DNS inspection with DoT and DoH

DNS over TLS (DoT) and DNS over HTTPS (DoH) are supported in DNS inspection. Prior to 7.0, DoT and DoH traffic silently passes through the DNS proxy without being inspected. In 7.0, the WAD (the web proxy daemon) is able to handle DoT and DoH: it decrypts the session and redirects the DNS queries to the DNS proxy for further inspection.

In the following examples, the FortiGate inspects DNS queries made over DoT and DoH to a Cloudflare DNS server. The DNS filter profile blocks the education category.

To configure DNS inspection of DoT and DoH queries in the GUI:
  1. Configure the SSL-SSH profile:
    1. Go to Security Profiles > SSL/SSH Inspection and click Create New.
    2. Set Inspection method to Full SSL Inspection. DoT and DoH can only be inspected using deep inspection, because the DNS queries are carried inside TLS.
    3. In the Protocol Port Mapping section, enable DNS over TLS.
    4. Configure the other settings as needed.
    5. Click OK.
  2. Configure the DNS filter profile:
    1. Go to Security Profiles > DNS Filter and click Create New.
    2. Enable Redirect botnet C&C requests to Block Portal.
    3. Enable FortiGuard Category Based Filter and set the Action for the Education category to Redirect to Block Portal.
    4. Configure the other settings as needed.
    5. Click OK.
  3. Configure the firewall policy:
    1. Go to Policy & Objects > Firewall Policy and click Create New.
    2. Enable DNS Filter and select the profile you created.
    3. For
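The same configuration expressed as FortiOS CLI commands, added here as an illustration; it is not taken from the page. The profile names, the policy id, the interface names (port2 inside, port1 outside) and the use of proxy inspection mode (chosen because the WAD is a proxy-mode daemon) are assumptions. The FortiGuard category id 30 is Education in the standard category list; the `config dot` table corresponds to the GUI's DNS over TLS toggle. Verify both against your firmware's CLI reference before use.

```text
# SSL/SSH inspection profile: full (deep) inspection, with DoT enabled.
# DoH rides on TCP/443, so the https table covers it; DoT needs its own table.
config firewall ssl-ssh-profile
    edit "deep-inspection"
        config https
            set ports 443
            set status deep-inspection
        end
        config dot
            set status deep-inspection
        end
    next
end

# DNS filter profile: botnet C&C redirected to the block portal,
# Education category (id 30, assumed) blocked.
config dnsfilter profile
    edit "dns-dot-doh"
        set block-botnet enable
        config ftgd-dns
            config filters
                edit 1
                    set category 30
                    set action block
                next
            end
        end
    next
end

# Firewall policy applying both profiles to outbound traffic
# (interface names and policy id are assumptions).
config firewall policy
    edit 1
        set name "dns-inspect"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set inspection-mode proxy
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
        set dnsfilter-profile "dns-dot-doh"
        set nat enable
    next
end
```

Clients must trust the FortiGate's SSL inspection CA for this to work: a DoT or DoH client that pins its resolver's certificate, or that does not have the CA installed, will fail TLS validation rather than fall back to plain DNS, which shows up as resolution failures instead of DNS filter log entries.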