Fortinet Document Library

CLI Reference

6.0.0

dnsfilter domain-filter

Use this command to configure static domain filter lists in order to decide access for specific domains.

config dnsfilter domain-filter
    edit {id}
    # Configure DNS domain filters.
        set id {integer}   ID. range[0-4294967295]
        set name {string}   Name of table. size[35]
        set comment {string}   Optional comments. size[255]
        config entries
            edit {id}
            # DNS domain filter entries.
                set id {integer}   Id. range[0-4294967295]
                set domain {string}   Domain entries to be filtered. size[511]
                set type {simple | regex | wildcard}   DNS domain filter type.
                        simple    Simple domain string.
                        regex     Regular expression domain string.
                        wildcard  Wildcard domain string.
                set action {block | allow | monitor}   Action to take for domain filter matches.
                        block    Block DNS requests matching the domain filter.
                        allow    Allow DNS requests matching the domain filter without logging.
                        monitor  Allow DNS requests matching the domain filter with logging.
                set status {enable | disable}   Enable/disable this domain filter.
            next
        end
    next
end

Additional information

The following section is for those options that require additional explanation.

config entries

Use this configuration method to specify the static domains, determine their filter types, and the course of action to take upon detection.

action {block | allow | monitor}

Action to take when the filter matches the domain: block (set by default), allow, or monitor.

domain <host-name>

Domain/host name to subject to filtering. Note that this cannot be a URL, as DNS can only resolve host names.

status {enable | disable}

Enable (by default) or disable this static domain filter.

type {simple | regex | wildcard}

Set the domain type:

  • simple: Simple domain/host name; requires an exact match (set by default).
  • regex: Allow use of PCRE regular expressions.
  • wildcard: Allow wildcard characters for partial matching to a domain.

Note

Wildcard entries are converted to regular expressions by FortiOS. As a result of this conversion, wildcards will match any suffix, as long as there is a word boundary following the search term.

For example:

config entries
    edit 1
        set domain "*.host"
        set type wildcard
    next
end

will match wp36.host and wp36.host.pressdns.com, but not wp36.host123.pressdns.com.

To avoid this, use an explicit regular expression search string:

config entries
    edit 1
        set domain "^.*\\.host$"
        set type regex
    next
end
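
Added example (not Fortinet code): a small Python model of the behaviour described in the note above, for auditing which hostnames a wildcard entry matches beyond the intended suffix. The conversion rule in `loose_regex`, the function names and the hostname `wp36.host-mirror.example` are assumptions constructed for illustration; the other hostnames come from the page.

```python
import re

def _body(wildcard):
    # '*' becomes '.*'; every other character is matched literally.
    return ".*".join(re.escape(part) for part in wildcard.split("*"))

def loose_regex(wildcard):
    # Assumed model of the converted wildcard (not FortiOS source):
    # unanchored search, with a word boundary required after the term.
    return _body(wildcard) + r"\b"

def anchored_regex(wildcard):
    # Explicit form recommended by the page, e.g. ^.*\.host$
    return "^" + _body(wildcard) + "$"

def overmatches(wildcard, hostnames):
    """Hostnames the loose form matches but the anchored form rejects."""
    loose = re.compile(loose_regex(wildcard), re.IGNORECASE)
    strict = re.compile(anchored_regex(wildcard), re.IGNORECASE)
    return [h for h in hostnames if loose.search(h) and not strict.search(h)]

def cli_domain_value(wildcard):
    # The page's example doubles each backslash inside the quoted CLI string.
    return '"' + anchored_regex(wildcard).replace("\\", "\\\\") + '"'

# Constructed test set: first three hostnames are from the page,
# the last one is a made-up name with a hyphen after the term.
SAMPLE_HOSTS = [
    "wp36.host",
    "wp36.host.pressdns.com",
    "wp36.host123.pressdns.com",
    "wp36.host-mirror.example",
]

if __name__ == "__main__":
    entry = "*.host"
    print("wildcard entry :", entry)
    print("modelled regex :", loose_regex(entry))
    for host in overmatches(entry, SAMPLE_HOSTS):
        print("  matches beyond the suffix:", host)
    print("anchored value : set domain", cli_domain_value(entry))
```

Under this model a hyphen after the term also counts as a word boundary, so review wildcard entries with an `allow` action first: an over-match there exempts hostnames from filtering without logging.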