DNS safe search

DNS safe search

Enable DNS Filter safe search so that FortiGate responds with the search engine’s children and school safe domain or IP address. Users might not be aware of this filter. Explicit contents are filtered by the search engine itself. This feature isn’t 100% accurate but it can help you avoid explicit and inappropriate search results.

This feature currently supports Google, Bing, and YouTube.

To configure DNS Filter Safe Search on GUI:

  1. Go to Security Profiles > DNS Filter and edit or create a DNS Filter.
  2. Enable Enforce ‘Safe search’ on Google, Bing, YouTube.
  3. For Restrict YouTube Access, select Strict or Moderate.

To configure DNS Filter Safe Search on CLI:

config dnsfilter profile edit “demo” config ftgd-dns set options error-allow config filters edit 2 set category 2

next

end

end set log-all-domain enable set block-botnet enable

set safe-search enable <<<==== DNS Filter Safe Search option

next

end

Sample

To see an example of how this works, enable this option. Then from your internal network PC, use a command line tool such as dig or nslookup to do a DNS query on www.bing.com. For example:

# dig www.bing.com

;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 46568

;; Flags: qr rd ra; QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 0

;; QUESTION SECTION:

;; www.bing.com.

;; ANSWER SECTION:

   IN  A  
www.bing.com. 103 IN  CNAME strict.bing.com. <<<====
strict.bing.com.  103 IN  A 204.79.197.220

;; Received 67 B

;; Time 2019-04-05 14:34:52 PDT

;; From 172.16.95.16@53(UDP) in 196.0 ms

The DNS query for www.bing.com returns with a CNAME strict.bing.com, and A record for the CNAME. The user’s web browser then connects to this address with the same search engine UI but any explicit content search is filtered out. Check the DNS Filter log for the message DNS Safe Search enforced.

To check the DNS Filter Safe Search log in the CLI:

1: date=2019-04-05 time=14:34:53 logid=”1501054804″ type=”utm” subtype=”dns” eventtype=”dnsresponse” level=”notice” vd=”vdom1″ eventtime=1554500093 policyid=1 sessionid=65955 srcipp=10.1.100.18 srcport=36575 srcintf=”port10″ srcintfrole=”undefined” dstip=172.16.95.16 dstport=53 dstintf=”port9″ dstintfrole=”undefined” proto=17 profile=”demo” xid=59573 qname=”www.bing.com” qtype=”A” qtypeval=1 qclass=”IN” ipaddr=”204.79.197.220″ msg=”DNS Safe Search enforced” action=”pass” sscname=”strict.bing.com” cat=41 catdesc=”Search Engines and Portals”

2: date=2019-04-05 time=14:34:53 logid=”1500054000″ type=”utm” subtype=”dns” eventtype=”dnsquery” level=”information” vd=”vdom1″ eventtime=1554500092 policyid=1 sessionid=65955 srcipp=10.1.100.18 srcport=36575 srcintf=”port10″ srcintfrole=”undefined” dstip=172.16.95.16 dstport=53 dstintf=”port9″ dstintfrole=”undefined” proto=17 profile=”demo” xid=59573 qname=”www.bing.com” qtype=”A” qtypeval=1 qclass=”IN”

Additional information

For each search engine’s safe search specifications, see its specification page:

This entry was posted in Administration Guides, FortiGate, FortiOS 6.2 on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.