HTTP3 deep inspection, QUIC certificate inspection, DNS over QUIC and DNS over HTTP3 for transparent and local-in DNS modes
The FortiProxy can handle the QUIC/TLS handshake and perform deep inspection for HTTP3 and QUIC traffic, including certificate inspection. This allows for faster and more secure DNS resolution, with improved privacy and reduced latency.
DNS over QUIC (DoQ) and DNS over HTTP3 (DoH3) are also supported in proxy mode inspection for transparent and local-in explicit modes. With DoQ and DoH3, connections can be established faster than with DNS over TLS (DoT) or DNS over HTTPS (DoH).
In transparent mode, the FortiProxy acts as a proxy that forwards DNS queries to the upstream DNS server; it is not itself a DNS server. In local-in DNS mode, the FortiProxy acts as the DNS server, and a DNS filter profile is applied in the system DNS server configuration.
DoQ transparent and local-in queries can be tested using tools or applications in Linux, such as q, the tiny command line DNS client from Natesales.
DoH3 transparent and local-in queries can be tested in Linux using q or Curl. In Windows, change the client network DNS server to the FortiProxy and treat the FortiProxy as an HTTP3 DNS server listening for DoH3 connections.
To configure DoQ in transparent mode:
- Enable QUIC in the ssl-ssh-profile:

    config firewall ssl-ssh-profile
        edit "protocols"
            config dot
                set status deep-inspection
                set quic inspect
            end
        next
    end
- Configure a DNS filter profile:

    config dnsfilter profile
        edit "dnsfilter_fgd"
            config ftgd-dns
                config filters
                    edit 1
                        set category 30
                        set action block
                    next
                end
            end
        next
    end
- Apply the profiles to a proxy firewall policy:

    config firewall policy
        edit 1
            set name "dnsfilter"
            set srcintf "port2"
            set dstintf "port1"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set inspection-mode proxy
            set profile-protocol-options "protocol"
            set ssl-ssh-profile "protocols"
            set dnsfilter-profile "dnsfilter_fgd"
            set logtraffic all
            set nat enable
        next
    end
- Test the configuration:

  On the client, use q to query a FortiGuard category 30 domain with the Adguard DNS server over QUIC. The default redirect block IP address should be returned:

    pc03:~# q www.sfu.ca @quic://dns.adguard.com --tls-no-verify
    2023/08/18 18:53:44 failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Receive-Buffer-Size for details.
    www.sfu.ca. 1m0s A 208.91.112.55
    www.sfu.ca. 1m0s AAAA 2620:101:9000:53::55
To configure DoQ in local-in mode:
- In the FortiProxy DNS server configuration, enable DoQ for a port with the previously configured DNS filter profile applied:

    config system dns-server
        edit "port2"
            set dnsfilter-profile "dnsfilter_fgd"
            set doq enable
        next
    end
- Test the configuration:

  On the client, use q to query a FortiGuard category 30 domain with the FortiProxy interface over QUIC. The default redirect block IP address should be returned:

    pc03:~# q www.mcgill.ca @quic://10.1.100.150 --tls-no-verify
    2023/08/18 20:05:53 failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Receive-Buffer-Size for details.
    www.mcgill.ca. 1m0s A 208.91.112.55
    www.mcgill.ca. 1m0s AAAA 2620:101:9000:53::55
To configure DoH3 in transparent mode:
- Enable QUIC in the ssl-ssh-profile:

    config firewall ssl-ssh-profile
        edit "protocols"
            config https
                set ports 443 8443
                set status deep-inspection
                set quic inspect
            end
        next
    end
- Configure a DNS filter profile:

    config dnsfilter profile
        edit "dnsfilter_fgd"
            config ftgd-dns
                config filters
                    edit 1
                        set category 30
                        set action block
                    next
                end
            end
        next
    end
- Apply the profiles to a proxy firewall policy:

    config firewall policy
        edit 1
            set name "dnsfilter"
            set srcintf "port2"
            set dstintf "port1"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set inspection-mode proxy
            set profile-protocol-options "protocol"
            set ssl-ssh-profile "protocols"
            set dnsfilter-profile "dnsfilter_fgd"
            set logtraffic all
            set nat enable
        next
    end
- Test the configuration:

  On the client with HTTP3 support, use q or Curl to query a FortiGuard category 30 domain with the Adguard DNS server or Cloudflare DNS server over QUIC. The default redirect block IP address should be returned:

    [test@localhost q]$ sudo ./q www.mcgill.ca --http3 @https://dns.adguard.com --tls-insecure-skip-verify
    www.mcgill.ca. 1m A 208.91.112.55
    www.mcgill.ca. 1m AAAA 2620:101:9000:53::55
To configure DoH3 in local-in mode:
- In the FortiProxy DNS server configuration, enable DoH3 for a port with the previously configured DNS filter profile applied:

    config system dns-server
        edit "port2"
            set dnsfilter-profile "dnsfilter_fgd"
            set doh3 enable
        next
    end
- Test the configuration:

  On the client with HTTP3 support, use q or Curl to query a FortiGuard category 30 domain with the FortiProxy interface over HTTP3. The default redirect block IP address should be returned:

    [test@localhost q]$ sudo ./q www.mcgill.ca --http3 @https://10.4.62.160 --tls-insecure-skip-verify
    www.mcgill.ca. 1m A 208.91.112.55
    www.mcgill.ca. 1m AAAA 2620:101:9000:53::55
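The following is an added example, not part of the FortiProxy documentation or the q tool, that shows what the four tests above put on the wire (the DoQ 2-byte length framing of RFC 9250 and the DoH3 base64url GET form of RFC 8484) and checks a response for the FortiGuard redirect address 208.91.112.55 seen in the q output. The response bytes are constructed by a hypothetical build_response helper so the check runs offline; the /dns-query path is the RFC 8484 default and an assumption about the resolver.

```python
import base64
import ipaddress
import struct

# Block-page redirect address returned by the FortiGuard DNS filter in the tests above.
BLOCK_REDIRECT_V4 = "208.91.112.55"

def build_query(name, qtype=1, msg_id=0):
    """Wire-format DNS query (RFC 1035); RFC 9250 requires message ID 0 over DoQ."""
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split("."))
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)  # RD set, one question
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def doq_frame(msg):
    """DoQ: each DNS message on its QUIC stream is prefixed by a 2-byte length field."""
    return struct.pack("!H", len(msg)) + msg

def doh_get_path(msg):
    """DoH/DoH3 GET form (RFC 8484): base64url without padding in the dns= parameter."""
    return "/dns-query?dns=" + base64.urlsafe_b64encode(msg).rstrip(b"=").decode()

def _skip_name(buf, off):
    while buf[off] and buf[off] & 0xC0 != 0xC0:  # walk labels until root or pointer
        off += 1 + buf[off]
    return off + (2 if buf[off] else 1)  # 2-byte compression pointer or root label

def answer_addresses(resp):
    """A and AAAA addresses in the answer section of a wire-format response."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(resp, off) + 4  # skip QTYPE and QCLASS
    out = []
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        if rtype in (1, 28):  # A or AAAA; other RR types are skipped
            out.append(str(ipaddress.ip_address(resp[off + 10:off + 10 + rdlen])))
        off += 10 + rdlen
    return out

def is_blocked(resp):
    """True when the DNS filter substituted the redirect address for the real answer."""
    return BLOCK_REDIRECT_V4 in answer_addresses(resp)

def build_response(query, addrs):
    """Constructed (hypothetical) response: echoes the question, answers with each address."""
    hdr = query[:2] + struct.pack("!HHHHH", 0x8180, 1, len(addrs), 0, 0)  # QR, RD, RA
    body = query[12:]
    for a in addrs:
        ip = ipaddress.ip_address(a)
        body += b"\xc0\x0c" + struct.pack("!HHIH", 1 if ip.version == 4 else 28, 1, 60, len(ip.packed)) + ip.packed
    return hdr + body
```

A real check would send doq_frame(build_query(...)) on a QUIC stream, or GET doh_get_path(...) over HTTP/3, and pass the reply to is_blocked.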