You can configure a FortiGate as a DNS server in your network. When you enable DNS service on a specific interface, the FortiGate will listen for DNS service on that interface.
Depending on the configuration, DNS service works in three modes: Recursive, Non-Recursive, or Forward to System DNS (server). For details on how to configure the FortiGate as a DNS server and configure the DNS database, see FortiGate DNS server.
You can apply a DNS filter profile to Recursive and Forward to System DNS mode. This is the same as the FortiGate working as a transparent DNS proxy for DNS relay traffic.
- Go to Network > DNS Servers (if this option is not available, go to System > Feature Visibility and enable DNS Database).
- In the DNS Service on Interface section, click Create New and select an Interface from the dropdown.
- For Mode, select Forward to System DNS.
- Enable DNS Filter and select a profile from the dropdown.
- Click OK.
config system dns-server edit "port10" set mode forward-only set dnsfilter-profile "demo" next end
In this example, port10 is enabled as a DNS service with the DNS filter profile demo. The IP address of port10 is 10.1.100.5 , and the DNS filter profile is configured to block category 52 (information technology). From your internal network PC, use a command line tool, such as dig or nslookup, to perform a DNS query. For example:
# dig @10.1.100.5 www.fortinet.com ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 52809 ;; Flags: qr rd; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 0 ;; QUESTION SECTION: ;; www.fortinet.com. IN A ;; ANSWER SECTION: www.fortinet.com. 60 IN A 188.8.131.52 ;; Received 50 B ;; Time 2019-04-08 14:36:34 PDT ;; From 10.1.100.5@53(UDP) in 13.6 ms
The relay DNS traffic was filtered based on the DNS filter profile configuration. It was blocked and redirected to the portal IP (184.108.40.206).