As of FortiOS 7.0, it is possible to inspect DoT and DoH using a DNS Filter.
FortiGate can inspect DoT/DoH when the firewall policy inspection mode is set to proxy-based. However, note that DoH inspection is not supported when the firewall policy inspection mode is set to flow-based.
Use the following commands when debugging DNS Filter for DoH:
diag wad debug enable category dns
diag debug app dnsproxy -1
diag debug console timestamp enable
diag debug enable
The debug output shows the following sequence:
- The WAD detects the packet as a DoH and creates a session ID of 1021. The firewall policy ID is 4, the source IP address is 10.129.4.150, and the destination IP address is 146.112.41.2.
- The WAD sends the request to the DNS Proxy. The DNS Proxy uses the DNS Filter profile 'my-dns-profile' to process the DNS query for 'www.example.com' for its A record. It then detects an entry in the domain filter 'Auto-dnsfilter-domain-filter_c34ihv' for 'www.example.com', which has an action of redirecting to the SDNS server IP.
- The DNS Proxy then sends the result back to the WAD.
Initial WAD Debug output:
[I]2024-07-24 14:15:41.892826 wad_http_check_doh_media :68 msg(0x7f43876d25e8) is DoH.
[I]2024-07-24 14:15:41.892918 wad_dns_req_msg_send_hdr :170 send unreq to dnsproxy. msg_len=128, type=wad_clt_req, dnxproxy_local_id=0x0000, session_id=1021, flags=0, vfid=0, vrf=0, ifindex=4, policy_id=4, proto=6, src_addr=10.129.4.150, dst_addr=146.112.41.2
DNS Proxy Debug output:
2024-07-24 07:15:41 [worker 0] dns_unix_stream_packet_read()-424: type=0 len=128 session_id=1021 flags=0 dnsproxy_local_id==0x0000
2024-07-24 07:15:41 [worker 0] handle_dns_request()-2487: vfid=0 real_vfid=0 id=0x0000 pktlen=128 qr=0 req_type=2
2024-07-24 07:15:41 [worker 0] dns_parse_message()-603
2024-07-24 07:15:41 [worker 0] dns_policy_find_by_idx()-2918: vfid=0 idx=4
2024-07-24 07:15:41 [worker 0] dns_secure_log_request()-1123: id:0x0000 pktlen=128 profile=my-dns-profile ifindex=4
2024-07-24 07:15:41 [worker 0] dns_secure_log_request()-1177: write to log: qname=www.example.com qtype=1
2024-07-24 07:15:41 [worker 0] dns_profile_do_url_rating()-1971: vfid=0 profile=my-dns-profile category=255 domain=www.example.com
2024-07-24 07:15:41 [worker 0] dns_url_table_search()-1937: search domain www.example.com in Auto-dnsfilter-domain-filter_c34ihv
2024-07-24 07:15:41 [worker 0] dns_profile_do_url_rating()-2000: found static domain filter for www.example.com (table=Auto-dnsfilter-domain-filter_c34ihv action=2)
2024-07-24 07:15:41 [worker 0] dns_profile_do_url_rating()-2082: request filter result for www.example.com (type=1 action=2)
2024-07-24 07:15:41 [worker 0] dns_secure_apply_action()-2223: action=2 category=255 log=0 error_allow=0 profile=my-dns-profile
2024-07-24 07:15:41 [worker 0] dns_secure_answer_redir()-1574
2024-07-24 07:15:41 [worker 0] dns_send_response()-1645: domain=www.example.com reslen=49
2024-07-24 07:15:41 [worker 0] dns_secure_log_response()-1254: id:0x0000 domain=www.example.com profile=my-dns-profile action=2 log=0
2024-07-24 07:15:41 [worker 0] dns_policy_find_by_idx()-2918: vfid=0 idx=4
2024-07-24 07:15:41 [worker 0] dns_secure_log_response()-1502: write to log: logid=54400 qname=www.example.com
WAD processing of the DNS Proxy response:
[I]2024-07-24 14:15:42.054724 wad_dnsproxy_conn_proc_common_hdr :626 msg_len=52 msg_type=7 session_id=1021
[I]2024-07-24 14:15:42.054755 wad_dnsproxy_conn_proc_hdr :603 msg_len=52 msg_type=7 session_id=1021
[I]2024-07-24 14:15:42.054762 wad_dnsproxy_conn_proc_tlv :384 receiving response from dnsproxy: len=52, type=7, session_id=1021, flags=1 payload_len=52
[E]2024-07-24 14:15:42.054768 wad_http_req_doh_on_dns :164 dbsproxy_local_id=0x0000.
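As an added example (not part of the Fortinet article), the following Python script correlates the three excerpts above by session_id and policy_id and pulls out the DNS Filter verdict, which is useful when the debug output is long and the WAD and dnsproxy lines are interleaved. The sample strings are the key lines of this trace; the mapping of action=2 to a redirect to the SDNS server is an assumption taken from the article's description of the trace.

```python
import re

# Constructed sample input: the key lines from the three debug excerpts above.
WAD_OUT = """\
[I]2024-07-24 14:15:41.892826 wad_http_check_doh_media :68 msg(0x7f43876d25e8) is DoH.
[I]2024-07-24 14:15:41.892918 wad_dns_req_msg_send_hdr :170 send unreq to dnsproxy. msg_len=128, type=wad_clt_req, dnxproxy_local_id=0x0000, session_id=1021, flags=0, vfid=0, vrf=0, ifindex=4, policy_id=4, proto=6, src_addr=10.129.4.150, dst_addr=146.112.41.2
[I]2024-07-24 14:15:42.054762 wad_dnsproxy_conn_proc_tlv :384 receiving response from dnsproxy: len=52, type=7, session_id=1021, flags=1 payload_len=52
"""
DNSPROXY_OUT = """\
2024-07-24 07:15:41 [worker 0] dns_unix_stream_packet_read()-424: type=0 len=128 session_id=1021 flags=0 dnsproxy_local_id==0x0000
2024-07-24 07:15:41 [worker 0] dns_policy_find_by_idx()-2918: vfid=0 idx=4
2024-07-24 07:15:41 [worker 0] dns_secure_log_request()-1177: write to log: qname=www.example.com qtype=1
2024-07-24 07:15:41 [worker 0] dns_profile_do_url_rating()-2000: found static domain filter for www.example.com (table=Auto-dnsfilter-domain-filter_c34ihv action=2)
2024-07-24 07:15:41 [worker 0] dns_secure_apply_action()-2223: action=2 category=255 log=0 error_allow=0 profile=my-dns-profile
"""

KV = re.compile(r"(\w+)=+([^\s,()]+)")  # tolerates "k=v," "k=v)" and "k==v" forms

def parse_kv(line):
    """Return the key=value pairs on one debug line as a dict of strings."""
    return dict(KV.findall(line))

def trace_doh_session(wad_out, dnsproxy_out):
    """Correlate the WAD handoff, the dnsproxy verdict and the WAD response by session_id/policy_id."""
    t = dict(doh_detected=False, handoff_seen=False, policy_matched=False, response_seen=False)
    for line in wad_out.splitlines():
        kv = parse_kv(line)
        if "is DoH" in line:
            t["doh_detected"] = True
        elif "send unreq to dnsproxy" in line:  # WAD hands the query to dnsproxy
            t.update(session_id=kv["session_id"], policy_id=kv["policy_id"],
                     src=kv["src_addr"], dst=kv["dst_addr"])
        elif "receiving response from dnsproxy" in line:  # answer must carry the same session_id
            t["response_seen"] = kv.get("session_id") == t.get("session_id")
    for line in dnsproxy_out.splitlines():
        kv = parse_kv(line)
        if "dns_unix_stream_packet_read" in line:  # dnsproxy received the same session
            t["handoff_seen"] = kv.get("session_id") == t.get("session_id")
        elif "dns_policy_find_by_idx" in line:  # idx must equal the WAD policy_id
            t["policy_matched"] = kv.get("idx") == t.get("policy_id")
        elif "write to log: qname=" in line:
            t.update(qname=kv.get("qname"), qtype=kv.get("qtype"))
        elif "found static domain filter" in line:
            t.update(table=kv.get("table"), action=kv.get("action"))
        elif "dns_secure_apply_action" in line:
            t.update(profile=kv.get("profile"), action=kv.get("action"))
    # ASSUMPTION: this trace shows action=2 as a redirect to the SDNS server; other codes stay "unknown".
    t["verdict"] = {"2": "redirect-to-sdns"}.get(t.get("action"), "unknown")
    return t
```

Call trace_doh_session(WAD_OUT, DNSPROXY_OUT) on the two excerpts; every flag should be True and the verdict redirect-to-sdns, and a False flag points at the stage (handoff, policy lookup, or response) where the session_id or policy_id stopped matching.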