FortiGuard category-based DNS domain filtering

You can use the FortiGuard category-based DNS Domain Filter to inspect DNS traffic. This makes use of FortiGuard’s continually updated domain rating database for more reliable protection.

To configure FortiGuard category-based DNS Domain Filter by GUI:

  1. Go to Security Profiles > DNS Filter and edit or create a DNS Filter.
  2. Enable FortiGuard Category Based Filter.
  3. Select the category and then select Allow, Monitor, or Block for that category.
  4. If you select Block, there are two options:
  • Redirect Portal IP. If the queried domain is blocked, FortiGate replaces the resolved IP in the DNS response packet with the portal IP. You can use the default portal IP 208.91.112.55 or click Specify to enter another portal IP.
  • Block. A blocked DNS query receives no response and the DNS client times out.

To configure FortiGuard category-based DNS Domain Filter by CLI:

config dnsfilter profile
    edit "demo"
        set comment ''
        config domain-filter
            unset domain-filter-table
        end
        config ftgd-dns
            set options error-allow
            config filters                        <<<==== FortiGuard Category Based Filter
                edit 2
                    set category 2
                    set action monitor
                next
                edit 7
                    set category 7
                    set action monitor
                next
                edit 22
                    set category 0
                    set action monitor
                next
            end
        end
        set log-all-domain enable
        set sdns-ftgd-err-log enable
        set sdns-domain-log enable
        set block-action redirect/block           <<<==== You can specify Block or Redirect
        set block-botnet enable
        set safe-search enable
        set redirect-portal 93.184.216.34         <<<==== Specify Redirect portal-IP.
        set redirect-portal6 ::
        set youtube-restrict strict
    next
end
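The two block actions above differ in what the client actually receives. The following is an added example, not code from the FortiOS guide or from Fortinet: it models the redirect and block behaviour on a DNS response constructed by hand, where the POLICY table stands in for the FortiGuard category verdict and every function name is this example's own. It handles both actions so the difference (rewritten A record versus no reply at all) can be compared directly.

```python
"""
Added example, not code from the FortiOS guide: a model of what the two
block-action settings (redirect and block) do to a DNS response.  The DNS
reply is constructed here by hand; POLICY stands in for the FortiGuard
category verdict and all function names are this example's own.
"""
import ipaddress
import struct
from typing import List, Optional

# Default redirect portal IP named in the guide.
DEFAULT_PORTAL = "208.91.112.55"

# Stand-in for the FortiGuard category verdict: domain -> "allow" or "block".
# (Constructed for this example; FortiOS derives this from the rating database.)
POLICY = {
    "www.example.com": "block",
    "www.good.example": "allow",
}


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels with a terminating zero length."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def decode_name(pkt: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:              # compression pointer
            if end is None:
                end = off + 2                  # resume after the 2-byte pointer
            off = ((length & 0x3F) << 8) | pkt[off + 1]
            continue
        if length == 0:
            off += 1
            break
        labels.append(pkt[off + 1:off + 1 + length].decode())
        off += 1 + length
    return ".".join(labels), (end if end is not None else off)


def build_response(name: str, ip: str, txid: int = 61252, ttl: int = 17164) -> bytes:
    """Construct a minimal DNS response: one question and one A answer."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # flags: qr rd ra
    question = encode_name(name) + struct.pack("!HH", 1, 1)       # type A, class IN
    answer = (b"\xc0\x0c"                                         # pointer to qname at offset 12
              + struct.pack("!HHIH", 1, 1, ttl, 4)
              + ipaddress.IPv4Address(ip).packed)
    return header + question + answer


def _answers(resp: bytes):
    """Yield (rtype, rdata_offset, rdlen) for each record in the answer section."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(resp, off)
        off += 4                                   # QTYPE + QCLASS
    for _ in range(an):
        _, off = decode_name(resp, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        yield rtype, off, rdlen
        off += rdlen


def answer_ips(resp: bytes) -> List[str]:
    """IPv4 addresses carried in the answer section."""
    return [str(ipaddress.IPv4Address(resp[o:o + 4]))
            for rtype, o, rdlen in _answers(resp) if rtype == 1 and rdlen == 4]


def filter_response(resp: bytes, block_action: str,
                    portal: str = DEFAULT_PORTAL) -> Optional[bytes]:
    """
    Apply the profile's block-action to a response for a blocked domain:
      redirect -> every A answer's rdata is replaced with the portal IP
      block    -> the response is dropped (None); the client times out
    Responses for allowed domains are returned unchanged.
    """
    qname, _ = decode_name(resp, 12)
    if POLICY.get(qname, "allow") != "block":
        return resp
    if block_action == "block":
        return None
    if block_action != "redirect":
        raise ValueError("block_action must be 'redirect' or 'block'")
    out = bytearray(resp)
    for rtype, off, rdlen in _answers(resp):
        if rtype == 1 and rdlen == 4:
            out[off:off + 4] = ipaddress.IPv4Address(portal).packed
    return bytes(out)


if __name__ == "__main__":
    reply = build_response("www.example.com", "93.184.216.34")
    print("original :", answer_ips(reply))
    print("redirect :", answer_ips(filter_response(reply, "redirect")))
    print("block    :", filter_response(reply, "block"))
```

With redirect, the transaction id, question and record layout are untouched and only the 4-byte rdata changes, which is why a client sees a normal-looking answer pointing at the portal; with block, nothing is returned and the resolver library retries until it times out.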

Sample

To see how this works, from a PC on your internal network use a command line tool such as dig or nslookup to query DNS for some domains, for example:

# dig www.example.com

;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 61252
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 13; ADDITIONAL: 11

;; QUESTION SECTION:
;; www.example.com.  IN  A

;; ANSWER SECTION:
www.example.com.  17164  IN  A  93.184.216.34

;; AUTHORITY SECTION:
com.  20027  IN  NS  h.gtld-servers.net.
com.  20027  IN  NS  i.gtld-servers.net.
com.  20027  IN  NS  f.gtld-servers.net.
com.  20027  IN  NS  d.gtld-servers.net.
com.  20027  IN  NS  j.gtld-servers.net.
com.  20027  IN  NS  l.gtld-servers.net.
com.  20027  IN  NS  e.gtld-servers.net.
com.  20027  IN  NS  a.gtld-servers.net.
com.  20027  IN  NS  k.gtld-servers.net.
com.  20027  IN  NS  g.gtld-servers.net.
com.  20027  IN  NS  m.gtld-servers.net.
com.  20027  IN  NS  c.gtld-servers.net.
com.  20027  IN  NS  b.gtld-servers.net.

;; ADDITIONAL SECTION:
a.gtld-servers.net.  21999  IN  A     192.5.6.30
a.gtld-servers.net.  21999  IN  AAAA  2001:503:a83e::2:30
b.gtld-servers.net.  21997  IN  A     192.33.14.30
b.gtld-servers.net.  21997  IN  AAAA  2001:503:231d::2:30
c.gtld-servers.net.  21987  IN  A     192.26.92.30
c.gtld-servers.net.  20929  IN  AAAA  2001:503:83eb::30
d.gtld-servers.net.  3340   IN  A     192.31.80.30
d.gtld-servers.net.  3340   IN  AAAA  2001:500:856e::30
e.gtld-servers.net.  19334  IN  A     192.12.94.30
e.gtld-servers.net.  19334  IN  AAAA  2001:502:1ca1::30
f.gtld-servers.net.  3340   IN  A     192.35.51.30

;; Received 509 B
;; Time 2019-04-05 09:39:33 PDT
;; From 172.16.95.16@53(UDP) in 3.8 ms

To check the DNS filter log in the GUI:

  1. Go to Log & Report > DNS Query to view the DNS traffic that just traversed the FortiGate and the FortiGuard rating for the domain name.

To check the DNS log in the CLI:

# execute log filter category utm-dns
# execute log display
2 logs found.
2 logs returned.

1: date=2019-04-05 time=09:39:34 logid="1501054802" type="utm" subtype="dns" eventtype="dnsresponse" level="notice" vd="vdom1" eventtime=1554482373 policyid=1 sessionid=50868 srcip=10.1.100.18 srcport=34308 srcintf="port10" srcintfrole="undefined" dstip=172.16.95.16 dstport=53 dstintf="port9" dstintfrole="undefined" proto=17 profile="demo" xid=17647 qname="www.example.com" qtype="A" qtypeval=1 qclass="IN" ipaddr="93.184.216.34" msg="Domain is monitored" action="pass" cat=52 catdesc="Information Technology"

2: date=2019-04-05 time=09:39:34 logid="1500054000" type="utm" subtype="dns" eventtype="dnsquery" level="information" vd="vdom1" eventtime=1554482373 policyid=1 sessionid=50868 srcip=10.1.100.18 srcport=34308 srcintf="port10" srcintfrole="undefined" dstip=172.16.95.16 dstport=53 dstintf="port9" dstintfrole="undefined" proto=17 profile="demo" xid=17647 qname="www.example.com" qtype="A" qtypeval=1 qclass="IN"
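Each lookup produces a dnsquery event and, unless the block action drops the reply, a dnsresponse event sharing the same xid. The following is an added example, not code from the FortiOS guide or from Fortinet: it parses the key=value log lines above, pairs query and response by xid, and classifies each transaction so filtered lookups stand out in a log review. The third sample line is constructed for this example and its field values for a redirected lookup are assumptions; the helper names are this example's own.

```python
"""
Added example, not part of the FortiOS guide: parse the key=value DNS filter
log lines shown above and pair each dnsquery with its dnsresponse by xid,
so blocked or redirected lookups stand out.  Function names are this
example's own.
"""
import shlex
from collections import defaultdict

# Default redirect portal IP from the guide; a response carrying it means the
# resolved address was replaced by the filter.
REDIRECT_PORTAL = "208.91.112.55"

# The two lines from the guide, plus one constructed line (xid 17648) that shows
# what a redirected lookup might look like; its field values are assumptions.
SAMPLE_LOG = [
    'date=2019-04-05 time=09:39:34 logid="1501054802" type="utm" subtype="dns" eventtype="dnsresponse" level="notice" vd="vdom1" eventtime=1554482373 policyid=1 sessionid=50868 srcip=10.1.100.18 srcport=34308 srcintf="port10" srcintfrole="undefined" dstip=172.16.95.16 dstport=53 dstintf="port9" dstintfrole="undefined" proto=17 profile="demo" xid=17647 qname="www.example.com" qtype="A" qtypeval=1 qclass="IN" ipaddr="93.184.216.34" msg="Domain is monitored" action="pass" cat=52 catdesc="Information Technology"',
    'date=2019-04-05 time=09:39:34 logid="1500054000" type="utm" subtype="dns" eventtype="dnsquery" level="information" vd="vdom1" eventtime=1554482373 policyid=1 sessionid=50868 srcip=10.1.100.18 srcport=34308 srcintf="port10" srcintfrole="undefined" dstip=172.16.95.16 dstport=53 dstintf="port9" dstintfrole="undefined" proto=17 profile="demo" xid=17647 qname="www.example.com" qtype="A" qtypeval=1 qclass="IN"',
    # constructed: a redirected lookup (values assumed, not taken from the guide)
    'date=2019-04-05 time=09:40:01 logid="1501054802" type="utm" subtype="dns" eventtype="dnsresponse" level="warning" vd="vdom1" policyid=1 sessionid=50871 srcip=10.1.100.18 srcport=34310 dstip=172.16.95.16 dstport=53 proto=17 profile="demo" xid=17648 qname="blocked.example" qtype="A" qtypeval=1 qclass="IN" ipaddr="208.91.112.55" msg="Domain is blocked" action="redirect" cat=0 catdesc="Unrated"',
]


def parse_log_line(line: str) -> dict:
    """Split a FortiOS log line into a dict; shlex strips the value quotes."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def pair_by_xid(lines) -> dict:
    """Group DNS query/response events by DNS transaction id (xid)."""
    txns = defaultdict(dict)
    for line in lines:
        rec = parse_log_line(line)
        if rec.get("subtype") != "dns" or "xid" not in rec:
            continue
        txns[rec["xid"]][rec.get("eventtype", "")] = rec
    return dict(txns)


def classify(txn: dict) -> str:
    """
    Return 'allowed', 'monitored', 'filtered' or 'no-response'.
    A transaction counts as filtered when the response action is not pass or
    when the answer address is the redirect portal; a query with no response
    is what block-action block produces (the client times out).
    """
    resp = txn.get("dnsresponse")
    if resp is None:
        return "no-response"
    if resp.get("action") != "pass" or resp.get("ipaddr") == REDIRECT_PORTAL:
        return "filtered"
    if "monitored" in resp.get("msg", "").lower():
        return "monitored"
    return "allowed"


def summarize(lines) -> dict:
    """Map xid -> (qname, classification, FortiGuard category description)."""
    out = {}
    for xid, txn in pair_by_xid(lines).items():
        rec = txn.get("dnsresponse") or txn.get("dnsquery")
        out[xid] = (rec["qname"], classify(txn), rec.get("catdesc", ""))
    return out


if __name__ == "__main__":
    for xid, (qname, verdict, catdesc) in summarize(SAMPLE_LOG).items():
        print(f"xid={xid} {qname:<20} {verdict:<12} {catdesc}")
```

When the profile uses block-action block, only the dnsquery event appears for a filtered domain, so the no-response bucket is the one to watch in that configuration; with redirect, the response is logged and the portal address in ipaddr is the clearest signal.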

This entry was posted in Administration Guides, FortiGate, FortiOS 6.2.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
