
Configuring blocklisted domains

Use the Blocklisted Domains option to deny (ACL) large sets of DNS domains.

Note: Blocklisted Domains are always blocked, regardless of the individual SPP Detection/Prevention Mode setting.

To configure:
  1. Go to Global Protection > Blocklist > Blocklisted Domains.
  2. Select the option based on the requirement:
    • Upload: Choose and upload the file with the list of blocklisted domains. The supported file formats are Text, MS-DOS, CSV MS-DOS and CSV (comma delimited).

      Note:

      • List entries must be individual Fully Qualified Domain Names (FQDNs), including the TLD (e.g. mail.fortinet.com). Wildcard Domain Names are not supported.
      • If you upload a new file, the new file replaces the existing database but does not affect domains added individually with Create New (below). There is no “append” function for uploaded files.
      • FortiDDoS supports a maximum of 1 million FQDNs in the uploaded list.
      • Uploads can take several minutes and there is no progress meter. Failure and success messages are displayed as appropriate.
    • Download: Save the file with the list of blocklisted domains to your system. This file includes uploaded and individually added FQDNs.
    • Clear: Clear the current FQDN list AND any individually added FQDNs from the GUI page list.
    • Create New: Add a new single blocklisted domain and click Save to include it in the existing list. FortiDDoS allows a maximum of 1024 added Domains.
    • Delete: Enter the specific domain address to remove from the existing list and click Delete.
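Because an upload replaces the whole database and a single underscore causes the entire file to be rejected, it is worth linting the file before uploading it. The following Python script is an added example, not part of the handbook or of FortiDDoS; it checks the constraints stated above (one FQDN per line or CSV cell, no wildcards, no underscores, a TLD of at least 2 characters, at most 1 million entries) against a constructed sample file. The device's exact parser is not documented here, so the label regex, the tolerated trailing dot, and the lower-casing and de-duplication are assumptions.

```python
"""Pre-upload linter for a FortiDDoS Blocklisted Domains file.

Added example (not FortiDDoS code). It applies the constraints stated in the
handbook: one FQDN per line or CSV cell, no wildcards, no underscores (the
whole file is rejected), TLD of at least 2 characters, at most 1,000,000
entries. The device's exact parser is not documented, so the label regex and
the lower-casing / de-duplication below are assumptions.
"""
import csv
import re
import sys

MAX_UPLOAD_ENTRIES = 1_000_000  # limit stated in the handbook

# Assumed hostname label syntax: letters, digits and hyphens, 1-63 chars,
# not starting or ending with a hyphen.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def check_fqdn(entry: str) -> list:
    """Return the problems with one entry; an empty list means it is acceptable."""
    problems = []
    name = entry.strip().rstrip(".")  # tolerate one trailing dot (assumption)
    if not name:
        return ["empty entry"]
    labels = name.split(".")
    if len(labels) < 2:
        problems.append("not an FQDN: no TLD")
    elif len(labels[-1]) < 2:
        problems.append(f"TLD '{labels[-1]}' is shorter than 2 characters")
    if "*" in name:
        problems.append("wildcard domain names are not supported")
    if "_" in name:
        problems.append("underscore is not supported; the whole file would be rejected")
    if not problems:
        bad = [lbl for lbl in labels if not LABEL_RE.match(lbl)]
        if bad:
            problems.append("invalid label(s): " + ", ".join(bad))
    return problems


def lint_blocklist(text: str) -> dict:
    """Parse Text or CSV content and classify every entry."""
    valid, seen, rejected = [], set(), {}
    for row in csv.reader(text.splitlines()):   # plain-text rows have one cell
        for cell in row:
            entry = cell.strip()
            if not entry:
                continue
            problems = check_fqdn(entry)
            if problems:
                rejected[entry] = problems
                continue
            key = entry.rstrip(".").lower()       # DNS names are case-insensitive
            if key not in seen:
                seen.add(key)
                valid.append(key)
    return {
        "valid": valid,
        "rejected": rejected,
        "over_limit": len(valid) > MAX_UPLOAD_ENTRIES,
        # an underscore anywhere makes the device reject the entire upload
        "file_would_be_rejected": any("underscore" in p for ps in rejected.values() for p in ps),
    }


# Constructed sample file (not from the handbook); mixes good and bad entries.
SAMPLE_FILE = """\
mail.fortinet.com
bad-c2.example.net
*.wild.example
under_score.example.org
abc.d
BAD-C2.example.net.
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_FILE
    report = lint_blocklist(text)
    for entry, problems in report["rejected"].items():
        print(f"REJECT {entry}: {'; '.join(problems)}")
    print(f"{len(report['valid'])} usable entries; "
          f"file would be rejected: {report['file_would_be_rejected']}")
```

Run it with the path of the file you intend to upload as the first argument; with no argument it lints the constructed sample. Entries that need an underscore belong in a DNS Profile Blocklist, as the note above says, so the linter separates them rather than silently dropping them.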

Note:

  • Since a domain name is present in both the Query and the Response, Domain Blocklist will drop any Response it sees containing a blocklisted domain, even if FortiDDoS does not see the Query. This is useful in two circumstances:
    1. Asymmetric traffic where FortiDDoS sees only the inbound traffic link (it does not see outbound Queries). Blocklisted Domains is therefore effective on ISP peering and transit links to block malicious and botnet C&C domains.
    2. Reflected Response Floods may use malicious FQDNs, in which case Domain Blocklist may see the flood before DQRM sees it.
  • Blocklisted Domains does not support the underscore ( _ ) character, which is “invalid” according to the DNS RFCs but widely used. Files containing underscores in FQDNs will be rejected. If required, use a DNS Profile Blocklist, which supports the character.
  • Blocklisted Domains allows FQDNs with “TLDs” of fewer than 2 characters (abc.d), which are invalid. Make sure FQDNs have valid “TLDs” (abc.tv, for example).
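To make the first point concrete: a DNS response repeats the question name and uses it as the owner name of each answer record, so a blocklist keyed on the domain name can drop the response without ever having seen the query. The following Python is an added example, not FortiDDoS code; it decodes the names in a constructed query and in the matching constructed response (whose answer uses a compression pointer) and applies an exact-match blocklist to both, as the device does (no wildcards). Names inside RDATA (for example CNAME targets) are not extracted, and how FortiDDoS itself parses messages is not documented on this page.

```python
"""Exact-match domain blocklist applied to DNS queries and responses.

Added example (not FortiDDoS code). It shows why a blocklist keyed on the
domain name can drop a response without having seen the query: the response
repeats the question name and uses it as the owner name of each answer.
Names inside RDATA (e.g. CNAME targets) are not extracted here, and how
FortiDDoS itself parses messages is not documented on this page.
"""
import struct


def read_name(msg: bytes, offset: int) -> tuple:
    """Decode a DNS name at `offset`, following RFC 1035 compression pointers.
    Returns (lower-cased dotted name, offset just past the name's bytes in place)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # 11xxxxxx = pointer
            pointer = struct.unpack_from("!H", msg, offset)[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset, hops = True, pointer, hops + 1
            if hops > 32:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:                                # root label terminates
            if not jumped:
                end = offset
            return ".".join(labels), end
        labels.append(msg[offset:offset + length].decode("ascii").lower())
        offset += length


def names_in_message(msg: bytes) -> dict:
    """Return the QR flag and every question / RR owner name in the message."""
    _ident, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    offset, names = 12, []
    for _ in range(qd):
        name, offset = read_name(msg, offset)
        names.append(name)
        offset += 4                                    # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        name, offset = read_name(msg, offset)
        names.append(name)
        _rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, offset)
        offset += 10 + rdlen                           # fixed RR header + RDATA
    return {"is_response": bool(flags & 0x8000), "names": names}


def blocklist_verdict(msg: bytes, blocklist: set) -> dict:
    """Exact FQDN match (no wildcards, as on the device) over all names found."""
    info = names_in_message(msg)
    hits = [n for n in info["names"] if n in blocklist]
    return {"is_response": info["is_response"], "drop": bool(hits), "matched": hits}


def _encode_name(name: str) -> bytes:
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                    for lbl in name.split(".")) + b"\x00"


# Constructed messages (not captured traffic): a query for a made-up C&C name and
# the matching response, whose answer uses a pointer (0xC00C) back to the question.
QUESTION = _encode_name("evil.example.net") + struct.pack("!HH", 1, 1)   # A, IN
QUERY = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0) + QUESTION
RESPONSE = (struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0) + QUESTION
            + b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([198, 51, 100, 7]))
BLOCKLIST = {"evil.example.net"}

if __name__ == "__main__":
    for label, msg in (("query", QUERY), ("response", RESPONSE)):
        print(label, blocklist_verdict(msg, BLOCKLIST))
```

Running the block shows both the query and the response producing a drop verdict for the same blocklist entry; on an inbound-only link, only the response half of that exchange would ever be visible, which is exactly the asymmetric case described above.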
