Use DNS over TLS for default FortiGuard DNS servers
When using FortiGuard servers for DNS, the FortiProxy unit defaults to using DNS over TLS (DoT) to secure the DNS traffic. New FortiGuard DNS servers are added as primary and secondary servers.
Because DNS servers probably do not support low-encryption DES ciphers, low-encryption FortiProxy models do not have the option to select DoT or DoH; these devices default to cleartext DNS (UDP/53) instead.
The FortiGuard DNS server certificates are issued by a public CA for the hostname globalsdns.fortinet.net. The FortiProxy unit verifies the server's hostname against the server-hostname setting.
To view the FortiGuard server DNS settings in the GUI:
- Go to Network > DNS Settings.
- For DNS servers, select Use FortiGuard Servers.
The Primary DNS server is 96.45.45.45, and the Secondary DNS server is 96.45.46.46. DNS Protocols is set to TLS and cannot be modified.
To view the FortiGuard server DNS settings in the CLI:
# show system dns
config system dns
    set primary 96.45.45.45
    set secondary 96.45.46.46
    set protocol dot
    set server-hostname "globalsdns.fortinet.net"
end
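The following added example (written for this page, not FortiProxy or Fortinet code) shows what the configuration above amounts to on the wire: a DNS-over-TLS client that connects to the primary FortiGuard server on TCP/853, requires a public-CA chain and a certificate matching globalsdns.fortinet.net, and exchanges length-prefixed DNS messages as RFC 7858 requires. The server address and hostname are the values shown on this page; the query name and transaction id are arbitrary demo values.

```python
# Added example (not FortiProxy code): a minimal DNS-over-TLS (RFC 7858) client that
# applies the same certificate hostname check FortiProxy does via 'server-hostname'.
import socket, ssl, struct
FORTIGUARD_DNS = "96.45.45.45"               # primary FortiGuard DNS server (page)
SERVER_HOSTNAME = "globalsdns.fortinet.net"  # name the server cert must carry (page)
TXID = 0x1234                                # fixed transaction id for this demo

def build_query(name):
    """DNS A query in wire format, prefixed with the 2-byte length DoT requires."""
    header = struct.pack("!HHHHHH", TXID, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    msg = header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return struct.pack("!H", len(msg)) + msg

def _skip_name(msg, off):                    # offset just past a (maybe compressed) name
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)      # pointer is 2 bytes, root label is 1

def parse_a_records(framed):
    """Strip the DoT length prefix; return IPv4 addresses from the answer section."""
    (length,) = struct.unpack("!H", framed[:2])
    msg = framed[2:2 + length]
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != TXID or not flags & 0x8000:
        raise ValueError("not a response to our query")
    off = 12
    for _ in range(qd):                      # skip the echoed question section
        off = _skip_name(msg, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:        # A record
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs

def resolve_over_dot(name, server=FORTIGUARD_DNS, hostname=SERVER_HOSTNAME):
    """TLS to port 853 with public-CA chain and hostname checks, then one query."""
    ctx = ssl.create_default_context()       # check_hostname=True, CERT_REQUIRED
    with ctx.wrap_socket(socket.create_connection((server, 853), timeout=5),
                         server_hostname=hostname) as tls:
        tls.sendall(build_query(name))
        hdr = tls.recv(2)
        need, body = struct.unpack("!H", hdr)[0], b""
        while len(body) < need:
            body += tls.recv(need - len(body))
        return parse_a_records(hdr + body)
```

If the server presents a certificate for any other name, wrap_socket raises ssl.SSLCertVerificationError before any DNS data is sent, which is the failure mode the server-hostname setting is there to produce.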