FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
ericwang_FTNT
Article Id 193862

Description
This article explains why Doh/DoT traffic bypasses the FortiOS DNS filter. DNS over HTTPS (DoH) and DNS over TLS (DoT) are new technologies that allow secure, encrypted DNS transactions.

FortiOS DNS filter is based on the standard DNS protocol; as such, the configured DNS filter policies can be bypassed using DoH or DoT, unless the FortiOS firewall policies explicitly block DoH/DoT services.

Scope
FortiOS when using DNS filter.

Solution
The support for DoH/DoT filtering in FortiOS currently is under evaluation.

The current solution is to prevent DNS over HTTPS and DNS over TLS remote services.

In order to do that, FortiOS administrators may block the TLS (generally TCP port 853) and HTTPS (generally TCP port 443) traffic to publicly known DoT/DoH service providers, using FortiOS firewall policies.

Another strategy is using Web filter policies instead of DNS filtering to perform website or URL access control.




Contributors