ericwang_FTNT (Staff)
July 16, 2019

Technical Tip: DoH/DoT traffic bypassing FortiOS DNS filter


Description


This article explains why DoH/DoT traffic bypasses the FortiOS DNS filter. DNS over HTTPS (DoH) and DNS over TLS (DoT) are newer protocols that carry DNS transactions inside an encrypted channel.

FortiOS DNS filter is based on the standard DNS protocol; as such, the configured DNS filter policies can be bypassed using DoH or DoT, unless the FortiOS firewall policies explicitly block DoH/DoT services.

Scope


FortiOS when using DNS filter.

Solution


Support for DoH/DoT filtering in FortiOS is currently under evaluation.

The current workaround is to block access to remote DNS over HTTPS and DNS over TLS services.

To do that, FortiOS administrators can use firewall policies to block TLS traffic (generally TCP port 853) and HTTPS traffic (generally TCP port 443) destined for publicly known DoT/DoH service providers.
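The following FortiOS CLI configuration is an added example of that approach; it is not part of the original article. It defines a custom TCP/853 service, an address group of sample public resolvers (the 1.1.1.1, 1.0.0.1, 8.8.8.8, 8.8.4.4 and 9.9.9.9 entries are illustrative and must be maintained by the administrator), and two deny policies; the interface names "internal" and "wan1" are assumptions.

```fortios
# Custom service matching DNS over TLS (TCP/853, the IANA-assigned port).
config firewall service custom
    edit "DoT-TCP-853"
        set tcp-portrange 853
    next
end

# Address objects for publicly known DoH/DoT resolvers (sample entries only;
# the list is illustrative and needs to be kept current by the administrator).
config firewall address
    edit "Resolver-1.1.1.1"
        set subnet 1.1.1.1 255.255.255.255
    next
    edit "Resolver-1.0.0.1"
        set subnet 1.0.0.1 255.255.255.255
    next
    edit "Resolver-8.8.8.8"
        set subnet 8.8.8.8 255.255.255.255
    next
    edit "Resolver-8.8.4.4"
        set subnet 8.8.4.4 255.255.255.255
    next
    edit "Resolver-9.9.9.9"
        set subnet 9.9.9.9 255.255.255.255
    next
end

config firewall addrgrp
    edit "Public-DoH-DoT-Resolvers"
        set member "Resolver-1.1.1.1" "Resolver-1.0.0.1" "Resolver-8.8.8.8" "Resolver-8.8.4.4" "Resolver-9.9.9.9"
    next
end

# Deny policies: DoT to any destination, and HTTPS (DoH) to the known resolvers.
# "internal" and "wan1" are assumed interface names; "edit 0" allocates the next free policy ID.
config firewall policy
    edit 0
        set name "Deny-DoT-outbound"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "DoT-TCP-853"
        set logtraffic all
    next
    edit 0
        set name "Deny-DoH-known-resolvers"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "Public-DoH-DoT-Resolvers"
        set action deny
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
end
```

Both deny policies must sit above the general outbound allow policy that carries the DNS filter profile, otherwise they never match; `set logtraffic all` keeps a record of clients that attempt encrypted DNS, which is useful for spotting resolvers missing from the group.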

Another strategy is to use Web filter policies instead of DNS filtering for website or URL access control, since Web filtering acts on the HTTP/HTTPS request itself rather than on the DNS lookup that precedes it.

Starting from FortiOS 7.0, FortiGate can now inspect DoT/DoH traffic:
New features or enhancements