Author Archives: Mike

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

DNS translation

DNS translation

Using this feature, you can translate a DNS resolved IP address to another IP address you specify.

For example, website A has a public address 1.2.3.4. However, when your internal network users visit this website, you want them to connect to an internal host, say, 192.168.3.4. In this case, you can use DNS translation to translate the DNS resolved address 1.2.3.4 to 192.168.3.4. Reverse use of DNS translation is also applicable, for example, if you want public DNS query of your internal server to get a public IP address, then you can translate a DNS resolved private IP to a public IP address.

Sample configuration

This example configuration forces the DNS Filter profile to translate 93.184.216.34 (www.example.com) to 192.168.3.4. So when internal network users do DNS query for www.example.com, they do not get the original www.example.com IP of 93.184.216.34. It will be replaced with 192.168.3.4.

To configure DNS translation on GUI:

  1. Go to Security Profiles > DNS Filter and edit or create a DNS Filter profile.
  2. Enable DNS Translation and click Create New.
  3. Enter the Original Destination (the domain’s original IP address), the Translated Destination IP address, and the Network Mask (in most cases, it’s 255.255.255.255).

To configure DNS translation on CLI:

config dnsfilter profile edit “demo” set comment ” … config dns-translation  <<<==== edit 1 set src 93.184.216.34 set dst 192.168.3.4

set netmask 255.255.255.255

next

end set redirect-portal 0.0.0.0 set redirect-portal6 ::

set youtube-restrict strict

next

end

To check DNS translation using a command line tool before DNS translation:

# dig www.example.com

;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 27030

;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 2; ADDITIONAL: 0

;; QUESTION SECTION:        
;; www.example.com.

;; ANSWER SECTION:

  IN  A  
www.example.com.

;; AUTHORITY SECTION:

 33946 IN  A 93.184.216.34
example.com.  18578 IN  NS  b.iana-servers.net.
example.com.  18578 IN  NS  a.iana-servers.net.

;; Received 97 B

;; Time 2019-04-08 10:47:26 PDT

;; From 172.16.95.16@53(UDP) in 0.5 ms

To check DNS translation using a command line tool after DNS translation:

# dig www.example.com

;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 62060

;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 2; ADDITIONAL: 0

;; QUESTION SECTION:        
;; www.example.com.

;; ANSWER SECTION:

  IN  A  
www.example.com. into 192.168.3.4

;; AUTHORITY SECTION:

 32491 IN  A 192.168.3.4  <<<==== resolved IP translated
example.com.  17123 IN  NS  b.iana-servers.net.
example.com.  17123 IN  NS  a.iana-servers.net.

;; Received 97 B

;; Time 2019-04-08 11:11:41 PDT

;; From 172.16.95.16@53(UDP) in 0.5 ms

How DNS translation network mask work

The following is an example of DNS translation and result.

config dns-translation edit 1

set src 93.184.216.34

set dst 1.2.3.4

set netmask 255.255.224.0 next

end

# dig www.example.com

;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 6736

;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 2; ADDITIONAL: 0

;; QUESTION SECTION:        
;; www.example.com.

;; ANSWER SECTION:

  IN  A  
www.example.com.

;; AUTHORITY SECTION:

 29322 IN  A 1.2.24.34
example.com.  13954 IN  NS  a.iana-servers.net.
example.com.  13954 IN  NS  b.iana-servers.net.

;; Received 97 B

;; Time 2019-04-08 12:04:30 PDT

;; From 172.16.95.16@53(UDP) in 2.0 ms

  • AND src(Orginal IP) with negative netmask (93.184.216.34 & ~255.255.224.0)

01011101.10111000.11011000.00100010 93.184.216.34 <– ip

00000000.00000000.00011111.11111111 ~255.255.224.0 <– ~netmask

——————————————————– &

00000000.00000000.00011000.00100010 0.0.24.34 <- right bits

  • AND dst(Translated IP) with netmask

00000001.00000010.00000011.00000100 1.2.3.4 <- dst

11111111.11111111.11100000.00000000 255.255.224.0 <- netmask

——————————————————– & 00000001.00000010.00000000.00000000 1.2.0.0 <- left bits

  • Final step 2 bitwise-OR 3:

00000000.00000000.00011000.00100010 0.0.24.34

00000001.00000010.00000000.00000000 1.2.0.0

——————————————————– | 00000001.00000010.00011000.00100010 1.2.24.34

Local domain filter

Local domain filter

In addition to FortiGuard’s category-based domain filter, you can also can define your own local static domain filter to allow or block specific domains.

To configure DNS local domain filter on GUI:

  1. Go to Security Profiles > DNS Filter and edit or create a DNS Filter.
  2. In the Static Domain Filter section, enable Domain Filter.
  3. Click Create New to create your local domain filter entries.

To configure DNS local domain filter on CLI:

config dnsfilter domain-filter edit 1 set name “demo” set comment ” config entries edit 1 set domain “www.fortinet.com”

set type simple set action allow set status enable

next edit 2 set domain “*.example.com” set type wildcard set action block set status enable

next edit 3 set domain “google” set type regex set action monitor set status enable

next

end

next

end

To check the DNS local domain filter log in the GUI:

  1. Go to Log & Report > DNS Query to view the DNS query log.

Since the local domain list “google” action is Monitor, it’s blocked by FortiGuard category-based domain filter.

To check the DNS local domain filter log in the CLI:

7: date=2019-04-05 time=15:37:06 logid=”1501054803″ type=”utm” subtype=”dns” eventtype=”dnsresponse” level=”warning” vd=”vdom1″ eventtime=1554503826 policyid=1 sessionid=69132 srcipp=10.1.100.18 srcport=49832 srcintf=”port10″ srcintfrole=”undefined” dstip=172.16.95.16 dstport=53 dstintf=”port9″ dstintfrole=”undefined” proto=17 profile=”demo” xid=4612 qname=”www.google.com” qtype=”A” qtypeval=1 qclass=”IN” ipaddr=”208.91.112.55″ msg=”Domain belongs to a denied category in policy” action=”redirect” cat=41 catdesc=”Search Engines and Portals”

8: date=2019-04-05 time=15:37:06 logid=”1500054000″ type=”utm” subtype=”dns” eventtype=”dnsquery” level=”information” vd=”vdom1″ eventtime=1554503826 policyid=1 sessionid=69132 srcipp=10.1.100.18 srcport=49832 srcintf=”port10″ srcintfrole=”undefined” dstip=172.16.95.16 dstport=53 dstintf=”port9″ dstintfrole=”undefined” proto=17 profile=”demo” xid=4612 qname=”www.google.com” qtype=”A” qtypeval=1 qclass=”IN”

9: date=2019-04-05 time=15:36:59 logid=”1501054400″ type=”utm” subtype=”dns” eventtype=”dnsresponse” level=”warning” vd=”vdom1″ eventtime=1554503818 policyid=1 sessionid=69121 srcipp=10.1.100.18 srcport=40659 srcintf=”port10″ srcintfrole=”undefined” dstip=172.16.95.16 dstport=53 dstintf=”port9″ dstintfrole=”undefined” proto=17 profile=”demo” xid=24730 qname=”www.example.com” qtype=”A” qtypeval=1 qclass=”IN” msg=”Domain was blocked because it is in the domain-filter list” action=”redirect” domainfilteridx=1 domainfilterlist=”demo”

10: date=2019-04-05 time=15:36:59 logid=”1500054000″ type=”utm” subtype=”dns” eventtype=”dnsquery” level=”information” vd=”vdom1″ eventtime=1554503818 policyid=1 sessionid=69121 srcipp=10.1.100.18 srcport=40659 srcintf=”port10″ srcintfrole=”undefined” dstip=172.16.95.16 dstport=53 dstintf=”port9″ dstintfrole=”undefined” proto=17 profile=”demo” xid=24730 qname=”www.example.com” qtype=”A” qtypeval=1 qclass=”IN”

11: date=2019-04-05 time=15:36:51 logid=”1501054401″ type=”utm” subtype=”dns” eventtype=”dnsresponse” level=”information” vd=”vdom1″ eventtime=1554503810 policyid=1 sessionid=69118 srcipp=10.1.100.18 srcport=33461 srcintf=”port10″ srcintfrole=”undefined” dstip=172.16.95.16 dstport=53 dstintf=”port9″ dstintfrole=”undefined” proto=17 profile=”demo” xid=53801 qname=”www.fortinet.com” qtype=”A” qtypeval=1 qclass=”IN” ipaddr=”13.56.55.78, 54.183.57.55″ msg=”Domain was allowed because it is in the domain-filter list” action=”pass” domainfilteridx=1 domainfilterlist=”demo”

12: date=2019-04-05 time=15:36:51 logid=”1500054000″ type=”utm” subtype=”dns” eventtype=”dnsquery” level=”information” vd=”vdom1″ eventtime=1554503810 policyid=1 sessionid=69118 srcipp=10.1.100.18 srcport=33461 srcintf=”port10″ srcintfrole=”undefined” dstip=172.16.95.16 dstport=53 dstintf=”port9″ dstintfrole=”undefined” proto=17 profile=”demo” xid=53801 qname=”www.fortinet.com” qtype=”A” qtypeval=1 qclass=”IN”

Sequence and priority

In DNS Filter, local domain filter has a higher priority than FortiGuard category-based domain filter.

A DNS query is scanned and matched with local domain filter first. If an entry matches and the local filter entry’s action is block, then that DNS query is blocked or redirected.

If local domain filter list has no match, then the FortiGuard category-based domain filter is used. If a DNS query domain name rating belongs to the block category, this query is blocked or redirected. If the FortiGuard category-based filter has no match, then the original resolved IP address is returned to the client DNS resolver.

The local domain filter action can be Block, Allow, or Monitor. If the local domain filter action is Allow and an entry matches, it will skip the FortiGuard category-based domain filter and directly return to client DNS resolver. If the local domain filter action is Monitor and an entry matches, it will go to FortiGuard category-based domain filter scanning and matching.

DNS safe search

DNS safe search

Enable DNS Filter safe search so that FortiGate responds with the search engine’s children and school safe domain or IP address. Users might not be aware of this filter. Explicit contents are filtered by the search engine itself. This feature isn’t 100% accurate but it can help you avoid explicit and inappropriate search results.

This feature currently supports Google, Bing, and YouTube.

To configure DNS Filter Safe Search on GUI:

  1. Go to Security Profiles > DNS Filter and edit or create a DNS Filter.
  2. Enable Enforce ‘Safe search’ on Google, Bing, YouTube.
  3. For Restrict YouTube Access, select Strict or Moderate.

To configure DNS Filter Safe Search on CLI:

config dnsfilter profile edit “demo” config ftgd-dns set options error-allow config filters edit 2 set category 2

next

end

end set log-all-domain enable set block-botnet enable

set safe-search enable <<<==== DNS Filter Safe Search option

next

end

Sample

To see an example of how this works, enable this option. Then from your internal network PC, use a command line tool such as dig or nslookup to do a DNS query on www.bing.com. For example:

# dig www.bing.com

;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 46568

;; Flags: qr rd ra; QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 0

;; QUESTION SECTION:

;; www.bing.com.

;; ANSWER SECTION:

   IN  A  
www.bing.com. 103 IN  CNAME strict.bing.com. <<<====
strict.bing.com.  103 IN  A 204.79.197.220

;; Received 67 B

;; Time 2019-04-05 14:34:52 PDT

;; From 172.16.95.16@53(UDP) in 196.0 ms

The DNS query for www.bing.com returns with a CNAME strict.bing.com, and A record for the CNAME. The user’s web browser then connects to this address with the same search engine UI but any explicit content search is filtered out. Check the DNS Filter log for the message DNS Safe Search enforced.

To check the DNS Filter Safe Search log in the CLI:

1: date=2019-04-05 time=14:34:53 logid=”1501054804″ type=”utm” subtype=”dns” eventtype=”dnsresponse” level=”notice” vd=”vdom1″ eventtime=1554500093 policyid=1 sessionid=65955 srcipp=10.1.100.18 srcport=36575 srcintf=”port10″ srcintfrole=”undefined” dstip=172.16.95.16 dstport=53 dstintf=”port9″ dstintfrole=”undefined” proto=17 profile=”demo” xid=59573 qname=”www.bing.com” qtype=”A” qtypeval=1 qclass=”IN” ipaddr=”204.79.197.220″ msg=”DNS Safe Search enforced” action=”pass” sscname=”strict.bing.com” cat=41 catdesc=”Search Engines and Portals”

2: date=2019-04-05 time=14:34:53 logid=”1500054000″ type=”utm” subtype=”dns” eventtype=”dnsquery” level=”information” vd=”vdom1″ eventtime=1554500092 policyid=1 sessionid=65955 srcipp=10.1.100.18 srcport=36575 srcintf=”port10″ srcintfrole=”undefined” dstip=172.16.95.16 dstport=53 dstintf=”port9″ dstintfrole=”undefined” proto=17 profile=”demo” xid=59573 qname=”www.bing.com” qtype=”A” qtypeval=1 qclass=”IN”

Additional information

For each search engine’s safe search specifications, see its specification page:

External Resources for DNS filter

External Resources for DNS filter

Introduction

External Resources is a new feature introduced in FortiOS 6.0. It provides a capability to dynamically import an external blacklist into an HTTP server. This feature enables FortiGate to retrieve a dynamic URL/Domain Name/IP

Address/Malware hash list from an external HTTP server periodically. FortiGate uses these external resources as Web Filter’s remote categories, DNS filter’s remote categories, policy address objects, or antivirus profile’s malware definitions. If external resources are updated, FortiGate objects are also updated dynamically.

External Resource is divided into four types:

l URL list (Type=category) l Domain Name List (Type=domain) l IP Address list (Type=address) l Malware hash list (Type=malware)

Remote categories and external IP block list

The DNS Filter profile can use two types of external resources: domain type and address type. Domain type resources file is a domain name list and address type resources file is an IP address list.

When a domain type external resource is configured, it is treated as a Remote Category in DNS Filter profile. If the domain name in DNS Query matches the entry in this external resource file, it is treated as the Remote Category and follows the action configured for this category in DNS Filter profile.

When an address type external resource is configured, it can be enabled as external-ip-blocklist in DNS Filter profile. If DNS resolved IP address in DNS response matches the entry in the external-ip-blocklist, this DNS Query is blocked by DNS Filter.

External Resources file format

File format requirements for External Resources file:

  • The file is in plain text format with each URL list/IP Address/Domain Name occupying one line.
  • The file is limited to 10 MB, and each line is limited to 128 KB (128 X 1024 entries). Line length limit is 4 KB characters.
  • The entry limit also follows the table size limitation defined by CMDB per model.
  • The External Resources update period can be set to 1 minute, hourly, daily, weekly, or monthly (43200 min, 30 days).
  • The External Resources type as category (URL list) and domain (Domain Name list) share the category number

range 192-221 (total of 30 categories).

  • There is no duplicated entry validation for External Resources file (entry inside each file or inside different files).

For Domain Name list (Type=domain):

  • Simple wildcard is allowed in domain name list, from example: *.test.com. l IDN (International Domain Name) is supported.

For IP Address list (Type=address):

  • IP address can be single IP address, subnet address, or address range, for example, 192.168.1.1, 192.168.10.0/24,192.168.100.1-192.168.100.254. l An address can be IPv4 or IPv6 address, for Type=address, IPv6 address does not need to be in [ ] format.

Configure External Resources from CLI

You can use CLI to configure External Resources files in an external HTTP server. Under Global, configure the External Resources file location and specify the resource type. DNS Filter can use domain type and address type external resources.

In the following example, configure a file “Ext-Resource-Type-as-Domain-1.txt” as type domain and it will be treated in DNS Filter as Remote Category name as “Ext-Resource-Type-as-Domain-1” and category-id 194. Configure another external resource file “Ext-Resource-Type-as-Address-1.txt” as type address, and this address object name is “ExtResource-Type-as-Address-1”:

config system external-resource edit “Ext-Resource-Type-as-Domain-1” set type domain <<<==== set category 194 <<<====

set resource “http://172.16.200.66/external-resources/Ext-Resource-Type-as-Domain-1.txt” set refresh-rate 1

next

edit “Ext-Resource-Type-as-Address-1″ set status enable set type address <<<==== set username ” set password set comments ”

set resource “http://172.16.200.66/external-resources/Ext-Resource-Type-as-Address-

1.txt” set refresh-rate 1

next

end

In each VDOM, domain type external resource can be used in DNS Filter as Remote Category. In the above example, Domain Name list in “Ext-Resource-Type-as-Domain-1.txt” file is treated as remote category (category-id 194). IP address list in “Ext-Resource-Type-as-Address-1.txt” file can be applied in DNS Filter as external-ip-blocklist. If DNS resolved IP address matches any entry in the list in that file, the DNS query is blocked. You should configure the action for this remote category and enable “external-ip-block-list” in a DNS Filter profile and apply it in the policy:

config dnsfilter profile edit “default” set comment “Default dns filtering.” config ftgd-dns config filters edit 1 set category 194 <<<==== domain list in Ext-Resource-Type-as-Domain-1.txt

treated as remote category 194

set action block

next edit 2 set category 12

next edit 3 next

end

end

set block-botnet enable

set external-ip-blocklist “Ext-Resource-Type-as-Address-1” <<<==== IP address in “ExtResource-Type-as-Address-1” file. next

end

config firewall policy edit 1 set name “DNSFilter” set srcintf “port10” set dstintf “port9” set srcaddr “all” set dstaddr “all” set action accept set schedule “always” set service “ALL” set utm-status enable set logtraffic all set dnsfilter-profile “default” set profile-protocol-options “protocol” set ssl-ssh-profile “protocols”

set nat enable

next

end

Configure External Resources from GUI

To configure, edit, or view the entries for external resources from GUI:

  1. Go to Global > Security Fabric > Fabric Connectors.
  2. Click Create New and in the Threat Feeds section, select Domain Name or IP Address.
  3. Enter the Resource Name, URL, location of the resource file, resource authentication credentials, and Refresh Rate; and click OK to finish the Threat Feeds configuration.
  4. When the configuration is complete, double-click the Threat Feeds Object you just configured to open the Edit page; then click View Entries to view the entry list in the external resources file.
  5. Go to VDOM > DNS Filter and open a DNS filter profile. The configured external resources displays and you can apply it in each DNS Filter Profile: remote category or external IP block lists.

Log Example

Remote categories

In VDOM > Log & Report > DNS Query, some domains that match the Remote Category list are rated as Remote

Category, overriding their original domain rating.

CLI Example:

1: date=2019-01-18 time=13:49:12 logid=”1501054802″ type=”utm” subtype=”dns” eventtype=”dnsresponse” level=”notice” vd=”vdom1″ eventtime=1547848151 policyid=1 sessionid=82998 srcipp=10.1.100.18 srcport=42985 srcintf=”port10″ srcintfrole=”undefined” dstip=172.16.95.16 dstport=53 dstintf=”port9″ dstintfrole=”undefined” proto=17 profile=”default” xid=38234 qname=”www.example.com” qtype=”A” qtypeval=1 qclass=”IN” ipaddr=”93.184.216.34″ msg=”Domain is monitored” action=”pass” cat=196 catdesc=”Ext-Resource-Type-as-Domain-3″

2: date=2019-01-18 time=13:49:12 logid=”1500054000″ type=”utm” subtype=”dns” eventtype=”dnsquery” level=”information” vd=”vdom1″ eventtime=1547848151 policyid=1 sessionid=82998 srcipp=10.1.100.18 srcport=42985 srcintf=”port10″ srcintfrole=”undefined” dstip=172.16.95.16 dstport=53 dstintf=”port9″ dstintfrole=”undefined” proto=17 profile=”default” xid=38234 qname=”www.example.com” qtype=”A” qtypeval=1 qclass=”IN”

External-IP-Block-Lists

You can use Address Type external resources as external-ip-blocklist in DNS Filter Profile. If DNS Query resolved IP Address matches the entry in the external-ip-blocklist, this DNS query is blocked.

CLI Example:

1: date=2019-01-18 time=13:50:53 logid=”1501054400″ type=”utm” subtype=”dns” eventtype=”dnsresponse” level=”warning” vd=”vdom1″ eventtime=1547848253 policyid=1 sessionid=83206 srcipp=10.1.100.18 srcport=47281 srcintf=”port10″ srcintfrole=”undefined” dstip=172.16.95.16 dstport=53 dstintf=”port9″ dstintfrole=”undefined” proto=17 profile=”default” xid=7501 qname=”www.example.com” qtype=”A” qtypeval=1 qclass=”IN” msg=”Domain was blocked because it is in the domain-filter list” action=”redirect” domainfilteridx=0 domainfilterlist=”Ext-ResourceType-as-Address-1″

2: date=2019-01-18 time=13:50:53 logid=”1500054000″ type=”utm” subtype=”dns” eventtype=”dnsquery” level=”information” vd=”vdom1″ eventtime=1547848253 policyid=1 sessionid=83206 srcipp=10.1.100.18 srcport=47281 srcintf=”port10″ srcintfrole=”undefined” dstip=172.16.95.16 dstport=53 dstintf=”port9″ dstintfrole=”undefined” proto=17 profile=”default” xid=7501 qname=”www.example.com” qtype=”A” qtypeval=1 qclass=”IN”

Botnet C&C IPDB blocking

Botnet C&C IPDB blocking

FortiGate also maintains a botnet C&C IP address database (botnet IPDB). If a DNS query response IP address

(resolved IP address) matches an entry inside the botnet IPDB, this DNS query is also blocked by DNS Filter botnet C&C blocking.

To view the botnet IPDB list in the CLI:

(global) # diag sys botnet list 9000 10

  1. proto=TCP ip=103.228.28.166, port=80, rule_id=7630075, name_id=3, hits=0
  2. proto=TCP ip=5.9.32.166, port=481, rule_id=4146631, name_id=7, hits=0
  3. proto=TCP ip=91.89.44.166, port=80, rule_id=48, name_id=96, hits=0
  4. proto=TCP ip=46.211.46.166, port=80, rule_id=48, name_id=96, hits=0
  5. proto=TCP ip=77.52.52.166, port=80, rule_id=48, name_id=96, hits=0
  6. proto=TCP ip=98.25.53.166, port=80, rule_id=48, name_id=96, hits=0
  7. proto=TCP ip=70.120.67.166, port=80, rule_id=48, name_id=96, hits=0
  8. proto=TCP ip=85.253.77.166, port=80, rule_id=48, name_id=96, hits=0
  9. proto=TCP ip=193.106.81.166, port=80, rule_id=48, name_id=96, hits=0
  10. proto=TCP ip=58.13.84.166, port=80, rule_id=48, name_id=96, hits=0

To see an example of how DNS filter botnet C&C IPDB blocking works, select an IP address from the IPDB list and use Internet reverse lookup service to find its corresponding domain name. Then from your internal network PC, use a command line tool such as dig or nslookup to query this domain and see that it’s blocked by DNS Filter botnet C&C blocking. For example:

# dig cpe-98-25-53-166.sc.res.rr.com

;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 35135 ;; Flags: qr rd; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 0

;; QUESTION SECTION:

;; cpe-98-25-53-166.sc.res.rr.com.            IN     A

;; ANSWER SECTION:

cpe-98-25-53-166.sc.res.rr.com. 60 IN A  208.91.112.55 <<<==== Since resolved IP address match the botnet IPDB, dns query blocked with redirect portal IP.

;; Received 64 B

;; Time 2019-04-05 11:06:47 PDT ;; From 172.16.95.16@53(UDP) in 0.6 ms

To check the DNS filter log in the GUI:

  1. Go to Log & Report > DNS Query to view the DNS query blocked by botnet C&C IPDB blocking.

To check the DNS filter log in the CLI:

1: date=2019-04-05 time=11:06:48 logid=”1501054600″ type=”utm” subtype=”dns” eventtype=”dnsresponse” level=”warning” vd=”vdom1″ eventtime=1554487606 policyid=1 sessionid=55232 srcipp=10.1.100.18 srcport=60510 srcintf=”port10″ srcintfrole=”undefined” dstip=172.16.95.16 dstport=53 dstintf=”port9″ dstintfrole=”undefined” proto=17 profile=”demo” xid=16265 qname=”cpe98-25-53-166.sc.res.rr.com” qtype=”A” qtypeval=1 qclass=”IN” ipaddr=”93.184.216.34″ msgg=”Domain was blocked by dns botnet C&C” action=”redirect” botnetip=98.25.53.166

2: date=2019-04-05 time=11:06:48 logid=”1500054000″ type=”utm” subtype=”dns” eventtype=”dnsquery” level=”information” vd=”vdom1″ eventtime=1554487606 policyid=1 sessionid=55232 srcipp=10.1.100.18 srcport=60510 srcintf=”port10″ srcintfrole=”undefined” dstip=172.16.95.16 dstport=53 dstintf=”port9″ dstintfrole=”undefined” proto=17 profile=”demo” xid=16265 qname=”cpe98-25-53-166.sc.res.rr.com” qtype=”A” qtypeval=1 qclass=”IN”

To check botnet activity:

  1. Go to Dashboard > Status and see the Botnet Activity widget.

If you cannot find the Botnet Activity widget, click the Settings button at the bottom right, select Add Widget, and add the Botnet Activity widget.

Botnet C&C domain blocking

Botnet C&C domain blocking

FortiGuard Service continually updates the Botnet C&C domain list (Domain DB). The botnet C&C domain blocking feature can block the botnet website access at the DNS name resolving stage. This provides additional protection for your network.

To configure botnet C&C domain blocking in the GUI:

  1. Go to Security Profiles > DNS Filter and edit or create a DNS Filter.
  2. Enable Redirect botnet C&C requests to Block Portal.
  3. Click the botnet package link to see the latest botnet C&C domain list.

Sample

To see an example of how this works, select a botnet domain from that list. Then from your internal network PC, use a command line tool such as dig or nslookup to send a DNS query to traverse the FortiGate to see the query blocked as a botnet domain. For example:

#dig canind.co

;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 997

;; Flags: qr rd; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 0

;; QUESTION SECTION:    
;; canind.co.                   IN

;; ANSWER SECTION:

 A  
canind.co.   60    IN blocked, redirect with portal-IP.

;; Received 43 B

;; Time 2019-04-05 09:55:21 PDT

 A  208.91.112.55 <<<==== botnet domain query
;; From 172.16.95.16@53(UDP) in 0.3 ms

To check the DNS filter log in the GUI:

  1. Go to Log & Report > DNS Query to view the DNS query blocked as a botnet domain.

To check the DNS filter log in the CLI:

FGT600D (vdom1) # exe log filter category utm-dns

FGT600D (vdom1) # exe log display 2 logs found.

2 logs returned.

1: date=2019-04-04 time=16:43:59 logid=”1501054601″ type=”utm” subtype=”dns” eventtype=”dnsresponse” level=”warning” vd=”vdom1″ eventtime=1554421439 policyid=1 sessionid=14135 srcipp=10.1.100.18 srcport=57447 srcintf=”port10″ srcintfrole=”undefined” dstip=172.16.95.16 dstport=53 dstintf=”port9″ dstintfrole=”undefined” proto=17 profile=”demo” xid=24339 qname=”canind.co” qtype=”A” qtypeval=1 qclass=”IN” msg=”Domain was blocked by dns botnet C&C” action=”redirect” botnetdomain=”canind.co”

2: date=2019-04-04 time=16:43:59 logid=”1500054000″ type=”utm” subtype=”dns” eventtype=”dnsquery” level=”information” vd=”vdom1″ eventtime=1554421439 policyid=1 sessionid=14135 srcipp=10.1.100.18 srcport=57447 srcintf=”port10″ srcintfrole=”undefined” dstip=172.16.95.16 dstport=53 dstintf=”port9″ dstintfrole=”undefined” proto=17 profile=”demo” xid=24339 qname=”canind.co” qtype=”A” qtypeval=1 qclass=”IN”

FortiGuard category-based DNS domain filtering

FortiGuard category-based DNS domain filtering

You can use the FortiGuard category-based DNS Domain Filter to inspect DNS traffic. This makes use of FortiGuard’s continually updated domain rating database for more reliable protection.

To configure FortiGuard category-based DNS Domain Filter by GUI:

  1. Go to Security Profiles > DNS Filter and edit or create a DNS Filter.
  2. Enable FortiGuard Category Based Filter.
  3. Select the category and then select Allow, Monitor, or Block for that category.
  4. If you select Block, there are two options:
  • Redirect Portal IP. If the DNS query domain will be blocked, FortiGate will use portal IP to replace the resolved IP in DNS response packet. You can use the default portal IP 208.91.112.55 or click Specify to enter another portal IP.
  • Block. Blocked DNS query has no response return and the DNS query client will time out.

To configure FortiGuard category-based DNS Domain Filter by CLI:

config dnsfilter profile

edit “demo”

set comment ”

config domain-filter

unset domain-filter-table

end

config ftgd-dns

set options error-allow

config filters <<<==== FortiGuard Category Based Filter edit 2 set category 2 set action monitor

next edit 7 set category 7 set action monitor next

edit 22 set category 0 set action monitor

next

end

end

set log-all-domain enable

set sdns-ftgd-err-log enable

set sdns-domain-log enable

set block-action redirect/block <<<==== You can specify Block or Redirect

set block-botnet enable

set safe-search enable

set redirect-portal 93.184.216.34 <<<==== Specify Redirect portal-IP.

set redirect-portal6 ::

set youtube-restrict strict

next end

Sample

To see an example of how this works, from your internal network PC, use a command line tool such as dig or nslookup to do DNS query for some domains, for example:

#dig www.example.com

;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 61252

;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 13; ADDITIONAL: 11

;; QUESTION SECTION:        
;; www.example.com.

;; ANSWER SECTION:

  IN  A  
www.example.com.

;; AUTHORITY SECTION:

 17164 IN  A 93.184.216.34
com.  20027 IN  NS  h.gtld-servers.net.
com.  20027 IN  NS  i.gtld-servers.net.
com.  20027 IN  NS  f.gtld-servers.net.
com.  20027 IN  NS  d.gtld-servers.net.
com.  20027 IN  NS  j.gtld-servers.net.
com.  20027 IN  NS  l.gtld-servers.net.
com.  20027 IN  NS  e.gtld-servers.net.
com.  20027 IN  NS  a.gtld-servers.net.
com.  20027 IN  NS  k.gtld-servers.net.
com.  20027 IN  NS  g.gtld-servers.net.
com.  20027 IN  NS  m.gtld-servers.net.
com.  20027 IN  NS  c.gtld-servers.net.
com.

;; ADDITIONAL SECTION:

 20027 IN  NS  b.gtld-servers.net.
a.gtld-servers.net. 21999 IN  A 192.5.6.30
a.gtld-servers.net. 21999 IN  AAAA  2001:503:a83e::2:30
b.gtld-servers.net. 21997 IN  A 192.33.14.30
b.gtld-servers.net. 21997 IN  AAAA  2001:503:231d::2:30
c.gtld-servers.net. 21987 IN  A 192.26.92.30
c.gtld-servers.net. 20929 IN  AAAA  2001:503:83eb::30
d.gtld-servers.net. 3340  IN  A 192.31.80.30
d.gtld-servers.net. 3340  IN  AAAA  2001:500:856e::30
e.gtld-servers.net. 19334 IN  A 192.12.94.30
e.gtld-servers.net. 19334 IN  AAAA  2001:502:1ca1::30
f.gtld-servers.net.

;; Received 509 B

3340  IN  A 192.35.51.30
;; Time 2019-04-05 09:39:33 PDT
;; From 172.16.95.16@53(UDP) in 3.8 ms

To check the DNS filter log in the GUI:

  1. Go to Log & Report > DNS Query to view the DNS traffic that just traverse the FortiGate and the FortiGuard rating for this domain name.

To check the DNS log in the CLI:

#execute log filter category utm-dns

# execute log display 2 logs found.

2 logs returned.

1: date=2019-04-05 time=09:39:34 logid=”1501054802″ type=”utm” subtype=”dns” eventtype=”dnsresponse” level=”notice” vd=”vdom1″ eventtime=1554482373 policyid=1 sessionid=50868 srcipp=10.1.100.18 srcport=34308 srcintf=”port10″ srcintfrole=”undefined” dstip=172.16.95.16 dstport=53 dstintf=”port9″ dstintfrole=”undefined” proto=17 profile=”demo” xid=17647 qname=”www.example.com” qtype=”A” qtypeval=1 qclass=”IN” ipaddr=”93.184.216.34″ msg=”Domain is monitored” action=”pass” cat=52 catdesc=”Information Technology”

2: date=2019-04-05 time=09:39:34 logid=”1500054000″ type=”utm” subtype=”dns” eventtype=”dnsquery” level=”information” vd=”vdom1″ eventtime=1554482373 policyid=1 sessionid=50868 srcipp=10.1.100.18 srcport=34308 srcintf=”port10″ srcintfrole=”undefined” dstip=172.16.95.16 dstport=53 dstintf=”port9″ dstintfrole=”undefined” proto=17 profile=”demo” xid=17647 qname=”www.example.com” qtype=”A” qtypeval=1 qclass=”IN”