Botnet C&C domain blocking


FortiGuard Service continually updates the botnet C&C domain list (Domain DB). The botnet C&C domain blocking feature blocks access to botnet websites at the DNS name-resolution stage, before any connection to the C&C host is attempted. This provides an additional layer of protection for your network.

To configure botnet C&C domain blocking in the GUI:

  1. Go to Security Profiles > DNS Filter and edit or create a DNS Filter.
  2. Enable Redirect botnet C&C requests to Block Portal.
  3. Click the botnet package link to see the latest botnet C&C domain list.

Sample

To see an example of how this works, select a botnet domain from that list. Then, from a PC on your internal network, use a command line tool such as dig or nslookup to send a DNS query that traverses the FortiGate, and observe the query being blocked as a botnet domain. For example:

# dig canind.co

;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 997
;; Flags: qr rd; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 0

;; QUESTION SECTION:
;; canind.co.                   IN      A

;; ANSWER SECTION:
canind.co.   60    IN   A   208.91.112.55   <<<==== botnet domain query: blocked, redirected to the portal IP

;; Received 43 B

;; Time 2019-04-05 09:55:21 PDT
;; From 172.16.95.16@53(UDP) in 0.3 ms

To check the DNS filter log in the GUI:

  1. Go to Log & Report > DNS Query to view the DNS query blocked as a botnet domain.

To check the DNS filter log in the CLI:

FGT600D (vdom1) # exe log filter category utm-dns

FGT600D (vdom1) # exe log display

2 logs found.

2 logs returned.

1: date=2019-04-04 time=16:43:59 logid="1501054601" type="utm" subtype="dns" eventtype="dnsresponse" level="warning" vd="vdom1" eventtime=1554421439 policyid=1 sessionid=14135 srcip=10.1.100.18 srcport=57447 srcintf="port10" srcintfrole="undefined" dstip=172.16.95.16 dstport=53 dstintf="port9" dstintfrole="undefined" proto=17 profile="demo" xid=24339 qname="canind.co" qtype="A" qtypeval=1 qclass="IN" msg="Domain was blocked by dns botnet C&C" action="redirect" botnetdomain="canind.co"

2: date=2019-04-04 time=16:43:59 logid="1500054000" type="utm" subtype="dns" eventtype="dnsquery" level="information" vd="vdom1" eventtime=1554421439 policyid=1 sessionid=14135 srcip=10.1.100.18 srcport=57447 srcintf="port10" srcintfrole="undefined" dstip=172.16.95.16 dstport=53 dstintf="port9" dstintfrole="undefined" proto=17 profile="demo" xid=24339 qname="canind.co" qtype="A" qtypeval=1 qclass="IN"
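The two log entries above are the evidence a SOC analyst actually needs: the dnsresponse record carries botnetdomain and action=redirect, while the dnsquery record only shows the lookup. The following is an added example, not part of the Fortinet guide or FortiOS itself: a small parser for the key=value log format shown above that pulls out only the botnet C&C block events (client IP, domain, action, policy) for alerting or for feeding a SIEM. The sample lines are constructed copies of the entries above.

```python
import re
from typing import Dict, List

# Constructed sample lines, modelled on the two utm-dns entries shown above
# (the "N: " prefix is what "exe log display" prepends in the CLI).
SAMPLE_LOGS = [
    '1: date=2019-04-04 time=16:43:59 logid="1501054601" type="utm" subtype="dns" '
    'eventtype="dnsresponse" level="warning" vd="vdom1" eventtime=1554421439 policyid=1 '
    'sessionid=14135 srcip=10.1.100.18 srcport=57447 srcintf="port10" dstip=172.16.95.16 '
    'dstport=53 proto=17 profile="demo" xid=24339 qname="canind.co" qtype="A" qclass="IN" '
    'msg="Domain was blocked by dns botnet C&C" action="redirect" botnetdomain="canind.co"',
    '2: date=2019-04-04 time=16:43:59 logid="1500054000" type="utm" subtype="dns" '
    'eventtype="dnsquery" level="information" vd="vdom1" eventtime=1554421439 policyid=1 '
    'sessionid=14135 srcip=10.1.100.18 srcport=57447 srcintf="port10" dstip=172.16.95.16 '
    'dstport=53 proto=17 profile="demo" xid=24339 qname="canind.co" qtype="A" qclass="IN"',
]

# key=value pairs: the value is either double-quoted (may contain spaces and '&')
# or a bare token that runs up to the next whitespace.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Parse one FortiOS key=value log line into a dict of string fields."""
    line = re.sub(r"^\d+:\s*", "", line.strip())  # drop the CLI's "1: " index
    fields: Dict[str, str] = {}
    for key, quoted, bare in _KV.findall(line):
        fields[key] = bare if bare else quoted  # findall yields "" for the unmatched branch
    return fields


def botnet_block_events(lines: List[str]) -> List[Dict[str, str]]:
    """Return only the utm-dns records where the DNS filter hit a botnet C&C domain."""
    events = []
    for line in lines:
        f = parse_fortigate_log(line)
        # Only the dnsresponse record carries botnetdomain; the matching dnsquery does not.
        if f.get("subtype") == "dns" and f.get("botnetdomain"):
            events.append({
                "time": f"{f.get('date', '')} {f.get('time', '')}",
                "client": f.get("srcip", ""),
                "domain": f["botnetdomain"],
                "action": f.get("action", ""),
                "policyid": f.get("policyid", ""),
                "sessionid": f.get("sessionid", ""),  # lets you join back to the dnsquery record
            })
    return events


if __name__ == "__main__":
    for ev in botnet_block_events(SAMPLE_LOGS):
        print(f"{ev['time']} client {ev['client']} -> {ev['domain']} ({ev['action']}, policy {ev['policyid']})")
```

The sessionid (and xid) are shared by the dnsquery and dnsresponse records, so they can be used to correlate the pair when both are forwarded to a log server.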

This entry was posted in Administration Guides, FortiGate, FortiOS 6.2.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
