You can apply DNS category filtering to control user access to web resources. You can customize the default profile, or create your own to manage network user access and apply it to a firewall policy, or you can add it to a DNS server on a FortiGate interface. For more information about configuring DNS, see DNS.
DNS filtering has the following features:
- FortiGuard Filtering: filters the DNS request based on the FortiGuard domain rating.
- Botnet C&C domain blocking: blocks the DNS request for the known botnet C&C domains.
- External dynamic category domain filtering: allows you to define your own domain category.
- DNS safe search: enforces Google, Bing, and YouTube safe addresses for parental controls.
- Local domain filter: allows you to define your own domain list to block or allow.
- External IP block list: allows you to define an IP block list to block resolved IPs that match this list.
- DNS translation: maps the resolved result to another IP that you define.
DNS filtering connects to the FortiGuard secure DNS server over anycast by default. For more information about this configuration, see DNS over TLS.
The following sample topology is used in the topics of this section. It includes an internal network and a FortiGate that is used as a gateway device that all DNS traffic traverses.
Some features of this functionality require a subscription to FortiGuard Web Filtering.
DNS filter profiles cannot be used in security policies NGFW policy-based mode; see Profile-based NGFW vs policy-based NGFW for more information. They can be used in the DNS server; see FortiGate DNS server for more information.
The following topics provide information about DNS filters: