
[BUG][Functional] Fortinet defaulting to DNS over TLS (DoT) which isnt supported #1126

Open
andyfase opened this issue Mar 17, 2023 · 1 comment

@andyfase

Bug reports which fail to provide the required information will be closed without action.

Required Basic Info

  • Accelerator Version: release/v1.5.5
  • Install Type: upgrade
  • Upgrade from version: N/A

Describe the bug

The DNS config needs updating to explicitly set the protocol used to “cleartext”, i.e. set protocol cleartext

Recent FortiGate versions enable DNS over TLS (DoT) by default, which is not supported by R53 on the local EC2 169.254.169.253 endpoint. The config should be updated to explicitly set non-encrypted DNS. This can be achieved via the config

set protocol cleartext

Failure Info

  • DNS on the Fortigate does not work
  • Any ping command to any public domain fails to resolve, i.e. sudo root execute ping www.google.com
  • Fortigate licenses are unable to be verified

Steps To Reproduce

  1. Upgrade the Fortinets to version 7.0.9 or above and attempt to perform DNS resolution via sudo root execute ping www.google.com
  2. DNS resolution will fail
  3. Change the DNS config using
     config system dns
     set protocol cleartext
     end
  4. Reattempt DNS resolution and it will work: sudo root execute ping www.google.com

Expected behavior
DNS resolution should work by default

Screenshots
If applicable, add screenshots to help explain your problem.

Additional context

See the note from the Fortinet 7.0.9 release notes regarding DoT:

If both primary and secondary DNS servers are set to use the default FortiGuard servers prior to upgrading, the FortiGate will update them to the new servers and enable DoT after upgrading. If one or both DNS servers are not using the default FortiGuard server, upgrading will retain the existing DNS servers and DNS protocol configuration.
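The following script is an added example, not code from this issue or from the Accelerator project. It audits a FortiGate configuration backup for the mismatch the issue describes: the `config system dns` block pointing at the VPC resolver 169.254.169.253 while the protocol is DoT (or DoH), which that resolver does not serve, and it rewrites the block to pin `set protocol cleartext` as the issue recommends. Only `config system dns` / `set protocol cleartext` are taken from the issue text; the `set primary`, `set secondary` and `set server-hostname` keywords and the sample configuration are assumptions based on FortiOS CLI conventions.

```python
"""Audit a FortiOS config dump for DNS-over-TLS pointed at the AWS VPC resolver.

Added example (not the issue author's or the project's code). Keywords other
than `set protocol cleartext` are assumed FortiOS CLI conventions.
"""
import re

AWS_VPC_RESOLVER = "169.254.169.253"   # Route 53 resolver reachable from the EC2 instance
ENCRYPTED_PROTOCOLS = {"dot", "doh"}  # DNS over TLS / HTTPS; not offered on port 53 by that resolver
DNS_BLOCK_HEADER = "config system dns"

# Constructed sample of what a FortiGate may show after an upgrade that enabled DoT.
SAMPLE_DOT_CONFIG = """\
config system global
    set hostname "fgt-a"
end
config system dns
    set primary 169.254.169.253
    set protocol dot
    set server-hostname "globalsdns.fortinet.net"
end
"""


def dns_block_lines(config_text):
    """Yield (line_index, stripped_line) for lines inside the top-level dns block."""
    inside = False
    for i, line in enumerate(config_text.splitlines()):
        s = line.strip()
        if not inside:
            inside = (s == DNS_BLOCK_HEADER)
            continue
        if s == "end":
            return
        yield i, s


def dns_settings(config_text):
    """Map each `set <key> <values...>` line of the dns block to its list of values."""
    settings = {}
    for _, s in dns_block_lines(config_text):
        m = re.match(r"set\s+(\S+)\s+(.+)$", s)
        if m:
            settings[m.group(1)] = [v.strip('"') for v in m.group(2).split()]
    return settings


def audit_dns(config_text):
    """Classify the dns block. Returns (status, reason) with status one of:
    'missing' (no block), 'fail' (encrypted DNS to the VPC resolver),
    'review' (encrypted DNS to some other resolver), 'warn' (protocol left to
    firmware default while using the VPC resolver) or 'ok'."""
    if DNS_BLOCK_HEADER not in [l.strip() for l in config_text.splitlines()]:
        return "missing", "no 'config system dns' block found"
    settings = dns_settings(config_text)
    protocols = set(settings.get("protocol", []))
    servers = {v for key in ("primary", "secondary") for v in settings.get(key, [])}
    uses_vpc = AWS_VPC_RESOLVER in servers
    if protocols & ENCRYPTED_PROTOCOLS:
        if uses_vpc:
            return "fail", (f"protocol {sorted(protocols)} but {AWS_VPC_RESOLVER} "
                            "only answers plain DNS on port 53")
        return "review", "encrypted DNS to a non-VPC resolver: confirm it serves DoT/DoH"
    if not protocols and uses_vpc:
        return "warn", "no 'set protocol' line: firmware default applies (DoT on recent builds)"
    return "ok", "protocol explicitly set to cleartext"


def pin_cleartext(config_text):
    """Return the config with `set protocol cleartext` in the dns block
    (replacing any existing `set protocol` line, else inserting one)."""
    lines = config_text.splitlines()
    protocol_idx = [i for i, s in dns_block_lines(config_text) if s.startswith("set protocol ")]
    if protocol_idx:
        for i in protocol_idx:
            lines[i] = "    set protocol cleartext"
    else:
        for i, line in enumerate(lines):
            if line.strip() == DNS_BLOCK_HEADER:
                lines.insert(i + 1, "    set protocol cleartext")
                break
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    status, reason = audit_dns(SAMPLE_DOT_CONFIG)
    print(f"before: {status}: {reason}")
    fixed = pin_cleartext(SAMPLE_DOT_CONFIG)
    print(fixed)
    status, reason = audit_dns(fixed)
    print(f"after:  {status}: {reason}")
```

Run it against a `show system dns` or full config backup saved to a file; a `fail` result is the condition described in this issue, and a `warn` result means the protocol is whatever the firmware defaults to, which is worth pinning explicitly in the bootstrap config so a later upgrade cannot flip it.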

@Brian969
Contributor

FYI - for a new deployment, Fortinet 6.x is required and is what we were still having customers deploy; Fortinet 7.x has been reported to not auto-bootstrap - root cause yet TBD.
