Fortinet Document Library

Version:


Table of Contents

Cookbook

6.2.0
Download PDF
Copy Link

DNS safe search

Enable DNS Filter safe search so that FortiGate responds with the search engine's children and school safe domain or IP address. Users might not be aware of this filter. Explicit contents are filtered by the search engine itself. This feature isn’t 100% accurate but it can help you avoid explicit and inappropriate search results.

This feature currently supports Google, Bing, and YouTube.

To configure DNS Filter Safe Search on GUI:
  1. Go to Security Profiles > DNS Filter and edit or create a DNS Filter.
  2. Enable Enforce 'Safe search' on Google, Bing, YouTube.
  3. For Restrict YouTube Access, select Strict or Moderate.

To configure DNS Filter Safe Search on CLI:
config dnsfilter profile
    edit "demo"
        config ftgd-dns
            set options error-allow
            config filters
                edit 2
                    set category 2
                next
               ...
            end
        end
        set log-all-domain enable
        set block-botnet enable
        set safe-search enable  <<<==== DNS Filter Safe Search option
    next
end

Sample

To see an example of how this works, enable this option. Then from your internal network PC, use a command line tool such as dig or nslookup to do a DNS query on www.bing.com. For example: 

# dig www.bing.com
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 46568
;; Flags: qr rd ra; QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 0

;; QUESTION SECTION:
;; www.bing.com.                IN      A

;; ANSWER SECTION:
www.bing.com.           103     IN      CNAME   strict.bing.com.  <<<====
strict.bing.com.        103     IN      A       204.79.197.220

;; Received 67 B
;; Time 2019-04-05 14:34:52 PDT
;; From 172.16.95.16@53(UDP) in 196.0 ms

The DNS query for www.bing.com returns with a CNAME strict.bing.com, and A record for the CNAME. The user's web browser then connects to this address with the same search engine UI but any explicit content search is filtered out. Check the DNS Filter log for the message DNS Safe Search enforced.

To check the DNS Filter Safe Search log in the CLI:
1: date=2019-04-05 time=14:34:53 logid="1501054804" type="utm" subtype="dns" eventtype="dns-response" level="notice" vd="vdom1" eventtime=1554500093 policyid=1 sessionid=65955 srcip=10.1.100.18 srcport=36575 srcintf="port10" srcintfrole="undefined" dstip=172.16.95.16 dstport=53 dstintf="port9" dstintfrole="undefined" proto=17 profile="demo" xid=59573 qname="www.bing.com" qtype="A" qtypeval=1 qclass="IN" ipaddr="204.79.197.220" msg="DNS Safe Search enforced" action="pass" sscname="strict.bing.com" cat=41 catdesc="Search Engines and Portals"

2: date=2019-04-05 time=14:34:53 logid="1500054000" type="utm" subtype="dns" eventtype="dns-query" level="information" vd="vdom1" eventtime=1554500092 policyid=1 sessionid=65955 srcip=10.1.100.18 srcport=36575 srcintf="port10" srcintfrole="undefined" dstip=172.16.95.16 dstport=53 dstintf="port9" dstintfrole="undefined" proto=17 profile="demo" xid=59573 qname="www.bing.com" qtype="A" qtypeval=1 qclass="IN"

Additional information

For each search engine's safe search specifications, see its specification page:

DNS safe search

Enable DNS Filter safe search so that FortiGate responds with the search engine's children and school safe domain or IP address. Users might not be aware of this filter. Explicit contents are filtered by the search engine itself. This feature isn’t 100% accurate but it can help you avoid explicit and inappropriate search results.

This feature currently supports Google, Bing, and YouTube.

To configure DNS Filter Safe Search on GUI:
  1. Go to Security Profiles > DNS Filter and edit or create a DNS Filter.
  2. Enable Enforce 'Safe search' on Google, Bing, YouTube.
  3. For Restrict YouTube Access, select Strict or Moderate.

To configure DNS Filter Safe Search on CLI:
config dnsfilter profile
    edit "demo"
        config ftgd-dns
            set options error-allow
            config filters
                edit 2
                    set category 2
                next
               ...
            end
        end
        set log-all-domain enable
        set block-botnet enable
        set safe-search enable  <<<==== DNS Filter Safe Search option
    next
end

Sample

To see an example of how this works, enable this option. Then from your internal network PC, use a command line tool such as dig or nslookup to do a DNS query on www.bing.com. For example: 

# dig www.bing.com
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 46568
;; Flags: qr rd ra; QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 0

;; QUESTION SECTION:
;; www.bing.com.                IN      A

;; ANSWER SECTION:
www.bing.com.           103     IN      CNAME   strict.bing.com.  <<<====
strict.bing.com.        103     IN      A       204.79.197.220

;; Received 67 B
;; Time 2019-04-05 14:34:52 PDT
;; From 172.16.95.16@53(UDP) in 196.0 ms

The DNS query for www.bing.com returns with a CNAME strict.bing.com, and A record for the CNAME. The user's web browser then connects to this address with the same search engine UI but any explicit content search is filtered out. Check the DNS Filter log for the message DNS Safe Search enforced.

To check the DNS Filter Safe Search log in the CLI:
1: date=2019-04-05 time=14:34:53 logid="1501054804" type="utm" subtype="dns" eventtype="dns-response" level="notice" vd="vdom1" eventtime=1554500093 policyid=1 sessionid=65955 srcip=10.1.100.18 srcport=36575 srcintf="port10" srcintfrole="undefined" dstip=172.16.95.16 dstport=53 dstintf="port9" dstintfrole="undefined" proto=17 profile="demo" xid=59573 qname="www.bing.com" qtype="A" qtypeval=1 qclass="IN" ipaddr="204.79.197.220" msg="DNS Safe Search enforced" action="pass" sscname="strict.bing.com" cat=41 catdesc="Search Engines and Portals"

2: date=2019-04-05 time=14:34:53 logid="1500054000" type="utm" subtype="dns" eventtype="dns-query" level="information" vd="vdom1" eventtime=1554500092 policyid=1 sessionid=65955 srcip=10.1.100.18 srcport=36575 srcintf="port10" srcintfrole="undefined" dstip=172.16.95.16 dstport=53 dstintf="port9" dstintfrole="undefined" proto=17 profile="demo" xid=59573 qname="www.bing.com" qtype="A" qtypeval=1 qclass="IN"

Additional information

For each search engine's safe search specifications, see its specification page: