Fortinet black logo

Administration Guide

DNS filter

You can apply DNS category filtering to control user access to web resources. You can customize the default profile, or create your own to manage network user access and apply it to a firewall policy, or you can add it to a DNS server on a FortiGate interface. For more information about configuring DNS, see DNS.

DNS filtering has the following features:

  • FortiGuard Filtering: filters the DNS request based on the FortiGuard domain rating.
  • Botnet C&C domain blocking: blocks the DNS request for the known botnet C&C domains.
  • External dynamic category domain filtering: allows you to define your own domain category.
  • DNS safe search: enforces Google, Bing, and YouTube safe addresses for parental controls.
  • Local domain filter: allows you to define your own domain list to block or allow.
  • External IP block list: allows you to define an IP block list to block resolved IPs that match this list.
  • DNS translation: maps the resolved result to another IP that you define.
Note

Some DNS filter features require a subscription to FortiGuard Web Filtering.

DNS filtering connects to the FortiGuard secure DNS server over anycast by default. For more information about this configuration, see DNS over TLS and HTTPS.

The IPS engine handles the DNS filter in flow mode policies and queries the FortiGuard web filter server for FortiGuard categories. In proxy mode, the DNS proxy daemon handles the DNS filter and queries the FortiGuard SDNS server for FortiGuard categories. When a DNS filter profile is enabled in config system dns-server, the DNS proxy daemon handles the traffic.

Note

DNS filter profiles cannot be used in firewall policies when the FortiGate is in NGFW policy-based mode; see NGFW policy for more information. They can be used in the DNS server; see FortiGate DNS server for more information.

Note

A DNS filter profile can be applied in a policy to scan DNS traffic traversing the FortiGate (see Configuring a DNS filter profile), or applied on the DNS server interface (see Applying DNS filter to FortiGate DNS server).

DNS filter behavior in proxy mode

In cases where the DNS proxy daemon handles the DNS filter (described in the preceding section) and if DNS caching is enabled (this is the default setting), then the FortiGate will respond to subsequent DNS queries using the result in the DNS cache and will not forward these queries to a real DNS server.

There are two options to disable this behavior:

  • Disable DNS caching globally.
  • Remove the DNS filter profile from the proxy mode firewall policy or from the DNS server configured on a FortiGate interface.
To disable DNS caching globally:
config system dns
    set dns-cache-limit 0
end
Note

There will be a performance impact to DNS queries since each query will not be cached, and will be forwarded to a real DNS server.

FortiGuard DNS rating service

DNS over TLS connections to the FortiGuard secure DNS server is supported. The CLI options are only available when fortiguard-anycast is enabled. DNS filtering connects to the FortiGuard secure DNS server over anycast by default.

To configure DoT to the secure DNS server in the CLI:
config system fortiguard
    set fortiguard-anycast enable
    set fortiguard-anycast-source fortinet
    set anycast-sdns-server-ip 0.0.0.0
    set anycast-sdns-server-port 853
end

The following topics provide information about DNS filters:

You can apply DNS category filtering to control user access to web resources. You can customize the default profile, or create your own to manage network user access and apply it to a firewall policy, or you can add it to a DNS server on a FortiGate interface. For more information about configuring DNS, see DNS.

DNS filtering has the following features:

  • FortiGuard Filtering: filters the DNS request based on the FortiGuard domain rating.
  • Botnet C&C domain blocking: blocks the DNS request for the known botnet C&C domains.
  • External dynamic category domain filtering: allows you to define your own domain category.
  • DNS safe search: enforces Google, Bing, and YouTube safe addresses for parental controls.
  • Local domain filter: allows you to define your own domain list to block or allow.
  • External IP block list: allows you to define an IP block list to block resolved IPs that match this list.
  • DNS translation: maps the resolved result to another IP that you define.
Note

Some DNS filter features require a subscription to FortiGuard Web Filtering.

DNS filtering connects to the FortiGuard secure DNS server over anycast by default. For more information about this configuration, see DNS over TLS and HTTPS.

The IPS engine handles the DNS filter in flow mode policies and queries the FortiGuard web filter server for FortiGuard categories. In proxy mode, the DNS proxy daemon handles the DNS filter and queries the FortiGuard SDNS server for FortiGuard categories. When a DNS filter profile is enabled in config system dns-server, the DNS proxy daemon handles the traffic.

Note

DNS filter profiles cannot be used in firewall policies when the FortiGate is in NGFW policy-based mode; see NGFW policy for more information. They can be used in the DNS server; see FortiGate DNS server for more information.

Note

A DNS filter profile can be applied in a policy to scan DNS traffic traversing the FortiGate (see Configuring a DNS filter profile), or applied on the DNS server interface (see Applying DNS filter to FortiGate DNS server).

DNS filter behavior in proxy mode

In cases where the DNS proxy daemon handles the DNS filter (described in the preceding section) and if DNS caching is enabled (this is the default setting), then the FortiGate will respond to subsequent DNS queries using the result in the DNS cache and will not forward these queries to a real DNS server.

There are two options to disable this behavior:

  • Disable DNS caching globally.
  • Remove the DNS filter profile from the proxy mode firewall policy or from the DNS server configured on a FortiGate interface.
To disable DNS caching globally:
config system dns
    set dns-cache-limit 0
end
Note

There will be a performance impact to DNS queries since each query will not be cached, and will be forwarded to a real DNS server.

FortiGuard DNS rating service

DNS over TLS connections to the FortiGuard secure DNS server is supported. The CLI options are only available when fortiguard-anycast is enabled. DNS filtering connects to the FortiGuard secure DNS server over anycast by default.

To configure DoT to the secure DNS server in the CLI:
config system fortiguard
    set fortiguard-anycast enable
    set fortiguard-anycast-source fortinet
    set anycast-sdns-server-ip 0.0.0.0
    set anycast-sdns-server-port 853
end

The following topics provide information about DNS filters: