Local domain filter

Local domain filter

In addition to FortiGuard’s category-based domain filter, you can also can define your own local static domain filter to allow or block specific domains.

To configure DNS local domain filter on GUI:

  1. Go to Security Profiles > DNS Filter and edit or create a DNS Filter.
  2. In the Static Domain Filter section, enable Domain Filter.
  3. Click Create New to create your local domain filter entries.

To configure DNS local domain filter on CLI:

config dnsfilter domain-filter edit 1 set name “demo” set comment ” config entries edit 1 set domain “www.fortinet.com”

set type simple set action allow set status enable

next edit 2 set domain “*.example.com” set type wildcard set action block set status enable

next edit 3 set domain “google” set type regex set action monitor set status enable

next

end

next

end

To check the DNS local domain filter log in the GUI:

  1. Go to Log & Report > DNS Query to view the DNS query log.

Since the local domain list “google” action is Monitor, it’s blocked by FortiGuard category-based domain filter.

To check the DNS local domain filter log in the CLI:

7: date=2019-04-05 time=15:37:06 logid=”1501054803″ type=”utm” subtype=”dns” eventtype=”dnsresponse” level=”warning” vd=”vdom1″ eventtime=1554503826 policyid=1 sessionid=69132 srcipp=10.1.100.18 srcport=49832 srcintf=”port10″ srcintfrole=”undefined” dstip=172.16.95.16 dstport=53 dstintf=”port9″ dstintfrole=”undefined” proto=17 profile=”demo” xid=4612 qname=”www.google.com” qtype=”A” qtypeval=1 qclass=”IN” ipaddr=”208.91.112.55″ msg=”Domain belongs to a denied category in policy” action=”redirect” cat=41 catdesc=”Search Engines and Portals”

8: date=2019-04-05 time=15:37:06 logid=”1500054000″ type=”utm” subtype=”dns” eventtype=”dnsquery” level=”information” vd=”vdom1″ eventtime=1554503826 policyid=1 sessionid=69132 srcipp=10.1.100.18 srcport=49832 srcintf=”port10″ srcintfrole=”undefined” dstip=172.16.95.16 dstport=53 dstintf=”port9″ dstintfrole=”undefined” proto=17 profile=”demo” xid=4612 qname=”www.google.com” qtype=”A” qtypeval=1 qclass=”IN”

9: date=2019-04-05 time=15:36:59 logid=”1501054400″ type=”utm” subtype=”dns” eventtype=”dnsresponse” level=”warning” vd=”vdom1″ eventtime=1554503818 policyid=1 sessionid=69121 srcipp=10.1.100.18 srcport=40659 srcintf=”port10″ srcintfrole=”undefined” dstip=172.16.95.16 dstport=53 dstintf=”port9″ dstintfrole=”undefined” proto=17 profile=”demo” xid=24730 qname=”www.example.com” qtype=”A” qtypeval=1 qclass=”IN” msg=”Domain was blocked because it is in the domain-filter list” action=”redirect” domainfilteridx=1 domainfilterlist=”demo”

10: date=2019-04-05 time=15:36:59 logid=”1500054000″ type=”utm” subtype=”dns” eventtype=”dnsquery” level=”information” vd=”vdom1″ eventtime=1554503818 policyid=1 sessionid=69121 srcipp=10.1.100.18 srcport=40659 srcintf=”port10″ srcintfrole=”undefined” dstip=172.16.95.16 dstport=53 dstintf=”port9″ dstintfrole=”undefined” proto=17 profile=”demo” xid=24730 qname=”www.example.com” qtype=”A” qtypeval=1 qclass=”IN”

11: date=2019-04-05 time=15:36:51 logid=”1501054401″ type=”utm” subtype=”dns” eventtype=”dnsresponse” level=”information” vd=”vdom1″ eventtime=1554503810 policyid=1 sessionid=69118 srcipp=10.1.100.18 srcport=33461 srcintf=”port10″ srcintfrole=”undefined” dstip=172.16.95.16 dstport=53 dstintf=”port9″ dstintfrole=”undefined” proto=17 profile=”demo” xid=53801 qname=”www.fortinet.com” qtype=”A” qtypeval=1 qclass=”IN” ipaddr=”13.56.55.78, 54.183.57.55″ msg=”Domain was allowed because it is in the domain-filter list” action=”pass” domainfilteridx=1 domainfilterlist=”demo”

12: date=2019-04-05 time=15:36:51 logid=”1500054000″ type=”utm” subtype=”dns” eventtype=”dnsquery” level=”information” vd=”vdom1″ eventtime=1554503810 policyid=1 sessionid=69118 srcipp=10.1.100.18 srcport=33461 srcintf=”port10″ srcintfrole=”undefined” dstip=172.16.95.16 dstport=53 dstintf=”port9″ dstintfrole=”undefined” proto=17 profile=”demo” xid=53801 qname=”www.fortinet.com” qtype=”A” qtypeval=1 qclass=”IN”

Sequence and priority

In DNS Filter, local domain filter has a higher priority than FortiGuard category-based domain filter.

A DNS query is scanned and matched with local domain filter first. If an entry matches and the local filter entry’s action is block, then that DNS query is blocked or redirected.

If local domain filter list has no match, then the FortiGuard category-based domain filter is used. If a DNS query domain name rating belongs to the block category, this query is blocked or redirected. If the FortiGuard category-based filter has no match, then the original resolved IP address is returned to the client DNS resolver.

The local domain filter action can be Block, Allow, or Monitor. If the local domain filter action is Allow and an entry matches, it will skip the FortiGuard category-based domain filter and directly return to client DNS resolver. If the local domain filter action is Monitor and an entry matches, it will go to FortiGuard category-based domain filter scanning and matching.

This entry was posted in Administration Guides, FortiGate, FortiOS 6.2 on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.