Description: This article describes the basic configurations for enabling DNS over HTTPS/443 (DoH) for local-out DNS queries.
Scope: FortiOS firmware 7.0 onwards.
Solution:
A new option has been added to the DNS profile that forces DNS over HTTPS/443 for added security.
DNS over HTTPS (DoH) performs DNS resolution over an encrypted HTTPS connection. The goal of the protocol is to improve user privacy, performance and security by preventing eavesdropping on, and manipulation of, DNS data through man-in-the-middle attacks.
To enable DoH DNS from GUI:
1) Go to Network -> DNS.
2) Enter the primary and secondary DNS server addresses.
3) In the DNS Protocols section, enable HTTPS (TCP/443).
4) Configure the other settings as needed.
5) Select 'Apply'.
To enable DoH DNS from CLI:
# config system dns
    set primary 192.168.148.6
    set secondary 96.45.46.46
    set protocol cleartext doh
end
To enable DoH on the DNS server from GUI:
1) Go to Network -> DNS Servers.
2) In the DNS Service on Interface section, edit an existing interface, or create a new one.
3) Select a Mode and a DNS Filter profile.
4) Enable DNS over HTTPS.
5) Select 'OK'.
To enable DoH on the DNS server from CLI:
# config system dns-server
    edit "port2"
        set doh enable
    next
end
The FortiGuard DNS servers (96.45.45.45 and 96.45.46.46) support both DNS over TLS and DNS over HTTPS.
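To confirm that the DoH service enabled above actually answers on HTTPS/443, the following added example (not part of this article or of FortiOS) builds an RFC 8484 DoH GET request from a DNS wire-format query and parses the A records in the response. The resolver address and the /dns-query path are assumptions (RFC 8484 default path; substitute the IP of the FortiGate interface, e.g. port2, that serves DoH).

```python
import base64
import struct
import urllib.request

def build_dns_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Build a minimal DNS wire-format query (RFC 1035): one question, RD set."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", qtype, 1)

def doh_get_url(resolver: str, query: bytes) -> str:
    """RFC 8484 GET form: the query goes in 'dns' as base64url with padding stripped."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode()
    return f"https://{resolver}/dns-query?dns={encoded}"  # path is an assumption

def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer occupies two bytes
            return off + 2
        off += length + 1

def parse_a_records(msg: bytes) -> list[str]:
    """Extract IPv4 answers from a DNS wire-format response."""
    qdcount, ancount = struct.unpack(">HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return addrs

def doh_query(resolver: str, name: str) -> list[str]:
    """Live check: send the query over HTTPS/443 and return the A records."""
    req = urllib.request.Request(doh_get_url(resolver, build_dns_query(name)),
                                 headers={"Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return parse_a_records(resp.read())

# Constructed sample response (not captured from a real server): example.test -> 192.0.2.10
SAMPLE_RESPONSE = (struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
                   + b"\x07example\x04test\x00" + struct.pack(">HH", 1, 1)
                   + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10]))
```

Call `doh_query("192.168.148.6", "example.com")` (substitute your DoH-enabled interface IP) for a live test; the offline parser check uses `SAMPLE_RESPONSE`.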
Related document: https://docs.fortinet.com/document/fortigate/7.0.0/administration-guide/42181/dns-over-tls-and-https
This is very informative and helpful. Kudos to the Author!
Copyright 2025 Fortinet, Inc. All Rights Reserved.