Go to System > Feature Visibility and enable DNS Filter.
Verify that DNS Filter is enabled in a policy and SSL Inspection has been applied as needed (SSL inspection is required in order to block traffic to sites that use HTTPS).
If both settings are enabled, verify that the policy is being used for the correct traffic and that traffic is flowing by going to the policy list and viewing the Sessions column.
If the above settings are correct, verify that DNS requests are going through the policy, rather than to an internal DNS server. Also verify that proxy options and SSL/SSH inspection settings have both HTTP and HTTPS enabled and use the correct ports.
Verify that the correct FortiDNS server is configured using the following diagnose command:
diag test application dnsproxy 3
The resulting output should indicate that communication with the correct FortiDNS server was established. For example:
FWF60D4615016384 # diag test application dnsproxy 3
vdom: root, index=0, is master, vdom dns is enabled, mip-169.254.0.1 dns_log=1
dns64 is disabled
dns-server:188.8.131.52:53 tz=0 req=919160 to=545900 res=117880 rt=1800 secure=0 ready=1
dns-server:184.108.40.206:53 tz=0 req=913029 to=520111 res=134810 rt=6 secure=0 ready=1
dns-server:220.127.116.11:53 tz=-480 req=0 to=0 res=0 rt=0 secure=1 ready=1
dns-server:18.104.22.168:53 tz=0 req=0 to=0 res=0 rt=0 secure=1 ready=1
vfid=0, interface=wan1, ifindex=6, recursive, dns
DNS_CACHE: hash-size=2048, ttl=1800, min-ttl=60, max-num=5000
DNS FD: udp_s=12 udp_c=14:15 ha_c=18 unix_s=19, unix_nb_s=20, unix_nc_s=21, v6_udp_s=11, v6_udp_c=16:17
DNS FD: tcp_s=24, tcp_s6=23
FQDN: hash_size=1024, current_query=1024
LICENSE: expiry=2016-08-15, expired=0, type=2
SERVER_LDB: gid=6d61, tz=-480
This CLI result shows that the DNS server IP is set to the North American server, and is being accessed through port 53 (22.214.171.124:53).
Next, verify that bandwidth consuming sites are blocked, while other URLs are allowed.
Go to the CLI Console and enter the following:
diagnose sniffer packet any 'port 53' and 'host 126.96.36.199' 4
The resulting output should indicate that the IP (in this example, dailymotion.co.uk) was blocked by the FortiDNS server:
2.026733 172.20.121.56.59046 -> 188.8.131.52.53: udp 117
2.027316 172.20.121.56.59046 -> 184.108.40.206.53: udp 112
2.028480 172.20.121.56.59046 -> 220.127.116.11.53: udp 116
2.029591 172.20.121.56.59046 -> 18.104.22.168.53: udp 117
If you believe a website has been placed in the wrong category by FortiGuard, you can submit the URL for re-classification by going to the FortiGuard website.