
Handbook

DNS filter

6.0.0

DNS filter

You can configure DNS web filtering to allow, block, or monitor access to web content according to FortiGuard categories. When DNS web filtering is enabled, your FortiGate must use the FortiGuard DNS service for DNS lookups. DNS lookup requests sent to the FortiGuard DNS service return with an IP address and a domain rating that includes the FortiGuard category of the web page.

If that FortiGuard category is set to block, the result of the DNS lookup is not returned to the requester. If the category is set to redirect, then the address returned to the requester points at a FortiGuard redirect page.

You can also allow or monitor access based on FortiGuard category.

Blocking DNS requests to known botnet command & control addresses

FortiGuard maintains a database containing a list of known botnet command and control (C&C) addresses. This database is updated dynamically and stored on the FortiGate and requires a valid FortiGuard AntiVirus subscription.

When this feature is enabled, IPS checks DNS lookups against the botnet C&C database. All matching DNS lookups are blocked. Matching uses a reverse prefix match, so all sub-domains of a listed domain are also blocked.

To enable this feature, go to Security Profiles > DNS Filter, and enable Block DNS requests to known botnet C&C.

Static Domain Filter

The DNS Static Domain Filter allows you to block, exempt, or monitor DNS requests by using IPS to look inside DNS packets and match the domain being looked up against the domains on the static URL filter list. If there is a match, the DNS request can be blocked, exempted, monitored, or allowed.

If blocked, the DNS request is dropped, so the user cannot resolve the address or connect to the site.

If exempted, access to the site is allowed even if another method is used to block it.

CLI commands

  • Configure DNS domain filter lists to decide access for specific domains (the `config entries` sub-table needs its own `end` before the outer `next`):

config dnsfilter domain-filter
    edit {id}
        set id {integer}
        set name {string}
        set comment {string}
        config entries
            edit {id}
                set id {integer}
                set domain {string}
                set type {simple | regex | wildcard}
                set action {block | allow | monitor}
                set status {enable | disable}
            next
        end
    next
end

  • Configure a DNS filter profile (the `config ftgd-dns` sub-table is closed with `end` before the profile-level settings):

config dnsfilter profile
    edit "dns_profile1"
        config domain-filter
            set domain-filter-table <id>
            set external-blocklist [addr1] [addr2] [addr3]
        end
        config ftgd-dns
            config filters
                edit 1
                    set category 49
                    set action block
                    set log enable
                next
                edit 2
                    set category 71
                    set action monitor
                    set log enable
                next
            end
        end
        set log-all-url disable
        set block-action redirect
        set redirect-portal 0.0.0.0
        set block-botnet enable
    next
end

  • Apply the DNS filter profile in a firewall policy:

config firewall policy
    edit 1
        set srcintf "any"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "FTP"
        set utm-status enable
        set dnsfilter-profile "dns_profile1"
        set profile-protocol-options "default"
        set nat enable
    next
end

  • Apply the DNS filter profile in a profile group:

config firewall profile-group
    edit "pgrp1"
        set dnsfilter-profile "dns_profile1"
        set profile-protocol-options "default"
    next
end
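As an added illustration (not Fortinet's code and not how FortiOS is implemented), the following Python models how a single DNS lookup is evaluated against the settings above: the static domain-filter entry types and actions, the reverse-prefix botnet C&C match, and the block-action/redirect-portal handling. The evaluation order, the treatment of monitor entries, and the sample domains are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed stand-in for one "config dnsfilter domain-filter" entry
# (set domain / set type / set action / set status).
@dataclass
class DomainEntry:
    domain: str
    type: str = "simple"     # simple | regex | wildcard
    action: str = "block"    # block | allow | monitor
    status: str = "enable"   # enable | disable

def entry_matches(entry, qname):
    """Does the looked-up name match this static domain-filter entry?"""
    if entry.status != "enable":
        return False
    q = qname.lower().rstrip(".")
    if entry.type == "simple":
        return q == entry.domain.lower()
    if entry.type == "wildcard":   # '*' stands for any run of characters
        pattern = re.escape(entry.domain.lower()).replace(r"\*", ".*")
        return re.fullmatch(pattern, q) is not None
    return re.search(entry.domain, q) is not None   # regex entry

def botnet_cc_match(qname, cc_domains):
    """Reverse-prefix match: a listed C&C domain also covers all its sub-domains."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in cc_domains)

def evaluate(qname, resolved_ip, category, entries, cc_domains, category_actions,
             block_botnet=True, block_action="redirect", redirect_portal="0.0.0.0"):
    """Return (verdict, answer): verdict is allow|monitor|block, answer is the IP
    handed back to the requester (None when withheld). Assumed order: static
    domain filter, then botnet C&C database, then FortiGuard category rating."""
    blocked = ("block", redirect_portal if block_action == "redirect" else None)
    verdict = "allow"
    for e in entries:
        if entry_matches(e, qname):
            if e.action == "allow":       # exempt: bypasses every later check
                return "allow", resolved_ip
            if e.action == "block":
                return blocked
            verdict = "monitor"           # monitor: log it, keep evaluating
            break
    if block_botnet and botnet_cc_match(qname, cc_domains):
        return blocked
    cat_action = category_actions.get(category, "allow")
    if cat_action == "block":
        return blocked
    return ("monitor" if cat_action == "monitor" else verdict), resolved_ip
```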

DNS profile supports safe search

Pre-defined DNS filter rules let you enforce safe search for Google, Bing, and YouTube from a DNS profile.

To add safe search to a DNS profile - GUI

  1. Go to Security Profiles > DNS Filter.
  2. Edit the default filter or create a new one.
  3. Enable Enforce 'Safe Search' on Google, Bing, YouTube.
  4. Select Strict or Moderate level for Restrict YouTube Access.

To add safe search to a DNS profile - CLI

config dnsfilter profile
    edit "default"
        set safe-search enable
        set youtube-restrict {strict | moderate}   (only available if safe-search is enabled)
    next
end
