Description
FortiOS DNS filter unable to control encrypted DNS traffic
Severity : 3 - Medium
Acknowledgement : Fortinet thank John Headley from VPLS Solutions bring this issue to our attention with certain proofs.
Scope
FortiOS 6.4.x and earlier when using DNS Filter
Impact: DNS filter bypass, Operational Risk
Impact Detail:
DNS over HTTPS (DoH) and DNS over TLS (DoT) are new technologies that allow secure, encrypted DNS transactions. FortiOS DNS filter is based on the standard DNS protocol; as such, the configured DNS filter policies can be bypassed using DoH or DoT, unless the FortiOS firewall policies explicitly block DoH/DoT services.
Affected Products:
FortiOS's DNS Filter in firmware versions 6.4.x and lower only supports the standard DNS protocol
Solution
Upgrade to FortiOS 7.0.x or later. More details on the new DoH/DoT support in DNS Filter can be read here.
Workaround:
Prevent DNS over HTTPS and DNS over TLS remote services.
In order to do that, FortiOS administrators may block the TLS (generally TCP port 853) and HTTPS (generally TCP port 443) traffic to publicly known DoT/DoH service providers, using FortiOS firewall policies.
Note: Another strategy is using Web filter policies instead of DNS filtering to perform website or URL access control.
