Use DNS over TLS for default FortiGuard DNS servers 7.0.4

When using FortiGuard servers for DNS, FortiOS defaults to using DNS over TLS (DoT) to secure the DNS traffic. New FortiGuard DNS servers are added as primary and secondary servers.

Note

Because DNS servers probably do not support low-encryption DES, low-encryption devices do not have the option to select DoT or DoH. These devices default to cleartext (UDP/53) instead.

The FortiGuard DNS server certificates are issued by a public CA for the globalsdns.fortinet.net hostname. The FortiGate verifies the server hostname against the value of the server-hostname setting.

Note

When upgrading to 7.0.4, the FortiGuard servers are updated to the new defaults.

To view the FortiGuard server DNS settings in the GUI:
  1. Go to Network > DNS.
  2. For DNS servers, select Use FortiGuard Servers. The Primary DNS server is 96.45.45.45, and the Secondary DNS server is 96.45.46.46. DNS Protocols is set to TLS and cannot be modified.

To view the FortiGuard server DNS settings in the CLI:
# show system dns
config system dns
    set primary 96.45.45.45
    set secondary 96.45.46.46
    set protocol dot
    set server-hostname "globalsdns.fortinet.net"
end

Note

The protocol and server-hostname settings should not be modified when using the default FortiGuard servers.
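
One way to check a saved copy of the show system dns output against the defaults listed above, as an added example that is not Fortinet's code. The function names and the two sample outputs are constructed for illustration, and a setting missing from the output is reported as unset because the page's own output lists both settings.

```python
import shlex

# Defaults taken from this page for FortiGuard DNS in FortiOS 7.0.4.
FORTIGUARD_SERVERS = {"96.45.45.45", "96.45.46.46"}
EXPECTED_PROTOCOL = "dot"
EXPECTED_HOSTNAME = "globalsdns.fortinet.net"

def parse_system_dns(text):
    """Return {setting: [values]} for 'set' lines in the 'config system dns' block."""
    settings, inside = {}, False
    for raw in text.splitlines():
        tokens = shlex.split(raw)  # also strips the quotes around the hostname
        if tokens[:3] == ["config", "system", "dns"]:
            inside = True
        elif inside and tokens[:1] == ["end"]:
            break
        elif inside and len(tokens) >= 3 and tokens[0] == "set":
            settings[tokens[1]] = tokens[2:]
    return settings

def audit_fortiguard_dns(text):
    """List deviations from the page's defaults when FortiGuard servers are in use."""
    cfg = parse_system_dns(text)
    servers = {v for key in ("primary", "secondary") for v in cfg.get(key, [])}
    if not servers & FORTIGUARD_SERVERS:
        return []  # custom DNS servers: the page's guidance does not apply
    findings = []
    protocol = cfg.get("protocol", [])
    if protocol != [EXPECTED_PROTOCOL]:
        findings.append(f"protocol is {protocol or 'unset'}, expected {EXPECTED_PROTOCOL}")
    hostname = cfg.get("server-hostname", [])
    if hostname != [EXPECTED_HOSTNAME]:
        findings.append(f"server-hostname is {hostname or 'unset'}, expected {EXPECTED_HOSTNAME}")
    return findings

# Constructed sample outputs (not captured from a device).
GOOD = """# show system dns
config system dns
    set primary 96.45.45.45
    set secondary 96.45.46.46
    set protocol dot
    set server-hostname "globalsdns.fortinet.net"
end
"""
DRIFTED = GOOD.replace("set protocol dot", "set protocol cleartext").replace(
    "globalsdns.fortinet.net", "dns.example.test")

if __name__ == "__main__":
    for name, sample in (("good", GOOD), ("drifted", DRIFTED)):
        print(name, audit_fortiguard_dns(sample) or "ok")
```
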
