Administration Guide

Local domain filter

In addition to the FortiGuard category-based domain filter, you can define a local static domain filter to allow or block specific domains.

In a DNS filter profile, the local domain filter has a higher priority than the FortiGuard category-based domain filter. DNS queries are matched against the local domain filter first.

  • If no entry in the local domain filter list matches, the FortiGuard category-based domain filter is used. If the domain's FortiGuard rating falls in a category whose action is block, the query is blocked and redirected. If the FortiGuard category-based filter has no match either, the original resolved IP address is returned to the client DNS resolver.

  • If a matching entry's action is block, the DNS query is blocked and redirected.

  • If a matching entry's action is allow, the FortiGuard category-based domain filter is skipped and the resolved address is returned directly to the client DNS resolver.

  • If a matching entry's action is monitor, the FortiGuard category-based domain filter is skipped, the resolved address is returned directly to the client DNS resolver, and the resolution is logged.

A DNS filter profile can be applied in a policy to scan DNS traffic traversing the FortiGate (see Configuring a DNS filter profile), or applied on the DNS server interface (see Applying DNS filter to FortiGate DNS server).

In this example, a DNS filter profile is configured and applied to a firewall policy running proxy-based inspection mode.

To configure the local domain filter in the GUI:
  1. Go to Security Profiles > DNS Filter and click Create New, or edit an existing profile.

  2. Set Name to demo.

  3. In the Static Domain Filter section, enable Domain Filter.

  4. Click Create New. The Create Domain Filter pane opens.

  5. Enter a domain, and select a Type and Action. This example has three filters:

    Domain              Type              Action
    www.fortinet.com    Simple            Allow
    *.example.com       Wildcard          Redirect to Block Portal
    google              Reg. Expression   Monitor

  6. Click OK. The entry appears in the table.

  7. In the FortiGuard Category Based Filter table, set General Interest - Business > Search Engines and Portals to Redirect to Block Portal.

  8. Configure the remaining settings as required.

  9. Click OK.

To apply the DNS filter to a proxy-mode policy in the GUI:
  1. Go to Policy & Objects > Firewall Policy and click Create New, or edit an existing policy.

  2. Configure the Incoming Interface, Outgoing Interface, Source, Destination, and Service as required.

  3. Set Inspection Mode to Proxy-based.

  4. Enable DNS Filter and select the demo filter.

  5. Set SSL Inspection to certificate-inspection.

  6. Configure the remaining settings as required.

  7. Click OK.

To configure the local domain filter table in the CLI:
config dnsfilter domain-filter
    edit 1
        set name "demo"
        set comment ''
        config entries
            edit 1
                set domain "www.fortinet.com"
                set type simple
                set action allow
                set status enable
            next
            edit 2
                set domain "*.example.com"
                set type wildcard
                set action block
                set status enable
            next
            edit 3
                set domain "google"
                set type regex
                set action monitor
                set status enable
            next
        end
    next
end
To reference the table and set the FortiGuard category action in the DNS filter profile in the CLI:
config dnsfilter profile
    edit "demo"
        config domain-filter
            set domain-filter-table 1
        end
        config ftgd-dns
            config filters
                edit 23
                    set category 41
                    set action block
                next
            end
        end
    next
end
Note

Wildcard entries are converted to regular expressions by FortiOS. As a result, wildcards will match any suffix, as long as there is a word boundary following the search term.

For example:

config entries
    edit 1
        set domain "*.host"
        set type wildcard
    next
end

will match wp36.host and wp36.host.pressdns.com, but not wp36.host123.pressdns.com.

To avoid this, use an explicit regular expression search string:

config entries
    edit 1
        set domain "^.*\\.host$"
        set type regex
    next
end
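The evaluation order above (local entries first, FortiGuard category only on no match) and the wildcard-to-regex behaviour from the Note, modelled in Python as an added example; this is not FortiOS code. The conversion rule, the case-insensitive matching, and the FortiGuard ratings in FTGD_RATING are assumptions constructed for the demonstration.

```python
import re

# Added example modelling the evaluation order on this page; it is not FortiOS code.
# Assumptions: a wildcard entry becomes a regex that needs a word boundary after the
# literal text (the Note's "*.host" behaviour), a regex entry is an unanchored search,
# and a simple entry is an exact, case-insensitive comparison.

LOCAL_FILTER = [  # the three entries from the example profile, in table order
    {"domain": "www.fortinet.com", "type": "simple", "action": "allow"},
    {"domain": "*.example.com", "type": "wildcard", "action": "block"},
    {"domain": "google", "type": "regex", "action": "monitor"},
]
# Constructed stand-in for FortiGuard ratings; 41 is the category the profile blocks.
FTGD_RATING = {"www.google.com": 41, "www.bing.com": 41}
FTGD_BLOCKED_CATEGORIES = {41}


def wildcard_to_regex(pattern: str) -> re.Pattern:
    """'*' becomes '.*' and a word boundary is required after the literal part,
    so '*.host' also matches 'wp36.host.pressdns.com' but not 'wp36.host123...'."""
    literal = r".*".join(re.escape(p) for p in pattern.split("*"))
    return re.compile(r"^" + literal + r"\b", re.IGNORECASE)


def entry_matches(entry: dict, qname: str) -> bool:
    if entry["type"] == "simple":
        return qname.lower() == entry["domain"].lower()
    if entry["type"] == "wildcard":
        return wildcard_to_regex(entry["domain"]).match(qname) is not None
    return re.search(entry["domain"], qname, re.IGNORECASE) is not None


def evaluate(qname: str, local=LOCAL_FILTER, rating=FTGD_RATING) -> tuple:
    """Local domain filter first; the FortiGuard category is consulted only on no match."""
    for entry in local:
        if entry_matches(entry, qname):
            if entry["action"] == "block":
                return ("redirect", "domain-filter")
            if entry["action"] == "monitor":   # passed, but an allow log is written
                return ("pass+log", "domain-filter")
            return ("pass", "domain-filter")   # allow: FortiGuard rating is skipped
    if rating.get(qname) in FTGD_BLOCKED_CATEGORIES:
        return ("redirect", "ftgd-category")
    return ("pass", "none")


if __name__ == "__main__":
    for q in ("www.fortinet.com", "www.example.com", "www.google.com", "www.bing.com"):
        print(q, evaluate(q))
```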
To apply the DNS filter to a proxy-mode policy in the CLI:
config firewall policy
    edit 1
        set name "port3-port1"
        set srcintf "port3"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set inspection-mode proxy
        set ssl-ssh-profile "certificate-inspection"
        set dnsfilter-profile "demo"
        set logtraffic all
        set nat enable
    next
end

Testing and Verification

On a client computer, perform DNS lookup on the three domains:

Domain              DNS query result                            Log
www.fortinet.com    Allowed. Resolved to correct IP.            None
www.example.com     Blocked. Redirected to IP of block page.    Deny log
www.google.com      Allowed. Resolved to correct IP.            Allow log

To check the DNS filter log in the GUI:
  1. Go to Log & Report > Security Events.

  2. Click the DNS Query card name to show the logs.

To check the DNS filter log in the CLI:
# execute log display
71 logs found.
10 logs returned.

1: date=2022-08-17 time=18:16:50 eventtime=1660785410733825945 tz="-0700" logid="1501054401" type="utm" subtype="dns" eventtype="dns-response" level="information" vd="root" policyid=3 poluuid="6b80057c-1e76-51ed-c629-5fe117f24362" policytype="policy" sessionid=820031 srcip=192.168.0.10 srcport=52674 srccountry="Reserved" srcintf="port3" srcintfrole="lan" dstip=8.8.8.8 dstport=53 dstcountry="United States" dstintf="port1" dstintfrole="wan" proto=17 profile="demo" xid=4352 qname="www.google.com" qtype="AAAA" qtypeval=28 qclass="IN" ipaddr="2607:f8b0:400a:803::2004" msg="Domain was allowed because it is in the domain-filter list" action="pass" domainfilteridx=1 domainfilterlist="demo"

2: date=2022-08-17 time=18:16:50 eventtime=1660785410718697625 tz="-0700" logid="1501054401" type="utm" subtype="dns" eventtype="dns-response" level="information" vd="root" policyid=3 poluuid="6b80057c-1e76-51ed-c629-5fe117f24362" policytype="policy" sessionid=820030 srcip=192.168.0.10 srcport=52673 srccountry="Reserved" srcintf="port3" srcintfrole="lan" dstip=8.8.8.8 dstport=53 dstcountry="United States" dstintf="port1" dstintfrole="wan" proto=17 profile="demo" xid=4096 qname="www.google.com" qtype="A" qtypeval=1 qclass="IN" ipaddr="172.217.14.228" msg="Domain was allowed because it is in the domain-filter list" action="pass" domainfilteridx=1 domainfilterlist="demo"

3: date=2022-08-17 time=18:16:40 eventtime=1660785401007448812 tz="-0700" logid="1501054400" type="utm" subtype="dns" eventtype="dns-response" level="warning" vd="root" policyid=3 poluuid="6b80057c-1e76-51ed-c629-5fe117f24362" policytype="policy" sessionid=820019 srcip=192.168.0.10 srcport=59950 srccountry="Reserved" srcintf="port3" srcintfrole="lan" dstip=8.8.8.8 dstport=53 dstcountry="United States" dstintf="port1" dstintfrole="wan" proto=17 profile="demo" xid=3840 qname="www.example.com" qtype="AAAA" qtypeval=28 qclass="IN" ipaddr="2620:101:9000:53::55" msg="Domain was blocked because it is in the domain-filter list" action="redirect" domainfilteridx=1 domainfilterlist="demo"

4: date=2022-08-17 time=18:16:40 eventtime=1660785401006872790 tz="-0700" logid="1501054400" type="utm" subtype="dns" eventtype="dns-response" level="warning" vd="root" policyid=3 poluuid="6b80057c-1e76-51ed-c629-5fe117f24362" policytype="policy" sessionid=820018 srcip=192.168.0.10 srcport=59949 srccountry="Reserved" srcintf="port3" srcintfrole="lan" dstip=8.8.8.8 dstport=53 dstcountry="United States" dstintf="port1" dstintfrole="wan" proto=17 profile="demo" xid=3584 qname="www.example.com" qtype="A" qtypeval=1 qclass="IN" ipaddr="208.91.112.55" msg="Domain was blocked because it is in the domain-filter list" action="redirect" domainfilteridx=1 domainfilterlist="demo"
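A small parser for the key=value records shown above, added here as an example and not part of the FortiOS CLI or the original page; it pulls the fields a DNS filter review needs (qname, action, logid, srcip) and counts redirects per client. The sample lines are trimmed copies of this page's own output (constructed from the records above).

```python
import re
from collections import Counter

# Added example: parse 'execute log display' records and summarise DNS filter verdicts.
# SAMPLE_LOGS are trimmed copies of the records shown on this page (constructed input).
SAMPLE_LOGS = [
    '1: date=2022-08-17 time=18:16:50 logid="1501054401" type="utm" subtype="dns" level="information" policyid=3 srcip=192.168.0.10 dstip=8.8.8.8 profile="demo" qname="www.google.com" qtype="A" ipaddr="172.217.14.228" msg="Domain was allowed because it is in the domain-filter list" action="pass" domainfilteridx=1 domainfilterlist="demo"',
    '2: date=2022-08-17 time=18:16:40 logid="1501054400" type="utm" subtype="dns" level="warning" policyid=3 srcip=192.168.0.10 dstip=8.8.8.8 profile="demo" qname="www.example.com" qtype="AAAA" ipaddr="2620:101:9000:53::55" msg="Domain was blocked because it is in the domain-filter list" action="redirect" domainfilteridx=1 domainfilterlist="demo"',
    '3: date=2022-08-17 time=18:16:40 logid="1501054400" type="utm" subtype="dns" level="warning" policyid=3 srcip=192.168.0.10 dstip=8.8.8.8 profile="demo" qname="www.example.com" qtype="A" ipaddr="208.91.112.55" msg="Domain was blocked because it is in the domain-filter list" action="redirect" domainfilteridx=1 domainfilterlist="demo"',
]

# A field is key=value, where the value is either a "quoted string" or a bare token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortilog(line: str) -> dict:
    """Turn one record into a dict; the leading 'N: ' counter from the CLI is dropped."""
    body = re.sub(r"^\d+:\s*", "", line)
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(body)}


def summarize(lines) -> tuple:
    """Return ({(qname, qtype): action}, Counter of redirects per client IP),
    considering only type=utm subtype=dns records."""
    verdicts, redirects = {}, Counter()
    for raw in lines:
        rec = parse_fortilog(raw)
        if rec.get("type") != "utm" or rec.get("subtype") != "dns":
            continue
        verdicts[(rec["qname"], rec["qtype"])] = rec["action"]
        if rec["action"] == "redirect":
            redirects[rec["srcip"]] += 1
    return verdicts, redirects


if __name__ == "__main__":
    verdicts, redirects = summarize(SAMPLE_LOGS)
    for key, action in verdicts.items():
        print(key, action)
    print("redirects per client:", dict(redirects))
```

Note that the two outcomes also differ in logid (1501054401 for allowed, 1501054400 for blocked) and level (information vs warning), so either field can drive an alert rule.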
