FortiGate and DNS over HTTPS (DoH): A Comprehensive Guide to Blocking and Management

DNS over HTTPS (DoH) offers privacy benefits by encrypting DNS queries, but it also presents challenges for network security administrators. This guide explores how to effectively manage and, if necessary, block DoH traffic on your FortiGate firewall.

Understanding DNS over HTTPS (DoH)

Traditionally, DNS queries were sent in plain text, making them vulnerable to eavesdropping and manipulation. DoH encrypts these queries using HTTPS, preventing third parties from seeing what websites a user is accessing. While this enhances privacy, it also makes it harder for network administrators to monitor and control DNS traffic, potentially hindering security measures like content filtering and malware prevention.

Why Block (or Manage) DoH on FortiGate?

Several reasons might lead you to consider blocking or managing DoH on your FortiGate:

Blocking DoH on FortiGate

FortiGate offers several methods to manage and block DoH traffic. The most effective approach often involves a combination of techniques:

1. DNS Filtering and Web Filtering

FortiGate's built-in DNS filtering and web filtering capabilities can be leveraged to mitigate the risks associated with DoH. By configuring appropriate policies, you can block access to known DoH resolvers. This doesn't completely prevent DoH, since a client can be pointed at a resolver that is not on the list, but it significantly reduces its effectiveness.

2. Application Control

FortiGate's Application Control feature can identify and control DoH traffic based on application signatures. You can create policies to block or restrict access to specific DoH applications or to all DoH traffic. This method requires keeping application signatures updated.

3. Deep Packet Inspection (DPI)

With DPI enabled, FortiGate can inspect the contents of encrypted traffic. Because DoH rides inside TLS, this means SSL deep inspection: the FortiGate terminates and re-signs the TLS session, so clients must trust its CA certificate, and the extra processing may impact performance. In return it allows more granular control over DoH traffic, even though the traffic is encrypted on the wire.

4. Custom DNS Forwarders

Instead of blocking DoH entirely, you can steer users to a DNS forwarder managed by your FortiGate. You keep control over DNS resolution, and users can still use DoH as long as it is configured to go through your managed DNS server.

Configuring DoH Management on FortiGate

The exact configuration steps vary depending on your FortiGate model and firmware version. Consult your FortiGate's documentation for detailed instructions. Generally, the process involves creating firewall policies that inspect and filter traffic based on the methods described above. You'll need to define specific DoH resolver addresses or use application control to identify DoH traffic.
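To show what identifying DoH traffic by resolver address and by application signature actually involves (and why resolver lists alone are partial), here is an added detection example, not FortiGate code or configuration. It scans constructed HTTP log lines (assumed format "method url content-type", with example.net/example.org resolver names as placeholders) for the RFC 8484 indicators, the application/dns-message media type and the /dns-query path, and decodes the queried name from the GET form of the request.

```python
import base64
import struct
from urllib.parse import parse_qs, urlsplit

DOH_CONTENT_TYPE = "application/dns-message"  # media type mandated by RFC 8484
QTYPE_NAMES = {1: "A", 28: "AAAA", 65: "HTTPS"}

# Constructed sample lines, format "<method> <url> <content-type>"; the dns=
# value is the RFC 8484 example query for www.example.com, type A.
SAMPLE_LOGS = [
    "GET https://doh.example.net/dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB application/dns-message",
    "POST https://resolver.example.org/dns-query application/dns-message",
    "GET https://www.example.com/index.html text/html",
]

def decode_dns_question(wire):
    """Return (qname, qtype) from the first question of a DNS wire-format message."""
    if len(wire) < 12 or struct.unpack("!H", wire[4:6])[0] < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(wire):
            raise ValueError("truncated question name")
        length = wire[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers are not valid in a question name
            raise ValueError("compressed label in question")
        labels.append(wire[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels), struct.unpack("!H", wire[pos:pos + 2])[0]

def classify_request(method, url, content_type):
    """Return DoH details for one request, or None when no DoH indicator is present."""
    parts = urlsplit(url)
    if content_type != DOH_CONTENT_TYPE and not parts.path.endswith("/dns-query"):
        return None  # a resolver on a custom path with a disguised media type slips past
    hit = {"resolver": parts.hostname, "method": method, "qname": None, "qtype": None}
    dns_param = parse_qs(parts.query).get("dns")
    if method == "GET" and dns_param:  # GET form carries the query as unpadded base64url
        raw = dns_param[0]
        wire = base64.urlsafe_b64decode(raw + "=" * (-len(raw) % 4))
        qname, qtype = decode_dns_question(wire)
        hit["qname"], hit["qtype"] = qname, QTYPE_NAMES.get(qtype, str(qtype))
    return hit  # POST bodies are not in the log, so only the resolver is known

def scan_log(lines):
    return [h for h in (classify_request(*line.split(" ", 2)) for line in lines) if h]
```

Only the GET form exposes the queried name without decrypting the body; the POST hit shows why resolver address and application signature are what the firewall has to work with before deep inspection.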

Considerations and Best Practices

Conclusion

Managing DoH on FortiGate requires a strategic approach balancing security, performance, and user experience. By understanding the available methods and implementing appropriate policies, you can effectively control DoH traffic while maintaining a secure and efficient network.