Administration Guide

HTTP3 deep inspection, QUIC certificate inspection, DNS over QUIC and DNS over HTTP3 for transparent and local-in DNS modes

The FortiProxy can handle the QUIC/TLS handshake and perform deep inspection of HTTP3 and QUIC traffic, including certificate inspection. This allows DNS resolution over these transports to be inspected while keeping their faster connection setup, improved privacy and reduced latency.

DNS over QUIC (DoQ) and DNS over HTTP3 (DoH3) are also supported in proxy-mode inspection for the transparent and local-in (explicit) modes. With DoQ and DoH3, connections are established faster than with DNS over TLS (DoT) or DNS over HTTPS (DoH).

In transparent mode, the FortiProxy acts as a proxy that forwards DNS queries, not as a DNS server. In local-in DNS mode, the FortiProxy acts as the DNS server, and a DNS filter profile is applied in the system DNS server configuration.

DoQ queries in transparent and local-in mode can be issued from Linux with tools such as q, the tiny command-line DNS client from Natesales.

DoH3 queries in transparent and local-in mode can be issued from Linux with q or curl. In Windows, change the client's network DNS server to the FortiProxy and treat the FortiProxy as an HTTP3 DNS server listening for DoH3 connections.

To configure DoQ in transparent mode:
  1. Enable QUIC in the ssl-ssh-profile:

    config firewall ssl-ssh-profile
        edit "protocols"
            config dot
                set status deep-inspection
                set quic inspect
            end
        next
    end
  2. Configure a DNS filter profile:

    config dnsfilter profile
        edit "dnsfilter_fgd"
            config ftgd-dns
                config filters
                    edit 1
                        set category 30
                        set action block
                    next
                end
            end
        next
    end
  3. Apply the profiles to a proxy firewall policy:

    config firewall policy
        edit 1
            set name "dnsfilter"
            set srcintf "port2"
            set dstintf "port1"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set inspection-mode proxy
            set profile-protocol-options "protocol"
            set ssl-ssh-profile "protocols"
            set dnsfilter-profile "dnsfilter_fgd"
            set logtraffic all
            set nat enable
        next
    end
  4. Test the configuration:

    On the client, use q to query a FortiGuard category 30 domain through the AdGuard DNS server over QUIC. The default redirect block IP address should be returned:

    pc03:~# q www.sfu.ca @quic://dns.adguard.com --tls-no-verify
    2023/08/18 18:53:44 failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Receive-Buffer-Size for details.
    www.sfu.ca. 1m0s A 208.91.112.55
    www.sfu.ca. 1m0s AAAA 2620:101:9000:53::55
To configure DoQ in local-in mode:
  1. In the FortiProxy DNS server configuration, enable DoQ for a port with the previously configured DNS filter profile applied:

    config system dns-server
        edit "port2"
            set dnsfilter-profile "dnsfilter_fgd"
            set doq enable
        next
    end
  2. Test the configuration:

    On the client, use q to query a FortiGuard category 30 domain against the FortiProxy interface over QUIC. The default redirect block IP address should be returned:

    pc03:~# q www.mcgill.ca @quic://10.1.100.150 --tls-no-verify
    2023/08/18 20:05:53 failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Receive-Buffer-Size for details.
    www.mcgill.ca. 1m0s A 208.91.112.55
    www.mcgill.ca. 1m0s AAAA 2620:101:9000:53::55
    
To configure DoH3 in transparent mode:
  1. Enable QUIC in the ssl-ssh-profile:

    config firewall ssl-ssh-profile
        edit "protocols"
            config https
                set ports 443 8443
                set status deep-inspection
                set quic inspect
            end
        next
    end
  2. Configure a DNS filter profile:

    config dnsfilter profile
        edit "dnsfilter_fgd"
            config ftgd-dns
                config filters
                    edit 1
                        set category 30
                        set action block
                    next
                end
            end
        next
    end
  3. Apply the profiles to a proxy firewall policy:

    config firewall policy
        edit 1
            set name "dnsfilter"
            set srcintf "port2"
            set dstintf "port1"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set inspection-mode proxy
            set profile-protocol-options "protocol"
            set ssl-ssh-profile "protocols"
            set dnsfilter-profile "dnsfilter_fgd"
            set logtraffic all
            set nat enable
        next
    end
  4. Test the configuration:

    On a client with HTTP3 support, use q or curl to query a FortiGuard category 30 domain through the AdGuard or Cloudflare DNS server over QUIC. The default redirect block IP address should be returned:

    [test@localhost q]$ sudo ./q www.mcgill.ca --http3 @https://dns.adguard.com --tls-insecure-skip-verify
    www.mcgill.ca. 1m A 208.91.112.55
    www.mcgill.ca. 1m AAAA 2620:101:9000:53::55
    
To configure DoH3 in local-in mode:
  1. In the FortiProxy DNS server configuration, enable DoH3 for a port with the previously configured DNS filter profile applied:

    config system dns-server
        edit "port2"
            set dnsfilter-profile "dnsfilter_fgd"
            set doh3 enable
        next
    end
  2. Test the configuration:

    On a client with HTTP3 support, use q or curl to query a FortiGuard category 30 domain against the FortiProxy interface over HTTP3. The default redirect block IP address should be returned:

    [test@localhost q]$ sudo ./q www.mcgill.ca --http3 @https://10.4.62.160 --tls-insecure-skip-verify
    www.mcgill.ca. 1m A 208.91.112.55
    www.mcgill.ca. 1m AAAA 2620:101:9000:53::55
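The following script is an added example, not part of the FortiProxy guide: it repeats the guide's q test over DoQ and DoH3 (and, going beyond the guide, plain UDP DNS as a baseline) against one resolver and reports per transport whether the category 30 test domain was blocked, leaked or left unanswered. It assumes q is installed, and that RESOLVER and TEST_DOMAIN point at your FortiProxy interface and a category 30 domain (the defaults are the guide's lab values).

```shell
#!/bin/sh
# Added example (not from the FortiProxy guide): confirm that the DNS filter profile is
# enforced on every transport by checking that a category 30 test domain resolves to the
# FortiGuard redirect block address. Assumes the q client (github.com/natesales/q) is on PATH.

BLOCK_IP="208.91.112.55"                   # default redirect block IP shown in the guide's output
RESOLVER="${RESOLVER:-10.1.100.150}"       # FortiProxy interface from the guide's lab (assumption)
TEST_DOMAIN="${TEST_DOMAIN:-www.sfu.ca}"   # category 30 domain used in the guide's test

# Extract the first A record address from q output ("name ttl A addr" per line).
# Non-record lines such as the quic-go receive-buffer warning are skipped.
a_record_from_q_output() {
    printf '%s\n' "$1" | awk '$3 == "A" { print $4; exit }'
}

# Classify one q answer: "blocked" when the redirect block address came back,
# "leaked" when any other address did, "noanswer" when no A record was returned.
classify_answer() {
    addr=$(a_record_from_q_output "$1")
    if [ -z "$addr" ]; then echo "noanswer"
    elif [ "$addr" = "$BLOCK_IP" ]; then echo "blocked"
    else echo "leaked"
    fi
}

# Query one transport with q and print its classification. --tls-no-verify matches the
# guide's lab test: under deep inspection the client sees the FortiProxy's re-signed
# certificate, so drop the flag only once the client trusts the inspection CA.
check_transport() {
    label=$1; server=$2; shift 2
    out=$(q "$TEST_DOMAIN" A "@$server" "$@" 2>/dev/null)
    printf '%-5s %s\n' "$label" "$(classify_answer "$out")"
}

# Constructed q output for exercising the classifier offline (not captured from a device).
SAMPLE_BLOCKED='2023/08/18 18:53:44 failed to sufficiently increase receive buffer size
www.sfu.ca. 1m0s A 208.91.112.55
www.sfu.ca. 1m0s AAAA 2620:101:9000:53::55'
SAMPLE_LEAKED='www.sfu.ca. 5m0s A 192.0.2.10'

# Live run: ./check_dnsfilter.sh --live  (prints one line per transport)
if [ "${1:-}" = "--live" ]; then
    check_transport do53 "$RESOLVER"
    check_transport doq  "quic://$RESOLVER" --tls-no-verify
    check_transport doh3 "https://$RESOLVER" --http3 --tls-no-verify
fi
```

A "leaked" line means the filter is not applied on that transport, which is the case the per-transport `set quic inspect`, `set doq enable` and `set doh3 enable` settings above exist to close.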
    
