Unlock Exclusive Benefits
Join Our Community Today!
Join our Community and post in the forum to earn your exclusive badge; celebrating 3 years of the Fortinet Community!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- DNS over HTTPS/TLS not getting blocked
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
DNS over HTTPS/TLS not getting blocked
Was doing some log parsing and came across some traffic flows that had me scratching my head. I have a policy with DPI enabled, but I do have reputable websites with various categories and address objects exempt. I also have a application control profile applied to said policy where I explicitly block DNS over HTTPS and DNS over TLS.
The traffic in question going through that policy shows traffic to dns.google (8.8.8.8) with application of DNS over HTTPS and DNS over TLS as Allowed (again, app control profile has it set to block). My assumption is, that due to my DPI profile having pretty much all things google exempt, this is causing the traffic to pass Allowed. This seems the most logical reason, but just wanted to bounce this out there and get some thoughts if I'm on the right track or there is some other "rabbit hole" I need to go down.
Solved! Go to Solution.
Labels:
- Labels:
-
FortiGate
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
1 Solution
Created on 08-28-2024 07:22 AM Edited on 08-28-2024 07:23 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey Cajuntank,
if you have configured an exemption for broadly all things Google, then it is indeed very likely the reason that the traffic is allowed. If it's exempted from inspection, that means any subsequent UTM filters do not apply, and the traffic is simply passed through.
You could create another policy above it (specific to DNS and/or DNS via TLS/HTTPS), and apply deep inspection without the exemption, so DNS traffic IS inspected, but other Google-related traffic goes through your current policy and IS exempted.
+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
5 REPLIES 5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello
I believe that the signature(DNS over HTTPS\TLS) requires "deep-inspection" to identify and perform the action.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, sorry if I wasn't clear on that. When I say DPI, I mean deep packet inspection. So yes, I have deep packet inspection certificate enabled on this policy along with the app control profile blocking DNS over HTTPS/TLS, but since the DNS over HTTPS/TLS is occurring on traffic to a exempt domain (in this instance, google's DNS) in that deep inspection certificate profile, I am thinking this might be why its passing through instead of being blocked. That is the logic I am trying to confirm or if there is something else I might need to look at. I know I can block port 853, but does not help with DNS over HTTPS and I am just wanting to confirm my logic.
Created on 08-28-2024 07:22 AM Edited on 08-28-2024 07:23 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey Cajuntank,
if you have configured an exemption for broadly all things Google, then it is indeed very likely the reason that the traffic is allowed. If it's exempted from inspection, that means any subsequent UTM filters do not apply, and the traffic is simply passed through.
You could create another policy above it (specific to DNS and/or DNS via TLS/HTTPS), and apply deep inspection without the exemption, so DNS traffic IS inspected, but other Google-related traffic goes through your current policy and IS exempted.
+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not really wrapping my brain around this one to do a good workflow to be honest. I have a policy that blocks DNS (port53) for my users to ensure they are forced to use my internal DNS. I can block port 853 to mitigate against DNS over TLS. So with DNS over HTTPS, while I can do a deep inspection profile with no exemptions for example, I'd still have to focus it to a destination. If I'm having to do that, in this example being 8.8.8.8, then I might as well just block port 443 access to 8.8.8.8 (and 8.8.4.4 if we are talking about just Google). I'm just not sure how to "surgically" exclude Google DNS from a deep inspection profile while allowing all other things Google due to the exhaustive nature of Google...if that makes sense.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So the way I see it, I had two choices. The one you mentioned at first caused me to scratch my head some... like I was still missing something. It's not until I found that there is a Google-DNS Internet Service entry. So I can either deny or deep packet inspect on policy with that entry along with a custom deep packet profile not trusting anything... so it's either deny all or scan it and it should deny based on app control profile. Sounds like my best bet is to deny (which I've done as that seem like it would be less CPU cycles for the hardware to deal with).
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,607 -
FortiClient
1,735 -
5.2
801 -
FortiManager
719 -
5.4
639 -
FortiAnalyzer
552 -
FortiSwitch
468 -
FortiAP
464 -
FortiClient EMS
421 -
6.0
416 -
5.6
362 -
FortiMail
315 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
234 -
Fortiweb
203 -
IPsec
201 -
5.0
196 -
FortiNAC
185 -
FortiGuard
138 -
6.4
128 -
SD-WAN
113 -
FortiGateCloud
102 -
FortiSIEM
98 -
FortiCloud Products
96 -
FortiAuthenticator
94 -
FortiToken
89 -
Customer Service
79 -
Firewall policy
78 -
Wireless Controller
77 -
4.0MR3
64 -
FortiProxy
59 -
High Availability
55 -
Fortivoice
53 -
FortiADC
53 -
FortiEDR
51 -
vlan
51 -
ZTNA
48 -
FortiExtender
45 -
FortiSandbox
44 -
Routing
44 -
FortiDNS
42 -
DNS
42 -
LDAP
41 -
BGP
40 -
Authentication
36 -
FortiGate v5.4
35 -
SAML
35 -
FortiSwitch v6.4
34 -
NAT
34 -
Certificate
34 -
RADIUS
32 -
SSO
31 -
Interface
31 -
FortiLink
29 -
FortiConnect
28 -
FortiWAN
27 -
VDOM
27 -
Web profile
26 -
FortiConverter
25 -
Application control
25 -
FortiGate v5.2
24 -
Logging
24 -
SSL SSH inspection
23 -
FortiPAM
22 -
Virtual IP
22 -
Fortigate Cloud
20 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
FortiMonitor
18 -
Traffic shaping
17 -
WAN optimization
16 -
FortiDDoS
15 -
OSPF
15 -
SSID
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
Automation
14 -
Static route
14 -
System settings
14 -
IP address management - IPAM
14 -
snmp
13 -
FortiCASB
12 -
Admin
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
FortiManager v4.0
10 -
IPS signature
10 -
Security profile
10 -
FortiAP profile
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
Traffic shaping policy
9 -
Proxy policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
Explicit proxy
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
Web rating
6 -
Fortinet Engage Partner Program
6 -
FortiGate-VM
5 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
Authentication rule and scheme
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
Cloud Management Security
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
TACACS
2 -
Schedule
2 -
SDN connector
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1688 | |
| 1087 | |
| 752 | |
| 446 | |
| 226 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.