Blocking DNS over HTTPS (DoH) on FortiGate Firewalls: A Comprehensive Guide

DNS over HTTPS (DoH) carries DNS queries inside ordinary HTTPS sessions, so on-path observers can no longer read or alter them. That is a privacy gain for users, but it also lets a client bypass the resolver and the DNS-layer controls an organization relies on for filtering, logging and malware detection. This guide describes how to block DoH on FortiGate firewalls, the approaches available and the trade-offs of each.

Understanding the Challenges of Blocking DoH

Blocking DoH is harder than blocking plain DNS because DoH is just HTTPS: the queries travel over TCP port 443 inside TLS, exactly like web traffic. A port-based rule therefore cannot single it out, and denying port 443 blocks the web along with DoH. Identification has to rely on something more specific: the destination hostname (visible in the TLS Server Name Indication or in the server certificate even without decryption), the destination IP address, a FortiGuard application signature, or, once the session is decrypted, the request itself (RFC 8484 DoH requests use the path /dns-query and the media type application/dns-message). Granular, layered controls are therefore necessary.

Methods for Blocking DoH on FortiGate

FortiGate firewalls offer several mechanisms to mitigate DoH traffic. The most effective approach often involves a combination of methods:

1. Application Control

FortiGate's Application Control can identify and block DoH traffic using signatures from the FortiGuard application database, so the database must be kept current. Without SSL decryption the match relies on the hostnames and certificates of known DoH endpoints; DoH to an unknown or self-hosted resolver only becomes recognizable once the traffic is decrypted (see method 4 below). Expect some implementations to slip through.

Configuration Steps (example): Create an Application Control profile with an entry that blocks the application identified as "DNS over HTTPS" (or similar, depending on the database version), then attach the profile to the security policy that carries the clients' Internet traffic together with an SSL/SSH inspection profile (at least certificate inspection, which is what exposes the hostname to the signature engine). Refer to your FortiGate's documentation for specific steps, as the interface varies slightly between firmware versions.

2. Web Filtering

If you know which DoH providers clients use (e.g., Cloudflare's DoH endpoints), web filtering can block access to those hostnames. With certificate inspection the FortiGate matches the hostname taken from the TLS SNI or the server certificate; with deep inspection it can also match the request path. This is a targeted approach that only covers the endpoints on your list, so it needs continuous maintenance as new providers appear and as clients are pointed at other, including self-hosted, resolvers.

Configuration Steps (example): Create a URL filter that blocks the DoH server hostnames (e.g., cloudflare-dns.com), reference it from a web filtering profile, and apply that profile to the appropriate security policies.

3. DNS Filtering

FortiGate's built-in DNS filtering controls plain DNS (UDP/TCP port 53) passing through the firewall: you can block specific queries or domains, or redirect them to your own DNS server. Against DoH its role is to stop the bootstrap step, the ordinary DNS lookup a client must perform to learn the IP address of its DoH endpoint (e.g., cloudflare-dns.com). It cannot see the DoH traffic itself, and a client that ships with a hard-coded resolver address never issues that lookup, so DNS filtering alone is not sufficient against sophisticated clients. Browsers that honour a canary domain are the exception worth using: Firefox disables its default DoH when the resolver answers NXDOMAIN, SERVFAIL or an empty answer for use-application-dns.net. An answer that substitutes a block-page IP address does not satisfy that check, so implement the canary on your internal resolver or verify what the FortiGate actually returns.

Configuration Steps (example): Create a DNS filter profile whose domain filter blocks (or redirects) the DoH endpoint hostnames, then associate this profile with the appropriate security policies.

4. DPI (Deep Packet Inspection)

On FortiGate, DPI of HTTPS means SSL/SSH deep inspection (full SSL inspection): the firewall terminates the client's TLS session, decrypts it, inspects the plaintext and re-encrypts it towards the server. Only then can Application Control and Web Filtering see the HTTP request itself and classify DoH by content, including requests to endpoints that appear on no list. It is the most comprehensive method but also the most expensive: decryption consumes CPU and can reduce throughput, clients must trust the FortiGate's inspection CA certificate or every HTTPS site shows certificate errors, and applications that pin certificates break and need exemptions. Consider those implications carefully.

Configuration Steps (example): Apply an SSL/SSH inspection profile set to full SSL inspection (the built-in deep-inspection profile, or a copy of it) to the policy alongside the Application Control and Web Filtering profiles, deploy the inspection CA certificate to managed clients, and define exemptions for pinned or sensitive destinations. Consult FortiGate documentation for detailed instructions.
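As an added example for methods 1 through 4 together (it is not taken from the original guide or from Fortinet documentation), the following FortiOS CLI fragment builds the Application Control, Web Filtering and DNS Filtering profiles and binds them, with deep inspection, to a single egress policy. It assumes the LAN interface is named internal and the uplink wan1, that policy ID 100 and table ID 10 are unused, that the built-in deep-inspection profile's CA is already trusted by clients, and it uses an illustrative list of DoH hostnames; the application signature ID is a placeholder to be looked up on your own unit. Lines beginning with # are comments.

```fortios
# Added illustration, not Fortinet's reference configuration.
# Assumed names: interfaces "internal" and "wan1", free policy ID 100,
# free URL-filter and domain-filter table ID 10, profile name "block-doh".

# 1. Application Control: block the FortiGuard DoH signature.
#    The CLI references signatures by numeric ID; look the ID up under
#    Security Profiles > Application Signatures before pasting this.
config application list
    edit "block-doh"
        set comment "Block DNS over HTTPS"
        config entries
            edit 1
                set application <ID of the DNS over HTTPS signature>
                set action block
            next
        end
    next
end

# 2. Web Filtering: block known DoH endpoints by hostname. Under certificate
#    inspection the match is on the TLS SNI / certificate name, so entries are
#    hostnames, not paths. Illustrative list; extend it for your environment.
config webfilter urlfilter
    edit 10
        set name "doh-endpoints"
        config entries
            edit 1
                set url "cloudflare-dns.com"
                set type simple
                set action block
            next
            edit 2
                set url "*.cloudflare-dns.com"
                set type wildcard
                set action block
            next
            edit 3
                set url "dns.google"
                set type simple
                set action block
            next
        end
    next
end

config webfilter profile
    edit "block-doh"
        config web
            set urlfilter-table 10
        end
    next
end

# 3. DNS Filtering: stop the plain-DNS bootstrap lookup of the same hostnames
#    so a client cannot learn the resolver's address in the first place.
#    Only effective for clients without a hard-coded resolver IP.
config dnsfilter domain-filter
    edit 10
        set name "doh-bootstrap"
        config entries
            edit 1
                set domain "cloudflare-dns.com"
                set type simple
                set action block
            next
            edit 2
                set domain "dns.google"
                set type simple
                set action block
            next
        end
    next
end

config dnsfilter profile
    edit "block-doh"
        config domain-filter
            set domain-filter-table 10
        end
    next
end

# 4. Bind everything to the egress policy. "deep-inspection" decrypts HTTPS so
#    Application Control can match DoH by content, not only by hostname. Use
#    "certificate-inspection" instead if you cannot deploy the CA to clients,
#    accepting hostname-only matching.
config firewall policy
    edit 100
        set name "lan-to-internet-block-doh"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set inspection-mode proxy
        set ssl-ssh-profile "deep-inspection"
        set application-list "block-doh"
        set webfilter-profile "block-doh"
        set dnsfilter-profile "block-doh"
        set logtraffic all
        set nat enable
    next
end
```

Test from a client behind the policy before rolling it out: ordinary browsing must still work, a client configured for DoH should fail to reach its endpoint, and the blocks should show up in the application control, web filter and DNS query logs under Log & Report. Keep this policy above any broader permit rule, since FortiGate evaluates policies top-down and a more general rule listed first would carry the traffic without these profiles.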

Considerations and Best Practices

Warning: Incorrectly configuring DoH blocking can disrupt legitimate HTTPS traffic. Thoroughly test your configurations in a controlled environment before deploying them to production networks.

This guide provides a general overview. Refer to your FortiGate's official documentation for detailed, version-specific instructions and best practices. Always prioritize thorough testing and careful consideration of the potential impact on your network and users.