1

Fortigate - DNS-over-TLS/QUIC

Hello there,

I have been trying for days to get this to work.  I have tried Fortigate firmware 6.4.4 and 7.2.5 and 7.4.0 all with factory resetting the Fortigate.  The setting on the Fortigate is not complex, simple as below

 Configure NextDNS servers >you choose TLS > put your ID hostname in > click apply.

But is just does not work :(  Any help from the Next DNS support team would be appreciated.

Thanks

10 replies

null
    • A_T
    • 1 yr ago
    • Reported - view

    I'm not familiar with fortigate. This is just an observation.

    Settings look confusing to me. I see you have set the nextdns IP and DoT dns-query hostname but what is "Use FortiGuard Servers" all about?  Shouldn't that be set to something like Custom. It looks to me that you are querying nextdns through fortiguard servers thus their SSL certificate.

     

    Also, did you give DoH a try?

    • Terry_Moss
    • 1 yr ago
    • Reported - view

    I have tried DoH and it does not work either.  The top setting 'use fortiguard servers' will use the fortinet fortiguard DNS servers which is the default.  I clicked on 'specify' so I can choose my own DNS servers which in this instance are the Next DNS servers.

    Does anyone know if support look at these threads?  I messaged them two days ago and I have not had a response :(

    DNS queries work, but my profile is not applied.  Thanks for responding though.

    If support would respond, I could provide logs for investigation.

      • R_P_M
      • 1 yr ago
      • Reported - view

       What are the options for the SSL certificate entry? Current setting sounds wrong to me. Also quote what it says on that info button next to it. 

      • Terry_Moss
      • 1 yr ago
      • Reported - view

       The fortigate is using its default certificate.  From what I have read, this should be fine.  Should I be using some other certificate?

    • NextDNs
    • 1 yr ago
    • Reported - view

    What do you get with https://test.nextdns.io when this is set?

      • Terry_Moss
      • 1 yr ago
      • Reported - view

      I posted some results for your request.  Thanks

    • Terry_Moss
    • 1 yr ago
    • Reported - view

    example DNS with DDNS being used as workaround:
    {
        "status": "ok",
        "protocol": "UDP",
        "profile": "fp261a576e43ad2a2e",
        "client": "123.123.123.123",
        "srcIP": "123.123.123.123",
        "destIP": "45.90.30.140",
        "anycast": true,
        "server": "vultr-syd-1",
        "clientName": "unknown"
    }

    Change to DNS over TLS you can see profile is now gone:

    {
        "status": "ok",
        "protocol": "DOT",
        "client": "123.123.123.123",
        "srcIP": "123.123.123.123",
        "destIP": "45.90.30.140",
        "anycast": true,
        "server": "vultr-syd-1",
        "clientName": "unknown-dot"
    }

    I changed my WAN/Source IP to 123.123.123.123. DNS over HTTPS also does not work.

      • Terry_Moss
      • 1 yr ago
      • Reported - view

       What I meant to say was I changed my wan IP for privacy's sake.  I also changed my profile ID as well.  Other than that, the test at the top using normal DNS is working and the test at the bottom using TLS is not working.  Thanks

      • NextDNs
      • 1 yr ago
      • Reported - view

       I think DoT implementation of Fortigate does not support SNI, that would explain this behavior. Without SNI, binding of the configuration could not work.

      • Terry_Moss
      • 1 yr ago
      • Reported - view

       Thanks, I will research it further and see what I can find.

Content aside

  • 1 Likes
  • 1 yr agoLast active
  • 10Replies
  • 1137Views
  • 4 Following