Administration Guide

Configuring a DNS filter profile

A DNS filter profile contains settings that enable or disable various forms of DNS filtering, including:

  • FortiGuard filtering

  • Botnet C&C domain blocking

  • DNS safe search

  • External dynamic category domain filtering

  • Local domain filter

  • External IP block list

  • DNS translation

Once a DNS filter is configured, it can be applied to a firewall policy, or on a FortiGate DNS server if one is configured. In the following basic example, a DNS filter is created and applied to a firewall policy to scan DNS queries that pass through the FortiGate.

To configure a DNS filter profile in the GUI:
  1. Go to Security Profiles > DNS Filter and click Create New, or edit an existing profile.
  2. Configure the settings as needed.

    Name

    Enter a unique name for the profile.

    Comments

    Enter a comment (optional).

    Redirect botnet C&C requests to Block Portal

    Enable to block botnet website access at the DNS name resolution stage. See Botnet C&C domain blocking for more details.

    Enforce 'Safe Search' on Google, Bing, YouTube

    Enable to avoid explicit and inappropriate results in the Google, Bing, and YouTube search engines. See DNS safe search for more details.

    Restrict YouTube Access

    When Enforce 'Safe Search' on Google, Bing, YouTube is enabled, select either Strict or Moderate to restrict YouTube access by responding to DNS resolutions with CNAME restrict.youtube.com and restrictmoderate.youtube.com respectively.

    FortiGuard Category Based Filter

    Enable to use the FortiGuard domain rating database to inspect DNS traffic. A FortiGuard Web Filter license is required to use this option.

    Expand the category groups in the table to view and edit the FortiGuard category settings to Allow, Monitor, or Redirect to Block Portal. See FortiGuard category-based DNS domain filtering for more details.

    Static Domain Filter

    This section includes options related to the static domain filter.

    Domain Filter

    Enable to define local static domain filters to allow or block specific domains. The local domain filter has a higher priority than the FortiGuard category-based domain filter.

    Click Create New in the table to add a domain filter and configure the following settings.

    • Domain: enter a domain.
    • Type: select Simple, Reg. Expression, or Wildcard.
    • Action: select Redirect to Block Portal, Allow, or Monitor.
    • Status: select Enable or Disable.

    See Local domain filter for more details.

    External IP Block Lists

    Enable to add one or more external IP block lists. See IP address threat feed for more details.

    DNS Translation

    Enable to translate a DNS resolved IP address to another IP address specified on a per-policy basis.

    Click Create New in the table to add a DNS translation and configure the following settings.

    • Type: select IPv4 or IPv6.
    • Original Destination: enter the address of a host or subnet that you want translated. When a resolved address in a DNS response matches this destination, the FortiGate will replace the address with the address in Translated Destination.
    • Translated Destination: enter the address of a host or subnet that you want the resolved address to be translated to.
    • Network Mask: enter the netmask for the original and translated destination. If a single host is used for the original and translated destination, set the netmask to 255.255.255.255.
    • Status: select Enable or Disable.

    Enabling DNS translation will override matching DNS responses with translated IPs. See DNS translation for more details.

    Options

    This section includes other options related to the DNS filter.

    Redirect Portal IP

    Set the IP address of the SDNS redirect portal. Select Use FortiGuard Default, or Specify and enter the IP address.

    When FortiGuard Category Based Filter categories are set to Redirect to Block Portal, the DNS response will use this IP address in its response to the client. If the client is accessing the domain on a web browser, they will be redirected to the block portal page on this address.

    Allow DNS requests when a rating error occurs

    Enable to allow all domains (fail open) when the FortiGuard DNS rating servers fail or are unreachable from the FortiGate. When this happens, a log message is recorded in the DNS logs by default.

    Log all DNS queries and responses

    Enable to log all domains visited (detailed DNS logging).

  3. Click OK.

To apply a DNS filter profile to a policy in the GUI:
  1. Go to Policy & Objects > Firewall Policy and click Create New, or edit an existing policy.
  2. In the Security Profiles section, enable DNS Filter and select the DNS filter.
  3. Configure the other settings as needed.
  4. Click OK.

CLI-only settings

The following DNS filter profile settings can only be configured in the CLI:

config dnsfilter profile
    edit <name>
        set block-action {block | redirect | block-servfail}
        set sdns-ftgd-err-log {enable | disable}
    next
end

block-action {block | redirect | block-servfail}

Set the action to take for blocked domains:

  • block: return NXDOMAIN for blocked domains.

  • redirect: redirect blocked domains to SDNS portal (default).

  • block-servfail: return SERVFAIL for blocked domains.

When a FortiGuard category or a local domain filter entry is set to Redirect to Block Portal in the GUI, the corresponding action is shown as block in the CLI; the response the client actually receives for such a domain is then decided by block-action, which defaults to redirect for a DNS filter profile.

sdns-ftgd-err-log {enable | disable}

Enable/disable FortiGuard SDNS rating error logging (default = enable).
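The following Python model is an added example, not Fortinet code, that shows how the Static Domain Filter, DNS Translation and block-action settings described above combine to shape the answer a client receives: the local domain filter (Simple, Wildcard or Reg. Expression) is consulted before the FortiGuard category action, a blocked domain yields NXDOMAIN, SERVFAIL or the redirect portal address depending on block-action, and an allowed answer is rewritten when it falls inside a DNS translation's Original Destination range. All class and method names are assumptions, as is the handling of subnet translations (network part swapped, host bits kept).

```python
import ipaddress
import re
from dataclasses import dataclass, field

@dataclass
class DomainFilter:             # one row of the Static Domain Filter table
    pattern: str
    ftype: str                  # "simple" | "wildcard" | "regex" (GUI: Simple / Wildcard / Reg. Expression)
    action: str                 # "allow" | "monitor" | "block" (GUI: Allow / Monitor / Redirect to Block Portal)
    def matches(self, name: str) -> bool:
        if self.ftype == "simple":
            return name == self.pattern
        if self.ftype == "wildcard":    # '*' stands for any run of characters
            return re.fullmatch(re.escape(self.pattern).replace(r"\*", ".*"), name) is not None
        return re.fullmatch(self.pattern, name) is not None

@dataclass
class DnsTranslation:           # one row of the DNS Translation table
    original: str
    translated: str
    netmask: str = "255.255.255.255"   # single host, as the page recommends
    def apply(self, addr: str):         # rewritten address, or None when addr is outside 'original'
        orig = ipaddress.ip_network(f"{self.original}/{self.netmask}", strict=False)
        if ipaddress.ip_address(addr) not in orig:
            return None
        # Assumption: for a subnet, the network part is swapped and the host bits are kept.
        host_bits = int(ipaddress.ip_address(addr)) & ~int(orig.netmask)
        new = ipaddress.ip_network(f"{self.translated}/{self.netmask}", strict=False)
        return str(ipaddress.ip_address(int(new.network_address) | host_bits))

@dataclass
class DnsFilterProfile:
    block_action: str = "redirect"          # CLI block-action: block | redirect | block-servfail
    redirect_portal: str = "93.184.216.34"  # the redirect-portal value from the page's CLI example
    domain_filters: list = field(default_factory=list)
    ftgd_actions: dict = field(default_factory=dict)   # FortiGuard category id -> action
    translations: list = field(default_factory=list)
    def resolve(self, name: str, category: int, upstream_ip: str) -> tuple:
        # Returns (rcode, answer). The local domain filter wins over the FortiGuard category rating.
        hit = next((f for f in self.domain_filters if f.matches(name)), None)
        action = hit.action if hit else self.ftgd_actions.get(category, "allow")
        if action == "block":   # what the client sees depends on the CLI block-action
            blocked = {"block": ("NXDOMAIN", None), "block-servfail": ("SERVFAIL", None)}
            return blocked.get(self.block_action, ("NOERROR", self.redirect_portal))
        # allow / monitor: pass the upstream answer through, rewriting it if a translation matches
        for t in self.translations:
            rewritten = t.apply(upstream_ip)
            if rewritten:
                return ("NOERROR", rewritten)
        return ("NOERROR", upstream_ip)
```

The sample domains, category numbers and addresses used when exercising this model are constructed for illustration only.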

To configure a DNS filter profile in the CLI:
config dnsfilter profile
    edit "demo"
        set comment ''
        config domain-filter
            unset domain-filter-table
        end
        config ftgd-dns
            set options error-allow
            config filters
                edit 2
                    set category 2
                    set action monitor
                next
                edit 7
                    set category 7
                    set action block
                next
                ...
                edit 22
                    set category 0
                    set action monitor
                next
            end
        end
        set log-all-domain enable
        set sdns-ftgd-err-log enable
        set sdns-domain-log enable
        set block-action redirect
        set block-botnet enable
        set safe-search enable
        set redirect-portal 93.184.216.34
        set youtube-restrict strict
    next
end
To apply a DNS filter profile to a policy in the CLI:
config firewall policy
    edit 1
        set name "Demo"
        set srcintf "port10"
        set dstintf "port9"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set inspection-mode proxy
        set logtraffic all
        set fsso disable
        set dnsfilter-profile "demo"
        set profile-protocol-options "default"
        set ssl-ssh-profile "deep-inspection"
        set nat enable
    next
end
