Hi Tristan and Mike,
I've spent quite a bit of time fiddling about with this too. I'm currently running 6.4.4 on a Fortigate 60E, not using the Fortiguard DNS servers (using my ISP DNS servers) and enforcing DNS over TLS.
The new preferred option seems to be the anycast network (listed as the "default Fortiguard access mode" in the 6.4.4 admin guide).
The Fortiguard anycast servers were enabled in FortiOS some time back, but I got the impression the anycast servers were still being rolled out in the background? Certainly my experience suggested it was perhaps not completely deployed.
I had fallen back to anycast disabled (i.e. using non-anycast) and using HTTPS over port 8888. That seemed to be reliable and stable for me in terms of SDNS etc.
This thread prompted me to have another look at anycast and see if I could get it working.
I was just checking the Admin guide on the docs page and see that it does list "Anycast and unicast services" (https://docs.fortinet.com/document/fortigate/6.4.0/ports-and-protocols/622145/anycast-and-unicast-services).
This reference states Secure DNS as being on the anycast domain name of "globalsdns.fortinet.net". For me (near London, UK) that resolves to 173.243.140.53.
So, if I try the following config:
config system fortiguard
set fortiguard-anycast enable
set fortiguard-anycast-source fortinet
set protocol https
set port 443
.......
set anycast-sdns-server-ip 0.0.0.0
set anycast-sdns-server-port 853
.......
end
That seemed to work initially. But I can see from "diag test app dnsproxy 3" the "licence" issue Tristan noted. Further, this link in the admin guide (https://docs.fortinet.com/document/fortigate/6.4.4/administration-guide/150448/troubleshooting-for-dns-filter) seems to confirm this config isn't working for SDNS.
On the positive side, this configuration (using anycast) shows really good ping times to the "web filter" and "outbreak prevention" servers of about 19ms (previously it had been up to 180ms). The IP address indicated is 173.243.140.16 (which globalguardservice.fortinet.net, shown in the reference above, resolves to).
So, how did you get it all working, Tristan? Are you able to share your final config perhaps?
I might raise a ticket and ask some questions about this too.
Kind Regards,
Andy.
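Since the post above is about verifying whether the anycast SDNS endpoint actually answers DNS over TLS on port 853, here is a small probe that does that check from a client machine, independent of the FortiGate. This is an added example and is not code from the thread or from Fortinet. It assumes only the standard library; the host name globalsdns.fortinet.net and the IP 173.243.140.53 are the values quoted in the post, and the query name example.com plus the embedded sample reply are constructed for offline testing.

```python
"""Minimal DNS-over-TLS (RFC 7858) probe for checking an SDNS resolver on port 853.

Added example, not from the forum thread or from Fortinet. The server name and IP
are the ones quoted in the post; SAMPLE_RESPONSE is a constructed reply used to
exercise the codec without network access.
"""
import socket
import ssl
import struct

SDNS_HOST = "globalsdns.fortinet.net"   # anycast SDNS name from the admin guide
SDNS_IP = "173.243.140.53"              # what it resolved to for the poster
DOT_PORT = 853                          # DNS over TLS port (matches anycast-sdns-server-port)
TXID = 0x1234                           # fixed transaction id for this probe


def build_query(name: str, txid: int = TXID, qtype: int = 1) -> bytes:
    """Build a wire-format DNS query (RD set, QCLASS IN, one question) for `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def _skip_name(data: bytes, off: int) -> int:
    """Return the offset just past the (possibly compressed) name starting at `off`."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(data: bytes) -> dict:
    """Parse the header and the answer section of a DNS response message."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if not flags & 0x8000:
        raise ValueError("message is not a response (QR bit clear)")
    off = 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4     # skip QTYPE + QCLASS
    answers = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append(("A", ttl, socket.inet_ntoa(rdata)))
        else:
            answers.append((str(rtype), ttl, rdata.hex()))
    return {"txid": txid, "rcode": flags & 0x000F, "answers": answers}


def _recv_exact(sock, n: int) -> bytes:
    """Read exactly n bytes from a stream socket or raise."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed before full message arrived")
        buf += chunk
    return buf


def dot_query(name: str, server_ip: str = SDNS_IP, server_name: str = SDNS_HOST,
              timeout: float = 5.0) -> dict:
    """Send one query over TLS with SNI and certificate validation, return the parsed reply.

    Needs network access; a handshake failure here means the endpoint is not
    presenting a certificate valid for `server_name` on port 853.
    """
    ctx = ssl.create_default_context()          # verifies chain and host name
    query = build_query(name)
    with socket.create_connection((server_ip, DOT_PORT), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            tls.sendall(struct.pack("!H", len(query)) + query)   # RFC 7858 length prefix
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            reply = _recv_exact(tls, length)
    parsed = parse_response(reply)
    if parsed["txid"] != TXID:
        raise ValueError("transaction id mismatch in reply")
    return parsed


# Constructed sample reply: NOERROR, one A record (300s TTL) for example.com.
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
    b"\x07example\x03com\x00\x00\x01\x00\x01"
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\x5d\xb8\xd8\x22"
)

if __name__ == "__main__":
    print("offline codec check:", parse_response(SAMPLE_RESPONSE))
    try:
        print("live DoT answer:", dot_query("example.com"))
    except (OSError, ValueError) as exc:
        print("DoT probe failed:", exc)
```

A clean answer with rcode 0 over a validated TLS session shows the resolver is reachable and serving DoT; it does not tell you anything about the FortiGate licence state that "diag test app dnsproxy 3" reports, so use the two checks together.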