Article Id 198514

FortiOS DNS filter unable to control encrypted DNS traffic

Severity: 3 - Medium

Acknowledgement: Fortinet thanks John Headley from VPLS Solutions for bringing this issue to our attention together with supporting proof.


FortiOS 6.4.x and earlier when using DNS Filter
Impact: DNS filter bypass, Operational Risk
Impact Detail:
DNS over HTTPS (DoH) and DNS over TLS (DoT) are new technologies that allow secure, encrypted DNS transactions. FortiOS DNS filter is based on the standard DNS protocol; as such, the configured DNS filter policies can be bypassed using DoH or DoT, unless the FortiOS firewall policies explicitly block DoH/DoT services.
Affected Products:

The FortiOS DNS Filter in firmware versions 6.4.x and lower supports only the standard DNS protocol.

Upgrade to FortiOS 7.0.x or later. More details on the new DoH/DoT support in DNS Filter are available in the FortiOS documentation.


Block access to remote DNS over HTTPS and DNS over TLS services.

To do that, FortiOS administrators can use firewall policies to block TLS traffic (generally TCP port 853) and HTTPS traffic (generally TCP port 443) destined for publicly known DoT/DoH service providers.
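The workaround above written out as FortiOS CLI, as an added example that is not part of the advisory. The interface names, the object names and the FQDN dns.example.com are placeholders to be replaced with the resolvers identified in your environment. The example also goes one step beyond the advisory text: because DoT uses a dedicated port, TCP 853 can be denied to any destination, whereas HTTPS must be denied only to the known resolver group, since port 443 is shared with ordinary web traffic.

```fortios
# Added example, not from the advisory: deny DoT/DoH egress so clients fall back
# to plain DNS, which the DNS Filter profile can inspect. Object names, interface
# names and the FQDN below are placeholders.

# 1. Address objects for known encrypted-DNS resolvers (placeholder FQDN).
config firewall address
    edit "DoH-resolver-placeholder"
        set type fqdn
        set fqdn "dns.example.com"
    next
end
config firewall addrgrp
    edit "Encrypted-DNS-Resolvers"
        set member "DoH-resolver-placeholder"
    next
end

# 2. Custom service for DNS over TLS (TCP 853). HTTPS (TCP 443) is predefined.
config firewall service custom
    edit "DNS-over-TLS"
        set tcp-portrange 853
    next
end

# 3a. DoT has its own port, so it can be denied to any destination.
config firewall policy
    edit 0
        set name "Block-DoT-Any"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "DNS-over-TLS"
        set logtraffic all
    next
end

# 3b. DoH shares TCP 443 with normal web traffic, so deny HTTPS only towards
#     the known resolver group; a blanket 443 deny would break web access.
config firewall policy
    edit 0
        set name "Block-DoH-Known-Resolvers"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "Encrypted-DNS-Resolvers"
        set action deny
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
end
```

FortiOS evaluates firewall policies top-down with first match, so both deny policies must sit above the general outbound allow policy; after `edit 0` assigns them an ID, reorder with `move <deny-id> before <allow-id>` inside `config firewall policy`. `set logtraffic all` records every denied attempt, which gives a simple way to spot clients that are configured for encrypted DNS and are therefore not being covered by the DNS filter.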

Note: Another strategy is using Web filter policies instead of DNS filtering to perform website or URL access control.