Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
ericwang_FTNT
Staff
Staff

Created on ‎07-16-2019 06:33 AM Edited on ‎07-27-2024 07:13 AM By Moderator

Article Id 193862

Technical Tip: DoH/DoT traffic bypassing FortiOS DNS filter

Description

 

This article explains why Doh/DoT traffic bypasses the FortiOS DNS filter. DNS over HTTPS (DoH) and DNS over TLS (DoT) are new technologies that allow secure, encrypted DNS transactions.

FortiOS DNS filter is based on the standard DNS protocol; as such, the configured DNS filter policies can be bypassed using DoH or DoT, unless the FortiOS firewall policies explicitly block DoH/DoT services.

Scope

 

FortiOS when using DNS filter.

Solution

 

The support for DoH/DoT filtering in FortiOS currently is under evaluation.

The current solution is to prevent DNS over HTTPS and DNS over TLS remote services.

To do that, FortiOS administrators may block the TLS (generally TCP port 853) and HTTPS (generally TCP port 443) traffic to publicly known DoT/DoH service providers, using FortiOS firewall policies.

Another strategy is using Web filter policies instead of DNS filtering to perform website or URL access control.

Starting from FortiOS 7.0, FortiGate can now inspect DoT/DoH traffic:
New features or enhancements

Labels:
9147
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.