Administration Guide

DNS over TLS

DNS over TLS (DoT) is a security protocol for encrypting and wrapping DNS queries and answers via the TLS protocol. The goal of DNS over TLS is to increase user privacy and security by preventing eavesdropping and manipulation of DNS data via man-in-the-middle attacks. There is an option in the FortiOS DNS profile settings to enforce DoT for this added security.

Before enabling DoT, ensure that it is supported by the DNS servers. The default FortiGuard DNS servers do not support DoT queries and will drop these packets. When that happens, the latency status of the DNS servers might also appear high or unreachable.

Disabling DoT is recommended when it is not supported by the DNS servers.

To configure DoT in the GUI:
  1. Go to Network > DNS. The DNS Settings pane opens.
  2. For DNS over TLS, click Enforce.
  3. Click Apply.

To configure DoT in the CLI:
config system dns
    set primary 8.8.8.8
    set dns-over-tls enforce
    set ssl-certificate "Fortinet_Factory"
end
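Because a resolver that does not speak DoT silently drops port 853 traffic, it helps to test each server before setting dns-over-tls to enforce. The following Python script is an added example, not Fortinet code or part of FortiOS: it builds a length-prefixed DNS query, opens a certificate-verified TLS session to port 853, and reports the RCODE; the server address and query name are assumptions.

```python
import socket
import ssl
import struct

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a DNS A query in wire format with the 2-byte length prefix
    required on TCP/TLS transports (RFC 1035 s4.2.2, RFC 7858)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    msg = header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return struct.pack("!H", len(msg)) + msg

def parse_rcode(reply: bytes, txid: int = 0x1234) -> int:
    """Return the RCODE of a length-prefixed reply after checking that it is a
    response (QR=1) carrying the transaction ID we sent."""
    (length,) = struct.unpack("!H", reply[:2])
    body = reply[2:2 + length]
    rid, flags = struct.unpack("!HH", body[:4])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    return flags & 0x000F

def check_dot(server: str, name: str = "example.com", port: int = 853,
              timeout: float = 3.0) -> int:
    """Send one query over DoT and return its RCODE (0 = NOERROR).
    A resolver without DoT support produces a timeout or a TLS error here,
    which is exactly the condition the guide warns about."""
    ctx = ssl.create_default_context()  # verifies the server certificate chain
    with socket.create_connection((server, port), timeout=timeout) as raw:
        # server_hostname also accepts an IP literal; it is matched against the SAN
        with ctx.wrap_socket(raw, server_hostname=server) as tls:
            tls.sendall(build_query(name))
            hdr = tls.recv(2)
            (length,) = struct.unpack("!H", hdr)
            body = b""
            while len(body) < length:
                chunk = tls.recv(length - len(body))
                if not chunk:
                    raise ConnectionError("truncated reply")
                body += chunk
            return parse_rcode(hdr + body)

if __name__ == "__main__":
    # 8.8.8.8 is the primary server used in the CLI example above
    print("RCODE:", check_dot("8.8.8.8"))
```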

FortiGuard DNS rating service

DNS over TLS connections to the FortiGuard secure DNS server are supported. The CLI options are only available when fortiguard-anycast is enabled. DNS filtering connects to the FortiGuard secure DNS server over anycast by default.

To configure DoT to the secure DNS server in the CLI:
config system fortiguard
    set fortiguard-anycast enable
    set fortiguard-anycast-source fortinet
    set anycast-sdns-server-ip 0.0.0.0
    set anycast-sdns-server-port 853
end
