Over the past few days, several of our resellers have reported issues where DNS resolution using the default Fortinet FortiGuard DNS servers does not work as expected.
Workaround
Fortinet TAC
Fortinet has confirmed that this is a known issue affecting certain FortiOS 7.4.x releases when DNS over TLS (DoT) is enabled. As a temporary workaround, they recommend switching DNS communication to cleartext mode:
config system dns
set protocol cleartext
end
Another possible workaround is to switch to a custom DNS provider, such as your ISP’s DNS servers or a trusted public DNS resolver. To ensure your DNS queries are encrypted in transit, configure the resolver to use DNS over TLS (DoT); otherwise, standard DNS traffic is typically sent unencrypted and could be observed or modified by intermediaries on the network.
Important Note on DNS over TLS (DoT)
If you are using custom DNS servers with DNS over TLS enabled, be aware of a common configuration pitfall: the server hostname must match the SSL certificate presented by the DNS provider.
If the hostname does not match the certificate, TLS negotiation will fail, and DNS resolution will not work. This issue often appears when using an IP address instead of a proper DNS name for the DoT server.
Use the correct DNS name of the DNS servers.
Alternatively, remove the DNS server hostname check by leaving the field empty.
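A small checker for the pitfall described above, added here as an example and not part of the original post or of any Fortinet tooling: it parses a `config system dns` block and flags a DoT/DoH setup whose server-hostname is an IP literal (the handshake will fail against a name-based certificate) or empty (the hostname check is disabled), and notes when the protocol is cleartext. The `server-hostname` field name is assumed from the FortiOS 7.x CLI, and the sample blocks, addresses and hostnames are constructed placeholders.

```python
import ipaddress
import shlex

# Constructed sample blocks in FortiOS 7.x CLI syntax (not from a real device).
# The "server-hostname" field name is assumed from the FortiOS CLI; 192.0.2.x
# and dot.example.net are documentation placeholders.
SAMPLE_DOT_IP = """config system dns
    set primary 192.0.2.53
    set protocol dot
    set server-hostname "192.0.2.53"
end"""
SAMPLE_DOT_NAME = SAMPLE_DOT_IP.replace('"192.0.2.53"', '"dot.example.net"')
SAMPLE_CLEARTEXT = "config system dns\n    set primary 192.0.2.53\n    set protocol cleartext\nend"

def parse_dns_block(text):
    """Map each 'set <field> <values...>' inside 'config system dns' to its values."""
    settings, in_block = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "config system dns":
            in_block = True
        elif line == "end":
            in_block = False
        elif in_block and line.startswith("set "):
            parts = shlex.split(line)  # handles the quoted hostname
            settings[parts[1]] = parts[2:]
    return settings

def is_ip_literal(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def check_dns_config(text):
    """Return a list of findings; an empty list means DoT/DoH with a proper DNS name."""
    s = parse_dns_block(text)
    protocol = s.get("protocol", ["cleartext"])[0]  # FortiOS default is cleartext
    hostnames = s.get("server-hostname", [])
    if protocol == "cleartext":
        return ["cleartext: DNS queries are unencrypted and can be observed or altered in transit"]
    findings = []
    if not hostnames:
        findings.append(f"{protocol}: server-hostname is empty, so the certificate hostname check is disabled")
    for h in hostnames:
        if is_ip_literal(h):
            findings.append(f"{protocol}: server-hostname {h} is an IP literal; the TLS handshake will fail unless the resolver's certificate covers that address")
    return findings
```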
For more technical details and guidance, refer to the official Fortinet technical note:
FortiGate Technical Tip: DNS server is unreachable when using custom DNS
