificate <string> please input string value Fortinet_CA_SSL local Fortinet_CA_Untrusted local Fortinet_Factory local Fortinet_SSL local Fortinet_SSL_DSA1024 local Fortinet_SSL_DSA2048 local Fortinet_SSL_ECDSA256 local Fortinet_SSL_ECDSA384 local Fortinet_SSL_RSA1024 local Fortinet_SSL_RSA2048 local Server local testercert local FGT_A (dns) # set ssl-certificate