DNS over TLS (DoT) encrypts DNS queries and answers by carrying them inside a TLS session (by default on TCP port 853). Its goal is to improve user privacy and security by preventing eavesdropping on, and manipulation of, DNS traffic by an attacker in a man-in-the-middle position. The FortiOS DNS settings include an option to enforce DoT for this added protection.
- Go to Network > DNS. The DNS Settings pane opens.
- For DNS over TLS, click Enforce.
- Click Apply.
config system dns
    set primary 188.8.131.52
    set dns-over-tls enforce
    set ssl-certificate "Fortinet_Factory"
end
DNS over TLS connections to the FortiGuard secure DNS server are supported. The CLI options are only available when fortiguard-anycast is enabled; DNS filtering connects to the FortiGuard secure DNS server over anycast by default.
config system fortiguard
    set fortiguard-anycast enable
    set fortiguard-anycast-source fortinet
    set anycast-sdns-server-ip 0.0.0.0
    set anycast-sdns-server-port 853
end
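Both configurations above point the FortiGate at a resolver on TCP/853. The client below, added here as an example and not code from the FortiOS documentation or from Fortinet, shows what such a connection consists of: an ordinary DNS message with the two-byte length prefix required by RFC 7858, carried inside a TLS session whose server certificate is verified against the local trust store. That certificate check is the part that actually defeats a man-in-the-middle; encryption alone does not. dot_query() performs a live check against a resolver you name (the resolver address and the server_hostname used for certificate matching are assumptions you supply); the remaining functions run offline against a constructed response, so the framing and parsing can be exercised without network access.

```python
"""Minimal DNS-over-TLS (RFC 7858) client: builds a query, frames it for
TCP/TLS transport, and parses the answer. Added example, not Fortinet code.
Assumptions: the resolver address and hostname passed to dot_query(), and
the "example.com" name used in the constructed sample response.
"""
import socket
import ssl
import struct

DOT_PORT = 853  # well-known DoT port (RFC 7858); matches anycast-sdns-server-port above


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a plain DNS query (RD=1) for `name`; QTYPE A (1) by default."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def frame(msg: bytes) -> bytes:
    """TCP/TLS framing: 2-byte big-endian length prefix before the DNS message."""
    return struct.pack("!H", len(msg)) + msg


def _read_name(data: bytes, off: int):
    """Parse a possibly compressed name; return (dotted name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_response(framed: bytes, expected_txid: int) -> dict:
    """Unframe and parse a response; return rcode and any A records.
    Rejects truncated messages, ID mismatches and non-responses."""
    (length,) = struct.unpack("!H", framed[:2])
    msg = framed[2:2 + length]
    if len(msg) != length:
        raise ValueError("truncated DNS message")
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction ID mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response")
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, ttl, socket.inet_ntoa(rdata)))
    return {"rcode": flags & 0x000F, "a_records": answers}


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("resolver closed the connection")
        buf += chunk
    return buf


def dot_query(resolver_ip: str, name: str, server_hostname: str, txid: int = 0x1234) -> dict:
    """Live check: one query over TLS to resolver_ip:853. The default context
    verifies the chain and hostname; a MITM with an untrusted cert fails here."""
    ctx = ssl.create_default_context()
    raw = socket.create_connection((resolver_ip, DOT_PORT), timeout=5)
    with ctx.wrap_socket(raw, server_hostname=server_hostname) as tls:
        tls.sendall(frame(build_query(name, txid=txid)))
        hdr = _recv_exact(tls, 2)
        body = _recv_exact(tls, struct.unpack("!H", hdr)[0])
    return parse_response(hdr + body, txid)


def sample_response(txid: int = 0x1234) -> bytes:
    """Constructed (not captured) framed response: NOERROR, one A record
    for example.com -> 192.0.2.1 (TEST-NET-1), with a compressed owner name."""
    msg = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    msg += b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + socket.inet_aton("192.0.2.1")
    return frame(msg)


if __name__ == "__main__":
    print(parse_response(sample_response(), 0x1234))
```

To verify a live resolver, call dot_query("<resolver-ip>", "example.com", "<name on the resolver's certificate>"); an SSLCertVerificationError means the certificate did not chain to a trusted CA or did not match the hostname, which is exactly the condition DoT enforcement is meant to refuse.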