Local domain filter
In addition to the FortiGuard category-based domain filter, you can define a local static domain filter to allow or block specific domains.
In a DNS filter profile, the local domain filter has a higher priority than the FortiGuard category-based domain filter. DNS queries are scanned and matched against the local domain filter first.
- If the local domain filter action is set to block and an entry matches, then that DNS query is blocked and redirected.
- If the local domain filter action is set to allow and an entry matches, the query skips the FortiGuard category-based domain filter and the resolved address is returned directly to the client DNS resolver.
- If the local domain filter action is set to monitor and an entry matches:
  - Flow-based inspection mode policy: the query goes on to the FortiGuard category-based domain filter for scanning and matching.
  - Proxy-based inspection mode policy: the query skips the FortiGuard category-based domain filter, the resolved address is returned directly to the client DNS resolver, and the resolution is logged.
- If the local domain filter list has no match, then the FortiGuard category-based domain filter is used. If the rating of the queried domain name belongs to a blocked category, the query is blocked and redirected. If the FortiGuard category-based filter has no match either, then the original resolved IP address is returned to the client DNS resolver.
A DNS filter profile can be applied in a policy to scan DNS traffic traversing the FortiGate (see Configuring a DNS filter profile), or applied on the DNS server interface (see Applying DNS filter to FortiGate DNS server).
In this example, a DNS filter profile is configured and applied to a firewall policy running proxy-based inspection mode.
To configure the local domain filter in the GUI:
1. Go to Security Profiles > DNS Filter and click Create New, or edit an existing profile.
2. Set Name to demo.
3. In the Static Domain Filter section, enable Domain Filter.
4. Click Create New. The Create Domain Filter pane opens.
5. Enter a domain, and select a Type and Action. This example has three filters:

   | Domain | Type | Action |
   |---|---|---|
   | www.fortinet.com | Simple | Allow |
   | *.example.com | Wildcard | Redirect to Block Portal |
   | google | Reg. Expression | Monitor |

6. Click OK. The entry appears in the table.
7. In the FortiGuard Category Based Filter table, set General Interest - Business > Search Engines and Portals to Redirect to Block Portal.
8. Configure the remaining settings as required.
9. Click OK.
To apply the DNS filter to a proxy-mode policy in the GUI:
1. Go to Policy & Objects > Firewall Policy and click Create New, or edit an existing policy.
2. Configure the Incoming Interface, Outgoing Interface, Source, Destination, and Service as required.
3. Set Inspection Mode to Proxy-based.
4. Enable DNS Filter and select the demo filter.
5. Set SSL Inspection to certificate-inspection.
6. Configure the remaining settings as required.
7. Click OK.
To configure the local domain filter in the CLI:
```
config dnsfilter domain-filter
    edit 1
        set name "demo"
        set comment ''
        config entries
            edit 1
                set domain "www.fortinet.com"
                set type simple
                set action allow
                set status enable
            next
            edit 2
                set domain "*.example.com"
                set type wildcard
                set action block
                set status enable
            next
            edit 3
                set domain "google"
                set type regex
                set action monitor
                set status enable
            next
        end
    next
end
config dnsfilter profile
    edit "demo"
        config domain-filter
            set domain-filter-table 1
        end
        config ftgd-dns
            config filters
                edit 23
                    set category 41
                    set action block
                next
            end
        end
    next
end
```
Wildcard entries are converted to regular expressions by FortiOS. As a result, wildcards will match any suffix, as long as there is a word boundary following the search term. For example, the entry

```
config entries
    edit 1
        set domain "*.host"
        set type wildcard
    next
end
```

will match any name in which ".host" is followed by a word boundary, not only names that end in .host. To avoid this, use an explicit regular expression search string:

```
config entries
    edit 1
        set domain "^.*\\.host$"
        set type regex
    next
end
```
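To make the precedence rules and the wildcard caveat concrete, here is an added Python model (not FortiOS code) that evaluates a query name against this page's three local entries and then a stand-in FortiGuard rating. The wildcard-to-regex conversion and the FortiGuard rating table are assumptions, constructed to reproduce the behaviour the text describes.

```python
import re

# Added model of this page's filter precedence (not FortiOS code): local
# static entries are checked in order first, then the FortiGuard category.
LOCAL_ENTRIES = [  # the three entries configured on this page
    {"domain": "www.fortinet.com", "type": "simple", "action": "allow"},
    {"domain": "*.example.com", "type": "wildcard", "action": "block"},
    {"domain": "google", "type": "regex", "action": "monitor"},
]
# Constructed stand-in for FortiGuard ratings; 41 (Search Engines and
# Portals) is the category the profile sets to block.
FGD_RATING = {"www.google.com": 41}
BLOCKED_CATEGORIES = {41}


def wildcard_to_regex(pattern):
    """Assumed reconstruction of the conversion the note describes: '*'
    becomes '.*' and only a word boundary must follow the search term,
    which is why '*.host' also matches 'www.host.com'."""
    return re.escape(pattern).replace(r"\*", ".*") + r"\b"


def entry_matches(entry, qname):
    """Test one local entry against a query name, case-insensitively."""
    kind, pattern = entry["type"], entry["domain"]
    if kind == "simple":
        return qname.lower() == pattern.lower()
    if kind == "wildcard":
        pattern = wildcard_to_regex(pattern)
    return re.search(pattern, qname, re.IGNORECASE) is not None


def evaluate(qname, inspection_mode="proxy"):
    """Return (action, reason) for a query under the page's precedence."""
    for idx, entry in enumerate(LOCAL_ENTRIES, start=1):
        if not entry_matches(entry, qname):
            continue
        if entry["action"] == "block":
            return "redirect", f"local entry {idx}"
        if entry["action"] == "allow":
            return "pass", f"local entry {idx}"
        # monitor: proxy mode returns the answer and logs it; flow mode
        # carries on to the FortiGuard category filter.
        if inspection_mode == "proxy":
            return "pass", f"local entry {idx} (monitor)"
        break
    category = FGD_RATING.get(qname)
    if category in BLOCKED_CATEGORIES:
        return "redirect", f"FortiGuard category {category}"
    return "pass", "no match"
```

Running `evaluate("www.google.com", "flow")` shows the monitor entry falling through to the blocked category, while the same name in proxy mode is passed and logged.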
To apply the DNS filter to a proxy-mode policy in the CLI:
```
config firewall policy
    edit 1
        set name "port3-port1"
        set srcintf "port3"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set inspection-mode proxy
        set ssl-ssh-profile "certificate-inspection"
        set dnsfilter-profile "demo"
        set logtraffic all
        set nat enable
    next
end
```
For a flow-mode policy example, see Local Domain Filter.
Testing and Verification
On a client computer, perform DNS lookup on the three domains:
| Domain | DNS query result | Log |
|---|---|---|
| www.fortinet.com | Allowed. Resolved to correct IP. | None |
| www.example.com | Blocked. Redirected to IP of block page. | Deny log |
| www.google.com | Allowed. Resolved to correct IP. | Allow log |
To check the DNS filter log in the GUI:
1. Go to Log & Report > Security Events.
2. Click the DNS Query card name to show the logs.
To check the DNS filter log in the CLI:
```
# execute log display
71 logs found.
10 logs returned.
1: date=2022-08-17 time=18:16:50 eventtime=1660785410733825945 tz="-0700" logid="1501054401" type="utm" subtype="dns" eventtype="dns-response" level="information" vd="root" policyid=3 poluuid="6b80057c-1e76-51ed-c629-5fe117f24362" policytype="policy" sessionid=820031 srcip=192.168.0.10 srcport=52674 srccountry="Reserved" srcintf="port3" srcintfrole="lan" dstip=8.8.8.8 dstport=53 dstcountry="United States" dstintf="port1" dstintfrole="wan" proto=17 profile="demo" xid=4352 qname="www.google.com" qtype="AAAA" qtypeval=28 qclass="IN" ipaddr="2607:f8b0:400a:803::2004" msg="Domain was allowed because it is in the domain-filter list" action="pass" domainfilteridx=1 domainfilterlist="demo"
2: date=2022-08-17 time=18:16:50 eventtime=1660785410718697625 tz="-0700" logid="1501054401" type="utm" subtype="dns" eventtype="dns-response" level="information" vd="root" policyid=3 poluuid="6b80057c-1e76-51ed-c629-5fe117f24362" policytype="policy" sessionid=820030 srcip=192.168.0.10 srcport=52673 srccountry="Reserved" srcintf="port3" srcintfrole="lan" dstip=8.8.8.8 dstport=53 dstcountry="United States" dstintf="port1" dstintfrole="wan" proto=17 profile="demo" xid=4096 qname="www.google.com" qtype="A" qtypeval=1 qclass="IN" ipaddr="172.217.14.228" msg="Domain was allowed because it is in the domain-filter list" action="pass" domainfilteridx=1 domainfilterlist="demo"
3: date=2022-08-17 time=18:16:40 eventtime=1660785401007448812 tz="-0700" logid="1501054400" type="utm" subtype="dns" eventtype="dns-response" level="warning" vd="root" policyid=3 poluuid="6b80057c-1e76-51ed-c629-5fe117f24362" policytype="policy" sessionid=820019 srcip=192.168.0.10 srcport=59950 srccountry="Reserved" srcintf="port3" srcintfrole="lan" dstip=8.8.8.8 dstport=53 dstcountry="United States" dstintf="port1" dstintfrole="wan" proto=17 profile="demo" xid=3840 qname="www.example.com" qtype="AAAA" qtypeval=28 qclass="IN" ipaddr="2620:101:9000:53::55" msg="Domain was blocked because it is in the domain-filter list" action="redirect" domainfilteridx=1 domainfilterlist="demo"
4: date=2022-08-17 time=18:16:40 eventtime=1660785401006872790 tz="-0700" logid="1501054400" type="utm" subtype="dns" eventtype="dns-response" level="warning" vd="root" policyid=3 poluuid="6b80057c-1e76-51ed-c629-5fe117f24362" policytype="policy" sessionid=820018 srcip=192.168.0.10 srcport=59949 srccountry="Reserved" srcintf="port3" srcintfrole="lan" dstip=8.8.8.8 dstport=53 dstcountry="United States" dstintf="port1" dstintfrole="wan" proto=17 profile="demo" xid=3584 qname="www.example.com" qtype="A" qtypeval=1 qclass="IN" ipaddr="208.91.112.55" msg="Domain was blocked because it is in the domain-filter list" action="redirect" domainfilteridx=1 domainfilterlist="demo"
```
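As an added example (not from the page or FortiOS), a small Python parser for the key=value format of these log lines that pulls out the redirected DNS responses and counts them per client. The sample lines are constructed, modelled on the output above with most fields trimmed.

```python
import re

# Constructed sample lines modelled on the "execute log display" output
# above (fields trimmed, values constructed; not captured from a device).
SAMPLE_LOGS = """\
1: date=2022-08-17 time=18:16:50 logid="1501054401" type="utm" subtype="dns" eventtype="dns-response" level="information" srcip=192.168.0.10 dstip=8.8.8.8 profile="demo" qname="www.google.com" qtype="A" msg="Domain was allowed because it is in the domain-filter list" action="pass" domainfilterlist="demo"
2: date=2022-08-17 time=18:16:40 logid="1501054400" type="utm" subtype="dns" eventtype="dns-response" level="warning" srcip=192.168.0.10 dstip=8.8.8.8 profile="demo" qname="www.example.com" qtype="A" msg="Domain was blocked because it is in the domain-filter list" action="redirect" domainfilterlist="demo"
3: date=2022-08-17 time=18:16:41 logid="1501054400" type="utm" subtype="dns" eventtype="dns-response" level="warning" srcip=192.168.0.11 dstip=8.8.8.8 profile="demo" qname="mail.example.com" qtype="A" msg="Domain was blocked because it is in the domain-filter list" action="redirect" domainfilterlist="demo"
4: date=2022-08-17 time=18:16:41 logid="1501054400" type="utm" subtype="dns" eventtype="dns-response" level="warning" srcip=192.168.0.11 dstip=8.8.8.8 profile="demo" qname="www.example.com" qtype="AAAA" msg="Domain was blocked because it is in the domain-filter list" action="redirect" domainfilterlist="demo"
"""

# key=value pairs; quoted values may contain spaces (for example msg=...).
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_log_line(line):
    """Parse one FortiOS log line into a dict of its key=value fields."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}


def redirected_queries(text):
    """Return (srcip, qname) for each DNS response the filter redirected."""
    hits = []
    for line in text.splitlines():
        rec = parse_log_line(line)
        if rec.get("subtype") == "dns" and rec.get("action") == "redirect":
            hits.append((rec["srcip"], rec["qname"]))
    return hits


def redirects_per_client(text):
    """Count redirected lookups per source IP, a simple way to spot a
    client that keeps resolving names in a blocked list or category."""
    counts = {}
    for srcip, _ in redirected_queries(text):
        counts[srcip] = counts.get(srcip, 0) + 1
    return counts
```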