DNS safe search
The DNS safe search option helps avoid explicit and inappropriate results in the Google, Bing, DuckDuckGo, Qwant, and YouTube search engines. The FortiGate responds with content filtered by the search engine.
For individual search engine safe search specifications, refer to the documentation for Google, Bing, DuckDuckGo, Qwant, and YouTube. |
A DNS filter profile can be applied in a policy to scan DNS traffic traversing the FortiGate (see Configuring a DNS filter profile), or applied on the DNS server interface (see Applying DNS filter to FortiGate DNS server).
To configure safe search in the GUI:
-
Go to Security Profiles > DNS Filter and click Create New, or edit an existing profile.
-
Enable Enforce 'Safe search' on Google, Bing, YouTube (this setting also applies safe search on DuckDuckGo and Qwant).
-
For Restrict YouTube Access, click Strict or Moderate.
-
Configure the other settings as needed.
-
Click OK.
To configure safe search in the CLI:
config dnsfilter profile edit "demo" config ftgd-dns set options error-allow config filters edit 2 set category 2 next ... end end set log-all-domain enable set block-botnet enable set safe-search enable set youtube-restrict strict next end
Verifying the logs
From your internal network PC, use a command line tool, such as dig or nslookup, and perform a DNS query on www.bing.com. For example:
# dig www.bing.com ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 46568 ;; Flags: qr rd ra; QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 0 ;; QUESTION SECTION: ;; www.bing.com. IN A ;; ANSWER SECTION: www.bing.com. 103 IN CNAME strict.bing.com strict.bing.com. 103 IN A 204.79.197.220 ;; Received 67 B ;; Time 2019-04-05 14:34:52 PDT ;; From 172.16.95.16@53(UDP) in 196.0 ms
The DNS query for www.bing.com returns with a CNAME strict.bing.com, and an A record for the CNAME. The user's web browser then connects to this address with the same search engine UI, but any explicit content search is filtered out.
To check the DNS filter log in the GUI:
-
Go to Log & Report > Security Events.
-
Click the DNS Query card name.
The DNS filter log in FortiOS shows a message of DNS Safe Search enforced.
To check the DNS filter log in the CLI:
# execute log filter category utm-dns # execute log display 2 logs found. 2 logs returned. 1: date=2019-04-05 time=14:34:53 logid="1501054804" type="utm" subtype="dns" eventtype="dns-response" level="notice" vd="vdom1" eventtime=1554500093 policyid=1 sessionid=65955 srcip=10.1.100.18 srcport=36575 srcintf="port10" srcintfrole="undefined" dstip=172.16.95.16 dstport=53 dstintf="port9" dstintfrole="undefined" proto=17 profile="demo" xid=59573 qname="www.bing.com" qtype="A" qtypeval=1 qclass="IN" ipaddr="204.79.197.220" msg="DNS Safe Search enforced" action="pass" sscname="strict.bing.com" cat=41 catdesc="Search Engines and Portals" 2: date=2019-04-05 time=14:34:53 logid="1500054000" type="utm" subtype="dns" eventtype="dns-query" level="information" vd="vdom1" eventtime=1554500092 policyid=1 sessionid=65955 srcip=10.1.100.18 srcport=36575 srcintf="port10" srcintfrole="undefined" dstip=172.16.95.16 dstport=53 dstintf="port9" dstintfrole="undefined" proto=17 profile="demo" xid=59573 qname="www.bing.com" qtype="A" qtypeval=1 qclass="IN"