DNS over TLS (DoT) on the Fortigate

    Posted 11-20-2019 01:06

    Manny Fernandez

    I recently wrote an article about the differences between DNS over HTTPS and DNS over TLS.  Now, as promised, I will show how to configure DoT.  Let's get started.

    Requirements: FortiOS 6.2.x

    As stated above, you need FortiOS 6.2.x to configure this feature.

    2019-11-19_20-20-14.png

    Here we can see that DNS over TLS is disabled, which is the default.

    2019-11-19_20-24-06.png

    Here we can see a packet capture of a standard DNS query.  As you can see, this traffic is plain UDP on port 53.

    2019-11-19_23-14-14.png

    In the screenshot above, DNS over TLS is set to Enforce, which is strict mode: the FortiGate only sends its queries over TLS and does not fall back to plain DNS if the TLS connection cannot be established.  You will also need to choose the certificate you want to use from the drop-down.

    2019-11-19_20-24-54.png

    The Enable option is actually opportunistic mode.  In this mode, the FortiGate (acting as the DNS client) attempts a TLS connection on TCP port 853 and, if that fails, falls back to standard DNS on UDP port 53.

    2019-11-19_20-30-50.png

    Here you can see the packet capture after turning on DoT.  Notice that the queries now use TCP and port 853.
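    To make the two modes concrete, here is an added Python illustration of what the FortiGate is doing on the wire.  It is not FortiGate code and not from the original post; it is a small RFC 7858 client whose "strict" mode behaves like the Enforce setting (TLS on TCP 853 only, fail closed) and whose "opportunistic" mode behaves like the Enable setting (try TCP 853, fall back to UDP 53).  The sample response bytes are constructed by hand so the parsing can be checked offline; the resolver address and name used in the usage comment are placeholders.

```python
"""Added illustration of DNS over TLS (RFC 7858) from the client side.

Not FortiGate code. It mimics the two modes described in the post:
  strict        -> like the 'Enforce' setting: TLS on TCP 853 only, fail closed
  opportunistic -> like the 'Enable' setting: try TLS 853, fall back to UDP 53
The sample packet bytes below are constructed by hand for offline checks.
"""
import secrets
import socket
import ssl
import struct
from typing import Optional

DOT_PORT = 853   # DNS over TLS, TCP (RFC 7858)
DNS_PORT = 53    # classic DNS, UDP


def build_query(name: str, qtype: int = 1, txid: Optional[int] = None) -> bytes:
    """Build a minimal RFC 1035 query (qtype 1 = A) with the RD bit set."""
    txid = secrets.randbits(16) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def frame_tcp(message: bytes) -> bytes:
    """Over TCP/TLS every DNS message carries a 2-byte big-endian length prefix
    (RFC 1035 section 4.2.2); this is the framing inside the port-853 stream."""
    return struct.pack("!H", len(message)) + message


def _skip_name(buf: bytes, off: int) -> int:
    """Advance past a (possibly compressed) domain name; return the new offset."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_answers(resp: bytes) -> dict:
    """Return txid, RCODE and any IPv4 addresses from the answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    off = 12
    for _ in range(qd):                # question: name + qtype + qclass
        off = _skip_name(resp, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:  # A record
            addrs.append(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return {"txid": txid, "rcode": flags & 0x0F, "addresses": addrs}


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("resolver closed the connection mid-message")
        buf += chunk
    return buf


def _query_dot(query, server, server_name, ca_file, timeout) -> dict:
    ctx = ssl.create_default_context(cafile=ca_file)   # verifies chain and name
    with socket.create_connection((server, DOT_PORT), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name or server) as tls:
            tls.sendall(frame_tcp(query))
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            return parse_answers(_recv_exact(tls, length))


def _query_udp(query, server, timeout) -> dict:
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        udp.settimeout(timeout)
        udp.sendto(query, (server, DNS_PORT))
        data, _peer = udp.recvfrom(4096)
        return parse_answers(data)


def resolve(name, server, mode="strict", server_name=None, ca_file=None, timeout=3.0) -> dict:
    """Resolve `name` via `server` in 'strict' (Enforce) or 'opportunistic' (Enable) mode."""
    if mode not in ("strict", "opportunistic"):
        raise ValueError("mode must be 'strict' or 'opportunistic'")
    txid = secrets.randbits(16)
    query = build_query(name, txid=txid)
    try:
        result = _query_dot(query, server, server_name, ca_file, timeout)
        result["transport"] = "tls/853"
    except OSError as exc:                  # ssl.SSLError is an OSError subclass
        if mode == "strict":
            raise RuntimeError(f"DoT to {server} failed and strict mode forbids fallback: {exc}") from exc
        result = _query_udp(query, server, timeout)
        result["transport"] = "udp/53"      # opportunistic: silently downgraded to plaintext
    if result["txid"] != txid:
        raise RuntimeError("transaction ID mismatch: response is not for our query")
    return result


# Constructed sample response (not a real capture): answer to the example.com A query
# with txid 0x1234, one A record 93.184.216.34, name given as a compression pointer.
SAMPLE_RESPONSE = bytes.fromhex(
    "1234" "8180" "0001" "0001" "0000" "0000"
    "076578616d706c6503636f6d00" "0001" "0001"
    "c00c" "0001" "0001" "0000012c" "0004" "5db8d822"
)

if __name__ == "__main__":
    print(parse_answers(SAMPLE_RESPONSE))
    # Live use (needs network; placeholder resolver/name, not from the post):
    # print(resolve("example.com", "192.0.2.53", mode="strict", server_name="dot.example.net"))
```

    The point to notice is the `except OSError` branch: in opportunistic mode any TLS failure, including a deliberately blocked or tampered port 853, quietly turns the lookup back into the UDP 53 traffic seen in the first capture, which is why Enforce is the setting to use when the goal is to keep DNS off the wire in the clear.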

    DoH Blocking

    If you want to block DNS over HTTPS, Fortinet has an application signature for it, which you apply through an application control profile on the relevant firewall policy.

    2019-11-19_22-46-10.png