FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Sindre-FTNT
Staff
Article Id 194208
Description
This article describes the DNS over TLS option added to the system DNS settings in FortiOS 6.2, which can force the FortiGate's own DNS queries to use DNS over TLS for added security.

Solution
FortiOS 6.2 adds a dns-over-tls option to the system DNS settings (Network -> DNS in the GUI, config system dns in the CLI). The FortiGate uses these servers for its own DNS lookups, and the option controls whether those queries are sent over TLS on TCP port 853 instead of in cleartext on port 53.

DNS over TLS (DoT) is a security protocol for encrypting and wrapping Domain Name System (DNS) queries and answers in the Transport Layer Security (TLS) protocol (RFC 7858).
The goal is to increase user privacy and security by preventing eavesdropping on, and manipulation of, DNS traffic by an on-path (man-in-the-middle) attacker. Two limits are worth keeping in mind: the resolver itself still sees every query in the clear, and protection against an active attacker depends on the client validating the server's TLS certificate, not on encryption alone.


Below is a typical topology.

FortiGate (client/server) <----- DNS over TLS (TCP/853) -----> DNS server/client

To configure DNS over TLS using the GUI:

1) Go to Network -> DNS.
2) In DNS over TLS, select 'Enforce'. ('Enable' uses TLS when the server offers it but falls back to unencrypted DNS when it does not; 'Enforce' never falls back.)

To configure DNS over TLS using the CLI:

FGT_A (global) # config system dns

FGT_A (dns) # set dns-over-tls
disable    Disable DNS over TLS.
enable     Use TLS for DNS queries if TLS is available.
enforce    Use only TLS for DNS queries. Does not fall back to unencrypted DNS queries if TLS is unavailable.

FGT_A (dns) # set dns-over-tls enforce

The ssl-certificate setting selects which of the unit's local certificates is used for the TLS connection; the completion list shows the built-in Fortinet certificates plus any other local certificates on the unit (here Server and testercert):

FGT_A (dns) # set ssl-certificate
<string>    please input string value
Fortinet_CA_SSL    local
Fortinet_CA_Untrusted    local
Fortinet_Factory    local
Fortinet_SSL    local
Fortinet_SSL_DSA1024    local
Fortinet_SSL_DSA2048    local
Fortinet_SSL_ECDSA256    local
Fortinet_SSL_ECDSA384    local
Fortinet_SSL_RSA1024    local
Fortinet_SSL_RSA2048    local
Server    local
testercert    local

The resulting configuration, shown before leaving the dns context:

FGT_A (dns) # show
config system dns
    set primary 8.8.8.8
    set dns-over-tls enforce
end

FGT_A (dns) # end

With enforce there is no cleartext fallback: if a configured server does not answer over TLS on TCP port 853, or the TLS handshake fails, the FortiGate's own DNS resolution fails rather than leaking the query in the clear. Confirm that every configured server supports DNS over TLS before enforcing it; 8.8.8.8 (Google Public DNS) in the example above does.
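To see concretely what the 'enforce' setting demands of a resolver, the following is a minimal DNS over TLS client in Python, written as an added example for this article (it is not FortiOS or Fortinet code). It covers both the protocol described above and the enable/enforce distinction from the CLI help: the query is built, prefixed with the two-byte length that DNS over TCP and TLS use, sent over a certificate-verified TLS session to port 853, and parsed back; with enforce=True a TLS failure is an error, with enforce=False the client falls back to cleartext port 53, which is what 'enable' permits. The resolver 8.8.8.8 is taken from the configuration above and dns.google is the hostname Google publishes for it; the SAMPLE_RESPONSE bytes are a hand-constructed answer used to exercise the parser offline.

```python
import secrets
import socket
import ssl
import struct

DOT_PORT = 853  # RFC 7858: DNS over TLS uses TCP port 853

def build_query(qname, qtype=1, txid=None):
    """Recursion-desired DNS query for qname (qtype 1 = A), class IN."""
    if txid is None:
        txid = secrets.randbits(16)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags 0x0100: RD set; 1 question
    labels = [label.encode("ascii") for label in qname.rstrip(".").split(".")]
    if any(not 1 <= len(label) <= 63 for label in labels):
        raise ValueError("label length must be 1..63")
    question = b"".join(bytes([len(label)]) + label for label in labels)
    return header + question + b"\x00" + struct.pack("!HH", qtype, 1)

def frame(msg):
    """Over TCP and TLS each DNS message carries a two-byte big-endian length prefix (RFC 7858 s3.3)."""
    return struct.pack("!H", len(msg)) + msg

def read_framed(sock):
    """Read one length-prefixed DNS message from a connected TCP or TLS socket."""
    def recv_exact(n):
        buf = b""
        while len(buf) < n:
            chunk = sock.recv(n - len(buf))
            if not chunk:
                raise ConnectionError("peer closed mid-message")
            buf += chunk
        return buf
    return recv_exact(struct.unpack("!H", recv_exact(2))[0])

def _read_name(msg, off):
    """Decode a possibly compressed name (RFC 1035 s4.1.4); return (name, offset just past the field)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer: the field ends after these 2 bytes, then follow it
            if not jumped:
                end, jumped = off + 2, True
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end if jumped else off)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length

def parse_response(msg, expected_txid):
    """Check the header and return the rcode plus (name, type, ttl, value) tuples from the answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    off = 12
    for _ in range(qd):  # skip the echoed question: name, then 2-byte type and class
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        value = socket.inet_ntop(socket.AF_INET, rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append((name, rtype, ttl, value))
    return {"rcode": flags & 0x000F, "answers": answers}

def make_tls_context(cafile=None):
    """Default context verifies the chain and the hostname, so an on-path impostor fails the handshake."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def resolve(qname, server_ip, server_hostname, enforce=True, cafile=None, timeout=5.0):
    """enforce=True mirrors FortiGate 'enforce' (TLS failure is an error); False mirrors 'enable' (cleartext fallback)."""
    txid = secrets.randbits(16)
    query = build_query(qname, 1, txid)
    try:
        with socket.create_connection((server_ip, DOT_PORT), timeout=timeout) as raw, \
                make_tls_context(cafile).wrap_socket(raw, server_hostname=server_hostname) as tls:
            tls.sendall(frame(query))
            return parse_response(read_framed(tls), txid)
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        if enforce:
            raise RuntimeError(f"DoT to {server_ip} failed and fallback is disabled: {exc}") from exc
    with socket.create_connection((server_ip, 53), timeout=timeout) as plain:  # query now visible on the wire
        plain.sendall(frame(query))
        return parse_response(read_framed(plain), txid)

# Constructed sample: answer to an A query for example.com, txid 0x1234, one record with TTL 3600.
SAMPLE_RESPONSE = bytes.fromhex(
    "1234 8180 0001 0001 0000 0000"              # header: QR=1, RD, RA, 1 question, 1 answer
    "07 6578616d706c65 03 636f6d 00 0001 0001"  # question: example.com, type A, class IN
    "c00c 0001 0001 00000e10 0004 5db8d822"     # answer: pointer to offset 12, A, IN, 3600 s, 93.184.216.34
)
# Usage (needs network): resolve("example.com", "8.8.8.8", "dns.google")  # 8.8.8.8 as in the article's config
```

Run with enforce=True against each server you intend to configure; a RuntimeError here means that server would leave the FortiGate without working DNS once 'enforce' is set. The constructed sample is only for the offline parser check and does not represent a real answer from 8.8.8.8.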
