DNS safe search

The DNS safe search option helps avoid explicit and inappropriate results in the Google, Bing, and YouTube search engines. The FortiGate responds with content filtered by the search engine.


For individual search engine safe search specifications, refer to the documentation for Google, Bing, and YouTube.

To configure safe search in the GUI:
  1. Go to Security Profiles > DNS Filter and click Create New, or edit an existing profile.
  2. Enable Enforce 'Safe search' on Google, Bing, YouTube.
  3. For Restrict YouTube Access, click Strict or Moderate.

  4. Configure the other settings as needed.
  5. Click OK.
To configure safe search in the CLI:
config dnsfilter profile
    edit "demo"
        config ftgd-dns
            set options error-allow
            config filters
                edit 2
                    set category 2
        set log-all-domain enable
        set block-botnet enable
        set safe-search enable
        set youtube-restrict strict

Verifying the logs

From your internal network PC, use a command line tool, such as dig or nslookup, and perform a DNS query on www.bing.com. For example:

# dig www.bing.com
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 46568
;; Flags: qr rd ra; QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 0

;; www.bing.com.                IN      A

www.bing.com.           103     IN      CNAME   strict.bing.com
strict.bing.com.        103     IN      A

;; Received 67 B
;; Time 2019-04-05 14:34:52 PDT
;; From in 196.0 ms

The DNS query for www.bing.com returns with a CNAME strict.bing.com, and an A record for the CNAME. The user's web browser then connects to this address with the same search engine UI, but any explicit content search is filtered out.

To check the DNS filter log in the GUI:
  1. Go to Log & Report > DNS Query.

    The DNS filter log in FortiOS shows a message of DNS Safe Search enforced.