Fortinet black logo

Administration Guide

DNS inspection with DoT and DoH

DNS inspection with DoT and DoH

DNS over TLS (DoT) and DNS over HTTPS (DoH) are supported in DNS inspection. Prior to 7.0, DoT and DoH traffic silently passes through the DNS proxy. In 7.0. the WAD is able to handle DoT and DoH, and redirect DNS queries to the DNS proxy for further inspection.

In the following examples, the FortiGate inspects DNS queries made over DoT and DoH to a Cloudflare DNS server. The DNS filter profile blocks the education category.

To configure DNS inspection of DoT and DoH queries in the GUI:
  1. Configure the SSL-SSH profile:
    1. Go to Security Profiles > SSL/SSH Inspection and click Create New.
    2. Set Inspection method to Full SSL Inspection. DoT and DoH can only be inspected using doing deep inspection.
    3. In the Protocol Port Mapping section, enable DNS over TLS.

    4. Configure the other settings as needed.
    5. Click OK.
  2. Configure the DNS filter profile:
    1. Go to Security Profiles > DNS Filter and click Create New.
    2. Enable Redirect botnet C&C requests to Block Portal.
    3. Enable FortiGuard Category Based Filter and set the Action for the Education category to Redirect to Block Portal.
    4. Configure the other settings as needed.
    5. Click OK.
  3. Configure the firewall policy:
    1. Go to Policy & Objects > Firewall Policy and click Create New.
    2. Enable DNS Filter and select the profile you created.
    3. For SSL Inspection, select the profile you created.
    4. Configure the other settings as needed.
    5. Click OK.
To configure DNS inspection of DoT and DoH queries in the CLI:
  1. Configure the SSL-SSH profile:
    config firewall ssl-ssh-profile
        edit "ssl"
            config dot
                set status deep-inspection
                set client-certificate bypass
                set unsupported-ssl-cipher allow
                set unsupported-ssl-negotiation allow
                set expired-server-cert block
                set revoked-server-cert block
                set untrusted-server-cert allow
                set cert-validation-timeout allow
                set cert-validation-failure block
            end
        next
    end
    
  2. Configure the DNS filter profile:
    config dnsfilter profile
        edit "dnsfilter"
            config ftgd-dns
                config filters
                    edit 1
                        set category 30
                        set action block
                    next
                end
            end
            set block-botnet enable
        next
    end
  3. Configure the firewall policy:
    config firewall policy
        edit 1
            set srcintf "port1"
            set dstintf "port3"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set inspection-mode proxy
            set profile-protocol-options "protocol"
            set ssl-ssh-profile "ssl"
            set webfilter-profile "webfilter"
            set dnsfilter-profile "dnsfilter"
            set nat enable
        next
    end

Testing the connection

To query DNS over TLS:
  1. Send a DNS query over TLS to the Cloudflare server 1.1.1.1 (this example uses kdig on an Ubuntu client). The www.ubc.ca domain belongs to the education category:
    ~$ kdig -d @1.1.1.1 +tls-ca +tls-host=cloudflare-dns.com www.ubc.ca
    ;; DEBUG: Querying for owner(www.ubc.ca.), class(1), type(1), server(1.1.1.1), port(853), protocol(TCP)
    ;; DEBUG: TLS, imported 128 system certificates
    ;; DEBUG: TLS, received certificate hierarchy:
    ;; DEBUG:  #1, C=US,ST=California,L=San Francisco,O=Cloudflare\, Inc.,CN=cloudflare-dns.com
    ;; DEBUG:      SHA-256 PIN: elpYCnCs9ZtkQBI4+cb2QtZcyOl5UI9jMkSvbTsTad0=
    ;; DEBUG:  #2, C=US,ST=California,L=Sunnyvale,O=Fortinet,OU=Certificate Authority,CN=FG3H1E5818903681,EMAIL=support@fortinet.com
    ;; DEBUG:      SHA-256 PIN: s48VtdODlNZfAG2g/92hMLhitU51qsP9pkHAUtTJ+f4=
    ;; DEBUG: TLS, skipping certificate PIN check
    ;; DEBUG: TLS, The certificate is trusted.
    ;; TLS session (TLS1.3)-(ECDHE-SECP256R1)-(ECDSA-SECP256R1-SHA256)-(AES-256-GCM)
    ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 56850
    ;; Flags: qr rd; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 0
    
    ;; QUESTION SECTION:
    ;; www.ubc.ca.                  IN      A
    
    ;; ANSWER SECTION:
    www.ubc.ca.             60      IN      A       208.91.112.55
    
    ;; Received 44 B
    ;; Time 2021-03-12 06:53:37 UTC
    ;; From 1.1.1.1@853(TCP) in 6.0 ms

    In this query, the FortiGate inspects the DNS query to the Cloudflare DNS server. It replaces the result with the IP of the FortiGuard block page, which successfully blocks the query.

To query DNS over HTTPS:
  1. In your browser, enable DNS over HTTPS.
  2. Go to www.ubc.ca. The website is redirected to the block page.

DNS inspection with DoT and DoH

DNS over TLS (DoT) and DNS over HTTPS (DoH) are supported in DNS inspection. Prior to 7.0, DoT and DoH traffic silently passes through the DNS proxy. In 7.0. the WAD is able to handle DoT and DoH, and redirect DNS queries to the DNS proxy for further inspection.

In the following examples, the FortiGate inspects DNS queries made over DoT and DoH to a Cloudflare DNS server. The DNS filter profile blocks the education category.

To configure DNS inspection of DoT and DoH queries in the GUI:
  1. Configure the SSL-SSH profile:
    1. Go to Security Profiles > SSL/SSH Inspection and click Create New.
    2. Set Inspection method to Full SSL Inspection. DoT and DoH can only be inspected using doing deep inspection.
    3. In the Protocol Port Mapping section, enable DNS over TLS.

    4. Configure the other settings as needed.
    5. Click OK.
  2. Configure the DNS filter profile:
    1. Go to Security Profiles > DNS Filter and click Create New.
    2. Enable Redirect botnet C&C requests to Block Portal.
    3. Enable FortiGuard Category Based Filter and set the Action for the Education category to Redirect to Block Portal.
    4. Configure the other settings as needed.
    5. Click OK.
  3. Configure the firewall policy:
    1. Go to Policy & Objects > Firewall Policy and click Create New.
    2. Enable DNS Filter and select the profile you created.
    3. For SSL Inspection, select the profile you created.
    4. Configure the other settings as needed.
    5. Click OK.
To configure DNS inspection of DoT and DoH queries in the CLI:
  1. Configure the SSL-SSH profile:
    config firewall ssl-ssh-profile
        edit "ssl"
            config dot
                set status deep-inspection
                set client-certificate bypass
                set unsupported-ssl-cipher allow
                set unsupported-ssl-negotiation allow
                set expired-server-cert block
                set revoked-server-cert block
                set untrusted-server-cert allow
                set cert-validation-timeout allow
                set cert-validation-failure block
            end
        next
    end
    
  2. Configure the DNS filter profile:
    config dnsfilter profile
        edit "dnsfilter"
            config ftgd-dns
                config filters
                    edit 1
                        set category 30
                        set action block
                    next
                end
            end
            set block-botnet enable
        next
    end
  3. Configure the firewall policy:
    config firewall policy
        edit 1
            set srcintf "port1"
            set dstintf "port3"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set inspection-mode proxy
            set profile-protocol-options "protocol"
            set ssl-ssh-profile "ssl"
            set webfilter-profile "webfilter"
            set dnsfilter-profile "dnsfilter"
            set nat enable
        next
    end

Testing the connection

To query DNS over TLS:
  1. Send a DNS query over TLS to the Cloudflare server 1.1.1.1 (this example uses kdig on an Ubuntu client). The www.ubc.ca domain belongs to the education category:
    ~$ kdig -d @1.1.1.1 +tls-ca +tls-host=cloudflare-dns.com www.ubc.ca
    ;; DEBUG: Querying for owner(www.ubc.ca.), class(1), type(1), server(1.1.1.1), port(853), protocol(TCP)
    ;; DEBUG: TLS, imported 128 system certificates
    ;; DEBUG: TLS, received certificate hierarchy:
    ;; DEBUG:  #1, C=US,ST=California,L=San Francisco,O=Cloudflare\, Inc.,CN=cloudflare-dns.com
    ;; DEBUG:      SHA-256 PIN: elpYCnCs9ZtkQBI4+cb2QtZcyOl5UI9jMkSvbTsTad0=
    ;; DEBUG:  #2, C=US,ST=California,L=Sunnyvale,O=Fortinet,OU=Certificate Authority,CN=FG3H1E5818903681,EMAIL=support@fortinet.com
    ;; DEBUG:      SHA-256 PIN: s48VtdODlNZfAG2g/92hMLhitU51qsP9pkHAUtTJ+f4=
    ;; DEBUG: TLS, skipping certificate PIN check
    ;; DEBUG: TLS, The certificate is trusted.
    ;; TLS session (TLS1.3)-(ECDHE-SECP256R1)-(ECDSA-SECP256R1-SHA256)-(AES-256-GCM)
    ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 56850
    ;; Flags: qr rd; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 0
    
    ;; QUESTION SECTION:
    ;; www.ubc.ca.                  IN      A
    
    ;; ANSWER SECTION:
    www.ubc.ca.             60      IN      A       208.91.112.55
    
    ;; Received 44 B
    ;; Time 2021-03-12 06:53:37 UTC
    ;; From 1.1.1.1@853(TCP) in 6.0 ms

    In this query, the FortiGate inspects the DNS query to the Cloudflare DNS server. It replaces the result with the IP of the FortiGuard block page, which successfully blocks the query.

To query DNS over HTTPS:
  1. In your browser, enable DNS over HTTPS.
  2. Go to www.ubc.ca. The website is redirected to the block page.