Botnet C&C domain blocking
FortiGuard Service continually updates the botnet C&C domain list. The botnet C&C domain blocking feature can block the botnet website access at the DNS name resolving stage. This provides additional protection for your network.
A DNS filter profile can be applied in a policy to scan DNS traffic traversing the FortiGate (see Configuring a DNS filter profile), or applied on the DNS server interface (see Applying DNS filter to FortiGate DNS server).
To configure botnet C&C domain blocking in the GUI:
-
Go to Security Profiles > DNS Filter and click Create New, or edit an existing profile.
-
Enable Redirect botnet C&C requests to Block Portal.
-
Optionally, click the botnet package link. The Botnet C&C Domain Definitions pane opens, which displays the latest list.
-
Configure the other settings as needed.
-
Click OK.
To configure botnet C&C domain blocking in the CLI:
config dnsfilter profile edit "demo" set comment '' config domain-filter unset domain-filter-table end config ftgd-dns set options error-allow config filters ... end end set log-all-domain enable set sdns-ftgd-err-log enable set sdns-domain-log enable set block-action block set block-botnet enable set safe-search enable set redirect-portal 208.91.112.55 set youtube-restrict strict next end
Verifying the logs
Select a botnet domain from that list. From your internal network PC, use a command line tool, such as dig or nslookup, to send a DNS query to traverse the FortiGate. For example:
#dig canind.co ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 997 ;; Flags: qr rd; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 0 ;; QUESTION SECTION: ;; canind.co. IN A ;; ANSWER SECTION: canind.co. 60 IN A 208.91.112.55 ;; Received 43 B ;; Time 2019-04-05 09:55:21 PDT ;; From 172.16.95.16@53(UDP) in 0.3 ms
The botnet domain query was blocked and redirected to the portal IP (208.91.112.55) .
To check the DNS filter log in the GUI:
-
Go to Log & Report > Security Events.
-
Click the DNS Query card name to view the DNS query blocked as a botnet domain.
To check the DNS filter log in the CLI:
(vdom1) # execute log filter category utm-dns (vdom1) # execute log display 2 logs found. 2 logs returned. 1: date=2019-04-04 time=16:43:59 logid="1501054601" type="utm" subtype="dns" eventtype="dns-response" level="warning" vd="vdom1" eventtime=1554421439 policyid=1 sessionid=14135 srcip=10.1.100.18 srcport=57447 srcintf="port10" srcintfrole="undefined" dstip=172.16.95.16 dstport=53 dstintf="port9" dstintfrole="undefined" proto=17 profile="demo" xid=24339 qname="canind.co" qtype="A" qtypeval=1 qclass="IN" msg="Domain was blocked by dns botnet C&C" action="redirect" botnetdomain="canind.co" 2: date=2019-04-04 time=16:43:59 logid="1500054000" type="utm" subtype="dns" eventtype="dns-query" level="information" vd="vdom1" eventtime=1554421439 policyid=1 sessionid=14135 srcip=10.1.100.18 srcport=57447 srcintf="port10" srcintfrole="undefined" dstip=172.16.95.16 dstport=53 dstintf="port9" dstintfrole="undefined" proto=17 profile="demo" xid=24339 qname="canind.co" qtype="A" qtypeval=1 qclass="IN"
Botnet C&C IPDB blocking
FortiOS also maintains a botnet C&C IP address database (IPDB). If a DNS query response IP address (resolved IP address) matches an entry inside the botnet IPDB, this DNS query is blocked by the DNS filter botnet C&C.
To view the botnet IPDB list in the CLI:
(global) # diagnose sys botnet list 9000 10 9000. proto=TCP ip=103.228.28.166, port=80, rule_id=7630075, name_id=3, hits=0 9001. proto=TCP ip=5.9.32.166, port=481, rule_id=4146631, name_id=7, hits=0 9002. proto=TCP ip=91.89.44.166, port=80, rule_id=48, name_id=96, hits=0 9003. proto=TCP ip=46.211.46.166, port=80, rule_id=48, name_id=96, hits=0 9004. proto=TCP ip=77.52.52.166, port=80, rule_id=48, name_id=96, hits=0 9005. proto=TCP ip=98.25.53.166, port=80, rule_id=48, name_id=96, hits=0 9006. proto=TCP ip=70.120.67.166, port=80, rule_id=48, name_id=96, hits=0 9007. proto=TCP ip=85.253.77.166, port=80, rule_id=48, name_id=96, hits=0 9008. proto=TCP ip=193.106.81.166, port=80, rule_id=48, name_id=96, hits=0 9009. proto=TCP ip=58.13.84.166, port=80, rule_id=48, name_id=96, hits=0
Select an IP address from the IPDB list and use a reverse lookup service to find its corresponding domain name. From your internal network PC, use a command line tool, such as dig or nslookup, to query this domain and verify that it is blocked by the DNS filter botnet C&C. For example:
# dig cpe-98-25-53-166.sc.res.rr.com ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 35135 ;; Flags: qr rd; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 0 ;; QUESTION SECTION: ;; cpe-98-25-53-166.sc.res.rr.com. IN A ;; ANSWER SECTION: cpe-98-25-53-166.sc.res.rr.com. 60 IN A 208.91.112.55 ;; Received 64 B ;; Time 2019-04-05 11:06:47 PDT ;; From 172.16.95.16@53(UDP) in 0.6 ms
Since the resolved IP address matches the botnet IPDB, the query was blocked and redirected to the portal IP (208.91.112.55) .
To check the DNS filter log in the GUI:
-
Go to Log & Report > DNS Query to view the DNS query blocked by botnet C&C IPDB.
To check the DNS filter log in the CLI:
(global) # execute log filter category utm-dns (global) # execute log display 2 logs found. 2 logs returned. 1: date=2019-04-05 time=11:06:48 logid="1501054600" type="utm" subtype="dns" eventtype="dns-response" level="warning" vd="vdom1" eventtime=1554487606 policyid=1 sessionid=55232 srcip=10.1.100.18 srcport=60510 srcintf="port10" srcintfrole="undefined" dstip=172.16.95.16 dstport=53 dstintf="port9" dstintfrole="undefined" proto=17 profile="demo" xid=16265 qname="cpe-98-25-53-166.sc.res.rr.com" qtype="A" qtypeval=1 qclass="IN" ipaddr="93.184.216.34" msg="Domain was blocked by dns botnet C&C" action="redirect" botnetip=98.25.53.166 2: date=2019-04-05 time=11:06:48 logid="1500054000" type="utm" subtype="dns" eventtype="dns-query" level="information" vd="vdom1" eventtime=1554487606 policyid=1 sessionid=55232 srcip=10.1.100.18 srcport=60510 srcintf="port10" srcintfrole="undefined" dstip=172.16.95.16 dstport=53 dstintf="port9" dstintfrole="undefined" proto=17 profile="demo" xid=16265 qname="cpe-98-25-53-166.sc.res.rr.com" qtype="A" qtypeval=1 qclass="IN"
To check botnet activity:
-
Go to Dashboard > Status and locate the Botnet Activity widget.
-
If you do not see the widget, click Add Widget, and add the Botnet Activity widget.