Use DNS over TLS for default FortiGuard DNS servers 7.0.4
When using FortiGuard servers for DNS, FortiOS defaults to using DNS over TLS (DoT) to secure the DNS traffic. New FortiGuard DNS servers are added as primary and secondary servers.
Because public DNS servers are unlikely to support the DES cipher that low encryption (LENC) FortiGate models are restricted to, those models do not offer DoT or DoH as an option and default to cleartext DNS (UDP/53) instead.
The FortiGuard DNS server certificates are issued by a public CA for the hostname globalsdns.fortinet.net. Although the servers are addressed by IP, the FortiGate validates the certificate against the name configured in the server-hostname setting, so a DoT connection is only accepted when the certificate chains to a trusted CA and matches that hostname.
When upgrading to 7.0.4, the FortiGuard servers are updated to the new defaults.
To view the FortiGuard server DNS settings in the GUI:
- Go to Network > DNS.
- For DNS servers, select Use FortiGuard Servers. The Primary DNS server is 96.45.45.45, and the Secondary DNS server is 96.45.46.46. DNS Protocols is set to TLS and cannot be modified.
To view the FortiGuard server DNS settings in the CLI:
# show system dns
config system dns
    set primary 96.45.45.45
    set secondary 96.45.46.46
    set protocol dot
    set server-hostname "globalsdns.fortinet.net"
end
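To show what `set protocol dot` and `set server-hostname` mean on the wire, here is a minimal DNS over TLS (RFC 7858) client in Python. It is an added example, not FortiOS code and not part of the original page. It reaches the resolver by IP address but hands the TLS library the expected hostname, so the server certificate must chain to a public CA in the system trust store and carry that name; that is the same check the FortiGate performs with its server-hostname setting. DNS messages are then exchanged over the TLS session with the 2-byte length prefix DoT inherits from DNS over TCP. The sample response bytes, the `example.com` record in them and the function names are constructed for the offline demonstration; the live query uses the server address and hostname from the page and needs network access.

```python
# Added example: DNS-over-TLS client (not FortiOS code).  Illustrates TLS to
# port 853, hostname verification when the server is addressed by IP, and the
# 2-byte length framing DoT uses for DNS messages.
import random
import socket
import ssl
import struct

DOT_PORT = 853  # RFC 7858


def build_query(name, qtype=1, txid=None):
    """Build a DNS query (A record by default) with the RD bit set."""
    if txid is None:
        txid = random.getrandbits(16)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def frame(msg):
    """DoT framing: 2-byte big-endian length followed by the DNS message."""
    return struct.pack("!H", len(msg)) + msg


def unframe(buf):
    """Strip the length prefix, rejecting short or truncated frames."""
    if len(buf) < 2 or len(buf) < 2 + struct.unpack("!H", buf[:2])[0]:
        raise ValueError("short or truncated DoT frame")
    return buf[2:2 + struct.unpack("!H", buf[:2])[0]]


def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                      # compression pointer
            hops += 1
            if hops > 16:                          # defend against pointer loops
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2                      # caller resumes after pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (off if end is None else end)


def parse_answers(msg):
    """Return (txid, rcode, [(name, type, rdata, ttl), ...]) from a response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                            # skip echoed question section
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, "A", socket.inet_ntoa(rdata), ttl))
        else:
            answers.append((name, rtype, rdata, ttl))
    return txid, flags & 0xF, answers


def _recv_exact(sock, n):
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("connection closed mid-frame")
        data += chunk
    return data


def query_dot(server_ip, server_hostname, name, port=DOT_PORT, timeout=5):
    """Resolve `name` over DoT.  `server_hostname` plays the role of the
    FortiOS server-hostname setting: the certificate presented by server_ip
    must chain to a trusted CA and contain this name or the handshake fails."""
    ctx = ssl.create_default_context()             # CERT_REQUIRED, check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    query = build_query(name)
    with socket.create_connection((server_ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_hostname) as tls:
            tls.sendall(frame(query))
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            resp = _recv_exact(tls, length)
    txid, rcode, answers = parse_answers(resp)
    if txid != struct.unpack("!H", query[:2])[0]:  # reject replayed/foreign reply
        raise ValueError("transaction ID mismatch")
    return rcode, answers


# Constructed sample response (not captured from a real server): example.com
# A 93.184.216.34, TTL 300; answer name is a compression pointer to offset 12.
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
    b"\x07example\x03com\x00\x00\x01\x00\x01"
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\x5d\xb8\xd8\x22"
)

if __name__ == "__main__":
    print(parse_answers(unframe(frame(SAMPLE_RESPONSE))))
    # Live check against the FortiGuard resolver from the page (needs network):
    # print(query_dot("96.45.45.45", "globalsdns.fortinet.net", "fortinet.com"))
```

Passing a name other than the one in the certificate, for example `query_dot("96.45.45.45", "wrong.example", "fortinet.com")`, makes `wrap_socket` raise `ssl.SSLCertVerificationError` before any DNS data is sent, which is the failure mode a mismatched server-hostname produces: the resolver is reachable, but the session is never trusted.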