DNS over TLS and HTTPS

DNS over TLS (DoT) is a security protocol for encrypting and encapsulating DNS queries and responses over the TLS protocol. DoT increases user privacy and security by preventing eavesdropping and manipulation of DNS data via man-in-the-middle attacks. Similarly, DNS over HTTPS (DoH) provides a method of performing DNS resolution over a secure HTTPS connection. DoT and DoH are supported in explicit mode where the FortiGate acts as an explicit DNS server that listens for DoT and DoH requests. Local-out DNS traffic over TLS and HTTPS is also supported.

Basic configurations for enabling DoT and DoH for local-out DNS queries

To enable DoT and DoH DNS in the GUI:
  1. Go to Network > DNS.
  2. Enter the primary and secondary DNS server addresses.
  3. In the DNS Protocols section, enable TLS (TCP/853) and HTTPS (TCP/443).
  4. Configure the other settings as needed.
  5. Click Apply.
To enable DoT and DoH DNS in the CLI:
config system dns
    set primary 1.1.1.1
    set secondary 1.0.0.1
    set protocol {cleartext dot doh}
end
To enable DoH on the DNS server in the GUI:
  1. Go to Network > DNS Servers.
  2. In the DNS Service on Interface section, edit an existing interface, or create a new one.
  3. Select a Mode, and DNS Filter profile.
  4. Enable DNS over HTTPS.
  5. Click OK.
To enable DoH on the DNS server in the CLI:
config system dns-server
    edit "port1"
        set dnsfilter-profile "dnsfilter"
        set doh enable
    next
end

Examples

The following examples demonstrate how to configure DNS settings to support DoT and DoH queries made to the FortiGate.

DoT

The following example uses a DNS filter profile where the education category is blocked.

To enable scanning of DoT traffic in explicit mode with a DNS filter:
  1. Configure the DNS settings:
    config system dns
        set primary 1.1.1.1
        set secondary 1.0.0.1
        set protocol dot
    end
  2. Configure the DNS filter profile:
    config dnsfilter profile
        edit "dnsfilter"
            config ftgd-dns
                config filters
                    edit 1
                        set category 30
                        set action block
                    next
                end
            end
        next
    end
  3. Configure the DNS server settings:
    config system dns-server
        edit "port1"
            set dnsfilter-profile "dnsfilter"
        next
    end
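As an added client-side check that is not part of the FortiGate documentation, the following Python script exercises the DoT (TCP/853) and DoH listeners enabled in the sections above: it builds a wire-format DNS query, sends it inside TLS with the TCP length framing that DoT uses, or POSTs it as a DoH message, and returns the transaction ID, response code and answer count. The server address, SNI name, CA file and DoH URL (including its path, which this page does not give) are assumptions you must supply for your own FortiGate.

```python
import socket
import ssl
import struct
import urllib.request

def build_query(name, qtype=1, txid=0x1234):
    # RFC 1035 header: ID, flags (RD=1 -> 0x0100), QDCOUNT=1, AN/NS/ARCOUNT=0
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(label)]) + label.encode("ascii")
                      for label in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack(">HH", qtype, 1)  # QCLASS IN

def parse_response(msg):
    # Return (txid, rcode, answer count) from a wire-format response header
    txid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    return txid, flags & 0x000F, an

def _recv_exact(sock, n):
    # TLS records may split a DNS message; keep reading until n bytes arrive
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("DoT connection closed before full message")
        buf += chunk
    return buf

def query_dot(server, name, sni=None, cafile=None, port=853):
    # DoT (RFC 7858): TCP DNS framing (2-byte length prefix) carried inside TLS on 853.
    # cafile (assumed) is the CA that issued the FortiGate's server certificate.
    ctx = ssl.create_default_context(cafile=cafile)
    q = build_query(name)
    with socket.create_connection((server, port), timeout=5) as raw, \
            ctx.wrap_socket(raw, server_hostname=sni or server) as tls:
        tls.sendall(struct.pack(">H", len(q)) + q)
        (length,) = struct.unpack(">H", _recv_exact(tls, 2))
        return parse_response(_recv_exact(tls, length))

def query_doh(url, name):
    # DoH (RFC 8484): the same wire-format message POSTed as application/dns-message.
    # url is an assumption, e.g. "https://<fortigate-host>/dns-query"; the path is not from the page.
    req = urllib.request.Request(url, data=build_query(name), method="POST",
                                 headers={"Content-Type": "application/dns-message",
                                          "Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return parse_response(resp.read())
```

Compare the results for a domain in an allowed category with one in the blocked category to confirm the DNS filter profile is applied on the DoT and DoH paths, and check that the returned txid matches the one you sent.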