FortiGate
ebrlima
Staff
Article Id 383740

Description

This article explains how FortiGate can map the IP addresses of a domain to wildcard FQDN objects when the DNS traffic that resolves those names is encrypted.

FortiOS supports wildcard FQDN objects (for example '*.example.com') in firewall policies, static routes, SD-WAN rules, and other configurations. A wildcard FQDN object has no fixed member addresses: FortiGate learns them by reading the DNS responses for FQDNs that fall under the object's domain, and the object only contains addresses that have been seen in such responses. When the DNS traffic is encrypted (for example DNS over TLS), FortiGate cannot read the responses and therefore cannot populate the object.

In this scenario, FortiGate can still map the correct IP addresses to the wildcard FQDN objects by using Full SSL Inspection to decrypt the DNS traffic.
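The learning behaviour described above, as an added illustration that is not FortiOS code and not part of the original article: a small model in which a wildcard FQDN object collects member addresses only from DNS responses the firewall can read. Plaintext DNS and decrypted DoT both populate the object; an encrypted session that is not inspected contributes nothing. The wildcard semantics (any subdomain depth, apex excluded), the names, the RFC 5737 addresses and the TTLs are all constructed for the example and are assumptions, not a statement of FortiOS's exact matching rules.

```python
"""Toy model of how a wildcard FQDN object is populated from DNS answers.

Added illustration, not FortiOS code. It models the behaviour the article
describes: the firewall learns the FQDN-to-IP mapping from DNS responses it
can read, so an encrypted DNS session contributes nothing unless the firewall
decrypts it. All names, addresses and TTLs below are constructed samples.
"""
from dataclasses import dataclass


@dataclass
class DnsAnswer:
    name: str      # queried FQDN, e.g. "www.example.com"
    address: str   # A-record answer (IPv4)
    ttl: int       # seconds the answer stays valid


@dataclass
class DnsSession:
    answers: list            # DnsAnswer records carried in the response
    encrypted: bool          # DoT/DoH session: payload is TLS-protected
    decrypted: bool = False  # True when full SSL inspection is applied

    def readable(self) -> bool:
        # Plaintext DNS is always readable; encrypted DNS only after decryption.
        return (not self.encrypted) or self.decrypted


def matches_wildcard(pattern: str, fqdn: str) -> bool:
    """True when fqdn falls under pattern.

    Assumption for this model: "*.example.com" covers any subdomain depth
    ("www.example.com", "a.b.example.com") but not the apex "example.com"
    and not look-alikes such as "notexample.com". DNS names are
    case-insensitive, so both sides are lower-cased first.
    """
    pattern = pattern.lower().rstrip(".")
    fqdn = fqdn.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == fqdn
    suffix = pattern[1:]  # ".example.com"
    return fqdn.endswith(suffix) and len(fqdn) > len(suffix)


class WildcardFqdnObject:
    """Address object whose member IPs are learned from observed DNS answers."""

    def __init__(self, pattern: str):
        self.pattern = pattern
        self._expiry = {}  # address -> absolute time the learned entry expires

    def observe(self, session: DnsSession, now: float) -> int:
        """Feed one DNS session; returns how many answers were learned."""
        if not session.readable():
            return 0  # firewall saw only ciphertext: nothing to learn
        learned = 0
        for ans in session.answers:
            if matches_wildcard(self.pattern, ans.name):
                self._expiry[ans.address] = now + ans.ttl
                learned += 1
        return learned

    def addresses(self, now: float) -> set:
        """Current member IPs, dropping entries whose TTL has run out."""
        return {ip for ip, exp in self._expiry.items() if exp > now}


# Constructed sample traffic (RFC 5737 documentation addresses).
T0 = 1_700_000_000.0
SAMPLE_ANSWERS = [
    DnsAnswer("www.example.com", "203.0.113.10", 300),
    DnsAnswer("api.example.com", "203.0.113.11", 60),
    DnsAnswer("example.com", "203.0.113.1", 300),       # apex: outside *.example.com
    DnsAnswer("www.example.net", "198.51.100.7", 300),  # other domain: ignored
]


def learned_addresses(encrypted: bool, decrypted: bool, now: float = T0) -> set:
    """Run the sample answers through a *.example.com object and return its IPs."""
    obj = WildcardFqdnObject("*.example.com")
    obj.observe(DnsSession(SAMPLE_ANSWERS, encrypted=encrypted, decrypted=decrypted), T0)
    return obj.addresses(now)


if __name__ == "__main__":
    print("plaintext DNS:                 ", learned_addresses(False, False))
    print("DoT, no inspection:            ", learned_addresses(True, False))
    print("DoT + full SSL inspection:     ", learned_addresses(True, True))
    print("120 s later (short TTL expired):", learned_addresses(True, True, T0 + 120))
```

The TTL handling is the part worth noticing when troubleshooting: even with decryption in place, an object only holds an address for as long as the DNS answer that produced it is valid, so a name that is rarely resolved by clients can drop out of the object until the next visible response.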

Scope

FortiGate.

Solution

To map domain IP addresses to wildcard FQDN objects when DNS traffic is encrypted, follow these steps:

 

  1. Create a Firewall Policy for DNS Traffic with Full SSL Inspection:

 

config firewall policy
    edit 0                                  <----- 0 creates a new entry with the next free policy ID.
        set name "Allow_LAN_to_DNS_with_SSL_Inspection"
        set srcintf "lan"                   <----- Source interface (LAN network).
        set dstintf "wan"                   <----- Destination interface (WAN, or the interface facing the DNS server).
        set srcaddr "all"                   <----- Source address (LAN network range).
        set dstaddr "DNS_Server_IP"         <----- Replace 'DNS_Server_IP' with the address object for the actual DNS server.
        set service "DoT"                   <----- Secure DNS (DNS over TLS) service.
        set action accept                   <----- Accept the traffic.
        set logtraffic all                  <----- Log all sessions on this rule (useful for troubleshooting).
        set utm-status enable               <----- Required for the inspection profile below to take effect.
        set ssl-ssh-profile "Custom-Deep-Inspection" <----- Apply the deep-inspection profile so FortiGate can decrypt the traffic.
    next
end

 

Because the DoT sessions matched by this policy are decrypted, the DNS queries and responses become visible to FortiGate, which can then map the resolved IP addresses to the wildcard FQDN object.

 

Note:

  • For this solution, the certificate configured in the 'Custom-Deep-Inspection' profile must be signed by a trusted CA. If the DNS servers do not trust FortiGate's certificate, the DNS requests will fail, and the wildcard FQDN object will not be populated.