The DNS safe search option helps avoid explicit and inappropriate results in the Google, Bing, and YouTube search engines. The FortiGate responds with content filtered by the search engine.
- Go to Security Profiles > DNS Filter and click Create New, or edit an existing profile.
- Enable Enforce 'Safe search' on Google, Bing, YouTube.
- For Restrict YouTube Access, click Strict or Moderate.
- Configure the other settings as needed.
- Click OK.
config dnsfilter profile edit "demo" config ftgd-dns set options error-allow config filters edit 2 set category 2 next ... end end set log-all-domain enable set block-botnet enable set safe-search enable set youtube-restrict strict next end
From your internal network PC, use a command line tool, such as dig or nslookup, and perform a DNS query on www.bing.com. For example:
# dig www.bing.com ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 46568 ;; Flags: qr rd ra; QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 0 ;; QUESTION SECTION: ;; www.bing.com. IN A ;; ANSWER SECTION: www.bing.com. 103 IN CNAME strict.bing.com strict.bing.com. 103 IN A 220.127.116.11 ;; Received 67 B ;; Time 2019-04-05 14:34:52 PDT ;; From 172.16.95.16@53(UDP) in 196.0 ms
The DNS query for www.bing.com returns with a CNAME strict.bing.com, and an A record for the CNAME. The user's web browser then connects to this address with the same search engine UI, but any explicit content search is filtered out.
- Go to Log & Report > DNS Query.
The DNS filter log in FortiOS shows a message of DNS Safe Search enforced.