ManishKhatri
Staff
Article Id 404179
Description: This article describes the introduction of DNS filtering support for the new DNS query type HTTPS (type 65), starting with v7.2.11, v7.4.8, and v7.6.1.
Scope: FortiGate.
Solution:

In certain scenarios, users may observe that DNS filtering does not effectively block access to websites that should fall under restricted categories. This behavior typically occurs when a browser issues both standard A-type DNS queries and newer HTTPS DNS (qtype 65) queries during the resolution process.

For example, when a user attempts to access a website in a browser, the following sequence may occur:

  1. The browser simultaneously sends out a traditional A-type DNS query and an HTTPS-type (qtype 65) DNS query for the domain.
  2. The A-type query returns an IP address that is correctly identified by DNS filtering and subsequently blocked according to policy.
  3. However, the HTTPS DNS query may return a CNAME record pointing to a different domain commonly hosted on a content delivery network (CDN) or cloud service.
  4. The client then resolves this new CNAME target using both HTTPS and A-type queries.
  5. The A-type response for the CNAME target returns a new IP address, which the client uses to complete the connection.
  6. If the CNAME target is categorized as a neutral domain (e.g., "Content Servers"), DNS filtering allows the request, and access to the originally blocked site proceeds indirectly.

This behavior occurs because, in older FortiOS versions, DNS filtering does not inspect or categorize DNS queries of type HTTPS (qtype 65). These queries bypass filtering entirely, even if the resolved domains ultimately serve restricted content.
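The following added example (not part of the article) simulates the sequence above: a browser issues A and HTTPS (qtype 65) queries, follows a CNAME, and reaches the origin only when the filter skips the HTTPS type. All domain names, IP addresses and categories are constructed; the filter models the page's "inspects qtype 65 or not" distinction, not FortiOS internals.

```python
from dataclasses import dataclass, field

# Constructed sample data: categories a DNS filter would assign to each name,
# and the answers the upstream resolver returns per (name, qtype).
CATEGORY = {"restricted.example": "Gambling", "cdn-edge.example": "Content Servers"}
BLOCKED_CATEGORIES = {"Gambling"}
ANSWERS = {
    ("restricted.example", "A"): ("A", "203.0.113.10"),
    ("restricted.example", "HTTPS"): ("CNAME", "cdn-edge.example"),  # qtype 65 answer
    ("cdn-edge.example", "A"): ("A", "198.51.100.7"),
    ("cdn-edge.example", "HTTPS"): ("HTTPS", "alpn=h2"),
}


@dataclass
class DnsFilter:
    """Rates a query by the category of the queried name, but only for the
    query types it inspects; any other type is passed through unrated."""
    inspected_qtypes: frozenset
    log: list = field(default_factory=list)

    def query(self, name, qtype):
        if qtype not in self.inspected_qtypes:
            self.log.append(f"pass {name} {qtype} (type not inspected)")
            return ANSWERS.get((name, qtype))
        cat = CATEGORY.get(name, "Unrated")
        if cat in BLOCKED_CATEGORIES:
            self.log.append(f"block {name} {qtype} category={cat}")
            return None
        self.log.append(f"pass {name} {qtype} category={cat}")
        return ANSWERS.get((name, qtype))


def browser_connect(dns, domain, depth=0):
    """Mimic the browser: query A and HTTPS, follow any CNAME with a fresh
    pair of queries, and return the IP finally reached (None if blocked)."""
    if depth > 3:  # guard against CNAME loops in the constructed data
        return None
    ip = None
    for qtype in ("A", "HTTPS"):
        answer = dns.query(domain, qtype)
        if answer is None:
            continue  # this query was blocked by the filter
        rtype, rdata = answer
        if rtype == "A":
            ip = ip or rdata
        elif rtype == "CNAME":
            ip = ip or browser_connect(dns, rdata, depth + 1)
    return ip


OLD_BEHAVIOUR = frozenset({"A", "AAAA"})           # qtype 65 not inspected
NEW_BEHAVIOUR = frozenset({"A", "AAAA", "HTTPS"})  # qtype 65 inspected
```

With OLD_BEHAVIOUR the A query for restricted.example is blocked but the HTTPS query passes, its CNAME leads to a "Content Servers" name, and the client reaches 198.51.100.7; with NEW_BEHAVIOUR both queries are rated and the connection fails.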

Enhancement in DNS Filtering Support:

Starting with v7.2.11, v7.4.8, and v7.6.1, FortiGate introduces support for DNS filtering of HTTPS (type 65) queries, enabling accurate categorization and enforcement for domains resolved through this newer query type.

FortiGuard will now be able to enforce policies against domains resolved through all supported DNS query types, closing the gap introduced by modern browsers and DNS resolver behavior.

To benefit from these enhancements, upgrade the FortiGate to one of the following firmware versions or later:

  • v7.2.11
  • v7.4.8
  • v7.6.1

Related article:

Technical Tip: DNS Filter logs with "Query Type: Unknown - Query Type Value: 65"