Administration Guide

DNS over TLS and HTTPS

DNS over TLS (DoT) is a security protocol for encrypting and encapsulating DNS queries and responses over the TLS protocol. DoT increases user privacy and security by preventing eavesdropping and manipulation of DNS data via man-in-the-middle attacks. Similarly, DNS over HTTPS (DoH) provides a method of performing DNS resolution over a secure HTTPS connection. DoT and DoH are supported in explicit mode where the FortiGate acts as an explicit DNS server that listens for DoT and DoH requests. Local-out DNS traffic over TLS and HTTPS is also supported.

Basic configurations for enabling DoT and DoH for local-out DNS queries

Before enabling DoT or DoH, ensure that the configured DNS servers support them. The default FortiGuard DNS servers do not support DoT or DoH queries and will drop these packets; when that happens, the latency status of the DNS servers might also appear high or show them as unreachable.

Disabling DoT and DoH is recommended when they are not supported by the DNS servers.

To enable DoT and DoH DNS in the GUI:
  1. Go to Network > DNS.
  2. Enter the primary and secondary DNS server addresses.
  3. In the DNS Protocols section, enable TLS (TCP/853) and HTTPS (TCP/443).
  4. Configure the other settings as needed.
  5. Click Apply.
To enable DoT and DoH DNS in the CLI:
config system dns
    set primary 1.1.1.1
    set secondary 1.0.0.1
    set protocol {cleartext dot doh}
end
To enable DoH on the DNS server in the GUI:
  1. Go to Network > DNS Servers.
  2. In the DNS Service on Interface section, edit an existing interface, or create a new one.
  3. Select a Mode and a DNS Filter profile.
  4. Enable DNS over HTTPS.
  5. Click OK.
To enable DoH on the DNS server in the CLI:
config system dns-server
    edit "port1"
        set dnsfilter-profile "dnsfilter"
        set doh enable
    next
end

Examples

The following examples demonstrate how to configure DNS settings to support DoT and DoH queries made to the FortiGate.

DoT

The following example uses a DNS filter profile where the education category is blocked.

To enable scanning DoT traffic in explicit mode with a DNS filter:
  1. Configure the DNS settings:
    config system dns
        set primary 1.1.1.1
        set secondary 1.0.0.1
        set protocol dot
    end
  2. Configure the DNS filter profile:
    config dnsfilter profile
        edit "dnsfilter"
            config ftgd-dns
                config filters
                    edit 1
                        set category 30
                        set action block
                    next
                end
            end
        next
    end
  3. Configure the DNS server settings:
    config system dns-server
        edit "port1"
            set dnsfilter-profile "dnsfilter"
        next
    end
  4. Send a DNS query over TLS (this example uses kdig on an Ubuntu client) using the FortiGate as the DNS server. The www.ubc.ca domain belongs to the education category:
    root@client:/tmp# kdig -d @10.1.100.173 +tls +header +all www.ubc.ca 
    ;; DEBUG: Querying for owner(www.ubc.ca.), class(1), type(1), server(10.1.100.173), port(853), protocol(TCP)
    ;; DEBUG: TLS, received certificate hierarchy:
    ;; DEBUG:  #1, C=US,ST=California,L=Sunnyvale,O=Fortinet,OU=FortiGate,CN=FG3H1E5818903681,EMAIL=support@fortinet.com
    ;; DEBUG:      SHA-256 PIN: Xhkpv9ABEhxDLtWG+lGEndNrBR7B1xjRYlGn2ltlkb8=
    ;; DEBUG:  #2, C=US,ST=California,L=Sunnyvale,O=Fortinet,OU=Certificate Authority,CN=fortinet-subca2001,EMAIL=support@fortinet.com
    ;; DEBUG:      SHA-256 PIN: 3T8EqFBjpRSkxQNPFagjUNeEUghXOEYp904ROlJM8yo=
    ;; DEBUG:  #3, C=US,ST=California,L=Sunnyvale,O=Fortinet,OU=Certificate Authority,CN=fortinet-ca2,EMAIL=support@fortinet.com
    ;; DEBUG:      SHA-256 PIN: /QfV4N3k5oxQR5RHtW/rbn/HrHgKpMLN0DEaeXY5yPg=
    ;; DEBUG: TLS, skipping certificate PIN check
    ;; DEBUG: TLS, skipping certificate verification
    ;; TLS session (TLS1.2)-(ECDHE-RSA-SECP256R1)-(AES-256-GCM)
    ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 56719
    ;; Flags: qr rd; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 0
    
    ;; QUESTION SECTION:
    ;; www.ubc.ca.                  IN      A
    
    ;; ANSWER SECTION:
    www.ubc.ca.             60      IN      A       208.91.112.55
    
    ;; Received 44 B
    ;; Time 2021-03-12 23:11:27 PST
    ;; From 10.1.100.173@853(TCP) in 0.2 ms
    root@client:/tmp#

    The IP returned by the FortiGate for www.ubc.ca belongs to the FortiGuard block page, so the query was blocked successfully.

DoH

The following example uses a DNS filter profile where the education category is blocked.

To configure scanning DoH traffic in explicit mode with a DNS filter:
  1. Configure the DNS settings:
    config system dns
        set primary 1.1.1.1
        set secondary 1.0.0.1
        set protocol doh
    end
  2. Configure the DNS filter profile:
    config dnsfilter profile
        edit "dnsfilter"
            config ftgd-dns
                config filters
                    edit 1
                        set category 30
                        set action block
                    next
                end
            end
        next
    end
  3. Configure the DNS server settings:
    config system dns-server
        edit "port1"
            set dnsfilter-profile "dnsfilter"
            set doh enable
        next
    end
  4. In your browser, enable DNS over HTTPS.
  5. On your computer, edit the TCP/IP settings to use the FortiGate interface address as the DNS server.
  6. In your browser, go to a website in the education category (www.ubc.ca). The website is redirected to the block page.
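As an added example (not part of the Fortinet guide), the following Python client issues the same www.ubc.ca query from the DoT and DoH examples above over DoT (RFC 7858, length-prefixed message inside TLS on TCP/853) and DoH (RFC 8484, POST of an application/dns-message body to /dns-query on TCP/443), then checks whether the A record that comes back is the block-page address shown in the kdig output. The /dns-query path, the resolver address, the function names and the sample response bytes are assumptions or constructed values, not from the page.

```python
import socket, ssl, struct, urllib.request
BLOCK_PAGE_IP = "208.91.112.55"   # block-page address the FortiGate returned in this page's kdig output

def build_query(name, qid=0x1234):   # wire-format A query with RD set (RFC 1035 section 4.1)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + qname + b"\x00" + struct.pack("!HH", 1, 1)

def parse_a_records(msg):
    """Return (rcode, [IPv4 answers]) from a DNS response, following name compression pointers."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    def skip_name(o):
        while msg[o]:
            if msg[o] & 0xC0 == 0xC0:     # compression pointer: two bytes end the name
                return o + 2
            o += msg[o] + 1
        return o + 1
    off, addrs = 12, []
    for _ in range(qd):
        off = skip_name(off) + 4          # QTYPE + QCLASS
    for _ in range(an):
        off = skip_name(off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off + 10:off + 14]))
        off += 10 + rdlen
    return flags & 0xF, addrs

def query_dot(server, name, ctx=None):
    """RFC 7858: two-byte length prefix plus the DNS message inside TLS on TCP/853, certificate verified."""
    q, ctx = build_query(name), ctx or ssl.create_default_context()
    with socket.create_connection((server, 853), timeout=5) as raw, \
            ctx.wrap_socket(raw, server_hostname=server) as tls:
        tls.sendall(struct.pack("!H", len(q)) + q)
        n, buf = struct.unpack("!H", tls.recv(2))[0], b""
        while len(buf) < n:
            buf += tls.recv(n - len(buf))
    return buf

def query_doh(server, name, ctx=None):
    """RFC 8484: POST the same wire message as application/dns-message to /dns-query on TCP/443."""
    req = urllib.request.Request(f"https://{server}/dns-query", data=build_query(name), headers={
        "Content-Type": "application/dns-message", "Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=5, context=ctx or ssl.create_default_context()) as r:
        return r.read()
def is_blocked(response):   # True when the answer is the FortiGuard block page, not the real address
    return BLOCK_PAGE_IP in parse_a_records(response)[1]
# Constructed 44-byte response mirroring the kdig output above: id 56719, www.ubc.ca A 208.91.112.55, TTL 60.
SAMPLE_BLOCKED_RESPONSE = (b"\xdd\x8f\x81\x00\x00\x01\x00\x01\x00\x00\x00\x00"
                           b"\x03www\x03ubc\x02ca\x00\x00\x01\x00\x01"
                           b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04\xd0\x5b\x70\x37")
```

Unlike the kdig run above, which reports skipping certificate verification, these functions verify the server certificate; since the FortiGate in that output presents a certificate issued by Fortinet's own CA with the unit serial number as its CN, pass a context that trusts that CA (or install a certificate whose name matches the address you query) rather than disabling the checks.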