nbctcp
New Member
October 23, 2019
Question

DNS Over HTTPS

  • October 23, 2019
  • 2 replies
  • 8682 views

Hi,

My ISP only allows me to use their DNS; I can't use any public DNS. When I did some research, I found that FortiGate can do DNS over TLS, but I never found an article on how to do that with "DNS over HTTPS", or whether I can do "DNS over HTTPS" with FortiOS 6.x.

Could someone gimme the link?

tq

    2 replies

    emnoc
    New Member
    October 23, 2019

    So how does your ISP control your DNS lookups? And for DoH, are you asking if the FortiGate can be a DNS client?

    I do not believe a FortiGate can do DNS lookup and use DoH. A few DoH clients exist, and really, are they installed as a default?

    I stand corrected: 6.2 has it.

    https://docs.fortinet.com/document/fortigate/6.2.0/new-features/642344/dns-over-tls

    Ken Felix

    nbctcp
    nbctcpAuthor
    New Member
    February 17, 2020

    Since DoH is not available, I am testing DoT here.

    INFO:

    - FGT80D with OS 6.2.3

    I am following your link, emnoc.

    PROBLEM:

    1. From my PC in the LAN network:

    > ping www.xxx.com will be blocked, but not www.cnn.com

    QUESTIONS:

    1. AFAIK DoT is supposed to bypass the DNS filter by my ISP. What is missing in my steps?

    2. Should I set the Forti as DNS server for the users' PCs?

    tq

    CONFIG

    config system dns
        set primary 8.8.8.8
        set dns-over-tls enforce
        set domain "domain.com"
    end

    config firewall policy
        edit 1
            set name "LAN2WAN"
            set srcintf "port4"
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set inspection-mode proxy
            set nat enable
        next
    end

    config system interface
        edit "port1"
            set vdom "root"
            set ip 192.168.88.22 255.255.255.0
            set allowaccess ping https ssh fgfm fabric
            set type physical
            set lldp-reception enable
            set role wan
        next
        edit "port4"
            set vdom "root"
            set ip 10.0.4.1 255.255.255.0
            set allowaccess ping https ssh fgfm
            set type physical
            set explicit-web-proxy enable
            set device-identification enable
            set lldp-transmission enable
            set role lan
        next
    end

    config system dhcp server
        edit 1
            set default-gateway 10.0.4.1
            set netmask 255.255.255.0
            set interface "port4"
            config ip-range
                edit 1
                    set start-ip 10.0.4.101
                    set end-ip 10.0.4.200
                next
            end
            set dns-server1 8.8.8.8
        next
    end


    # diagnose test application dnsproxy 3
    worker idx: 0
    vdom: root, index=0, is master, vdom dns is enabled, mip-169.254.0.1 dns_log=1 tls=2 cert=Fortinet_Factory
    dns64 is disabled
    dns-server:208.91.112.220:53 tz=0 tls=0 req=0 to=0 res=0 rt=1482 rating=1 ready=0 timer=22 probe=7 failure=0 last_failed=0
    dns-server:8.8.8.8:853 tz=0 tls=2 req=26 to=0 res=26 rt=4 rating=0 ready=1 timer=0 probe=0 failure=0 last_failed=0
    vfid=0, interface=port4, ifindex=6, forward-only, DNS search domain: ngtrain.com, DNS_CACHE: hash-size=2048, ttl=1800, min-ttl=60, max-num=5000
    DNS FD: udp_s=16 udp_c=21:22 ha_c=26 unix_s=27, unix_nb_s=28, unix_nc_s=29 v6_udp_s=15, v6_udp_c=24:25, snmp=30, redir=17, v6_redir=18
    DNS FD: tcp_s=33, tcp_s6=31, redir=35 v6_redir=36
    FQDN: hash_size=1024, current_query=1024
    DNS_DB: response_buf_sz=131072
    LICENSE: expiry=0000-00-00, expired=1, type=0
    FDG_SERVER:208.91.112.220:53
    FGD_CATEGORY_VERSION:8
    SERVER_LDB: gid=69f2, tz=420, error_allow=0
    FGD_REDIR_V4:FGD_REDIR_V6:


    UPDATE1: Status: WORKING

    after I set the FortiGate as DNS server for all users' PCs

    and installed the Fortinet_Factory cert in all users' PCs
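    The reason the first attempt failed is visible in the config and diagnose output above: the DHCP scope handed 8.8.8.8 straight to the PCs, so the clients sent ordinary UDP/53 queries to Google through the firewall (which the ISP can intercept), and only the FortiGate's own lookups went over TLS (the 8.8.8.8:853 line with tls=2 is the FortiGate's upstream, and port4 already shows forward-only). What the UPDATE describes as the fix, written out as an added example (not code from the thread or from Fortinet's documentation): point DHCP at the FortiGate's own LAN address so the dnsproxy on port4 answers the PCs and relays upstream over DoT. Interface names, addresses and the Fortinet_Factory certificate are the ones in the post; the `config system dns-server` stanza is standard FortiOS 6.2 CLI and is included for completeness even though the diagnose output shows it is already in place.

```fortios
# Added example, not from the thread. Goal: only DoT (TCP/853) leaves port1;
# LAN PCs resolve via the FortiGate at 10.0.4.1 (port4 address from the post).

# 1. Upstream resolver for the FortiGate itself, TLS only (as in the post).
#    ssl-certificate is the local cert the dnsproxy presents to clients that
#    connect to it over TLS; Fortinet_Factory is the default shown as cert= above.
config system dns
    set primary 8.8.8.8
    set dns-over-tls enforce
    set ssl-certificate "Fortinet_Factory"
    set domain "domain.com"
end

# 2. DNS service on the LAN interface. forward-only: no recursion on the box,
#    every client query is relayed to the system DNS configured in step 1.
config system dns-server
    edit "port4"
        set mode forward-only
    next
end

# 3. DHCP: hand out the FortiGate, not 8.8.8.8, as the clients' resolver.
#    Weak setting from the original post:  set dns-server1 8.8.8.8
#    (clients talk plaintext UDP/53 to Google; the ISP filter still sees it)
config system dhcp server
    edit 1
        set default-gateway 10.0.4.1
        set netmask 255.255.255.0
        set interface "port4"
        config ip-range
            edit 1
                set start-ip 10.0.4.101
                set end-ip 10.0.4.200
            next
        end
        set dns-server1 10.0.4.1
    next
end

# Checks after clients renew their lease:
#   req/res on the "dns-server:8.8.8.8:853 ... tls=2" line keep rising
#   no plaintext DNS should be seen leaving the WAN interface
# diagnose test application dnsproxy 3
# diagnose sniffer packet port1 'udp port 53' 4 10
```

    The second check is the one that tells you whether the ISP filter is really bypassed: if the sniffer on port1 still shows UDP/53 packets, some client is configured with a static resolver or has not picked up the new DHCP lease yet.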

    mustapha_mubder
    New Member
    February 29, 2020