DNS over TLS and HTTPS
DNS over TLS (DoT) is a security protocol for encrypting and encapsulating DNS queries and responses over the TLS protocol. DoT increases user privacy and security by preventing eavesdropping and manipulation of DNS data via man-in-the-middle attacks. Similarly, DNS over HTTPS (DoH) provides a method of performing DNS resolution over a secure HTTPS connection. DoT and DoH are supported in explicit mode where the FortiGate acts as an explicit DNS server that listens for DoT and DoH requests. Local-out DNS traffic over TLS and HTTPS is also supported.
Basic configurations for enabling DoT and DoH for local-out DNS queries
Before enabling DoT or DoH, ensure that they are supported by the DNS servers. The default FortiGuard DNS servers do not support DoT or DoH queries, and will drop these packets. At times, the latency status of the DNS servers might also appear high or unreachable.
Disabling DoT and DoH is recommended when they are not supported by the DNS servers.
To enable DoT and DoH DNS in the GUI:
- Go to Network > DNS.
- Enter the primary and secondary DNS server addresses.
- In the DNS Protocols section, enable TLS (TCP/853) and HTTPS (TCP/443).
- Configure the other settings as needed.
- Click Apply.
To enable DoT and DoH DNS in the CLI:
config system dns set primary 1.1.1.1 set secondary 1.0.0.1 set protocol {cleartext dot doh} end
To enable DoH on the DNS server in the GUI:
- Go to Network > DNS Servers.
- In the DNS Service on Interface section, edit an existing interface, or create a new one.
- Select a Mode, and DNS Filter profile.
- Enable DNS over HTTPS.
- Click OK.
To enable DoH on the DNS server in the CLI:
config system dns-server edit "port1" set dnsfilter-profile "dnsfilter" set doh enable next end
Examples
The following examples demonstrate how configure DNS settings to support DoT and DoH queries made to the FortiGate.
DoT
The following example uses a DNS filter profile where the education category is blocked.
To enable scanning DoT traffic in explicit mode with a DNS filter:
- Configure the DNS settings:
config system dns set primary 1.1.1.1 set secondary 1.0.0.1 set protocol dot end
- Configure the DNS filter profile:
config dnsfilter profile edit "dnsfilter" config ftgd-dns config filters edit 1 set category 30 set action block next end end next end
- Configure the DNS server settings:
config system dns-server edit "port1" set dnsfilter-profile "dnsfilter" next end
- Send a DNS query over TLS (this example uses kdig on an Ubuntu client) using the FortiGate as the DNS server. The www.ubc.ca domain belongs to the education category:
root@client:/tmp# kdig -d @10.1.100.173 +tls +header +all www.ubc.ca ;; DEBUG: Querying for owner(www.ubc.ca.), class(1), type(1), server(10.1.100.173), port(853), protocol(TCP) ;; DEBUG: TLS, received certificate hierarchy: ;; DEBUG: #1, C=US,ST=California,L=Sunnyvale,O=Fortinet,OU=FortiGate,CN=FG3H1E5818903681,EMAIL=support@fortinet.com ;; DEBUG: SHA-256 PIN: Xhkpv9ABEhxDLtWG+lGEndNrBR7B1xjRYlGn2ltlkb8= ;; DEBUG: #2, C=US,ST=California,L=Sunnyvale,O=Fortinet,OU=Certificate Authority,CN=fortinet-subca2001,EMAIL=support@fortinet.com ;; DEBUG: SHA-256 PIN: 3T8EqFBjpRSkxQNPFagjUNeEUghXOEYp904ROlJM8yo= ;; DEBUG: #3, C=US,ST=California,L=Sunnyvale,O=Fortinet,OU=Certificate Authority,CN=fortinet-ca2,EMAIL=support@fortinet.com ;; DEBUG: SHA-256 PIN: /QfV4N3k5oxQR5RHtW/rbn/HrHgKpMLN0DEaeXY5yPg= ;; DEBUG: TLS, skipping certificate PIN check ;; DEBUG: TLS, skipping certificate verification ;; TLS session (TLS1.2)-(ECDHE-RSA-SECP256R1)-(AES-256-GCM) ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 56719 ;; Flags: qr rd; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 0 ;; QUESTION SECTION: ;; www.ubc.ca. IN A ;; ANSWER SECTION: www.ubc.ca. 60 IN A 208.91.112.55 ;; Received 44 B ;; Time 2021-03-12 23:11:27 PST ;; From 10.1.100.173@853(TCP) in 0.2 ms root@client:/tmp#
The IP returned by the FortiGate for ubc.ca belongs to the FortiGuard block page, so the query was blocked successfully.
DoH
The following example uses a DNS filter profile where the education category is blocked.
To configure scanning DoH traffic in explicit mode with a DNS filter:
- Configure the DNS settings:
config system dns set primary 1.1.1.1 set secondary 1.0.0.1 set protocol doh end
- Configure the DNS filter profile:
config dnsfilter profile edit "dnsfilter" config ftgd-dns config filters edit 1 set category 30 set action block next end end next end
- Configure the DNS server settings:
config system dns-server edit "port1" set dnsfilter-profile "dnsfilter" set doh enable next end
- In your browser, enable DNS over HTTPS.
- On your computer, edit the TCP/IP settings to use the FortiGate interface address as the DNS server.
- In your browser, go to a website in the education category (www.ubc.ca). The website is redirected to the block page.