Administration Guide

DNS Filter

You can apply DNS category filtering to control user access to web resources. DNS filtering has the following features:

Feature

Description

FortiGuard filtering

Filters the DNS request based on the FortiGuard domain rating. This makes use of FortiGuard's continuously updated domain rating database for more reliable protection.

Botnet C&C domain blocking

Blocks DNS requests for known botnet C&C domains. FortiGuard continually updates the botnet C&C domain list. Because the block happens at the name-resolution stage, the querying host never receives the C&C address, which provides additional protection for your network.

Domain filter

Allows you to define your own domain list to block or allow.

In a DNS filter profile, the local domain filter has a higher priority than the FortiGuard category-based filter. DNS queries are matched against the local domain filter first. If an entry matches and its action is set to block, the query is blocked and the client is redirected to the block portal.

If no local domain filter entry matches, the FortiGuard category-based filter is applied. If the domain's FortiGuard rating falls into a category whose action is block, the query is blocked and redirected. If the category-based filter produces no block either, the original resolved IP address is returned to the client DNS resolver.

If a matching local entry's action is allow, the query skips the FortiGuard category-based filter entirely and the resolved address is returned directly to the client resolver, so keep allow entries narrow (prefer the Simple type over Wildcard or Regular expression for them). If a matching local entry's action is monitor, the query still continues to the FortiGuard category-based filter for scanning and matching.

DNS translation

Maps the resolved result to another IP address that you have defined.

For example, website A has a public address of 1.2.3.4, but when your internal network users visit this website you want them to connect to the internal host 192.168.3.4. You can use DNS translation to rewrite the resolved address 1.2.3.4 to 192.168.3.4. DNS translation also works in reverse: if you want a public DNS query for your internal server to receive a public IP address, you can translate the resolved private IP to a public IP address.

Options

Redirect botnet C&C requests to Block Portal

FortiGuard Service continually updates the botnet C&C domain list. The botnet C&C domain blocking feature can block the botnet website access at the DNS name resolving stage.

Log all DNS queries and responses

Enable to log all domains visited (detailed DNS logging).

Allow DNS requests when a rating error occurs

Enable to allow DNS requests for all domains when the FortiGuard DNS rating servers fail or are unreachable from FortiSASE. When this happens, a log message is recorded in the DNS logs by default. This is a fail-open setting: while the rating service is unreachable, the category-based filter is effectively bypassed, so review the DNS logs for that window.

Enforce 'Safe Search' on Google, Bing, YouTube

Enable to avoid explicit and inappropriate results in the Google, Bing, and YouTube search engines.

To enforce safe search, you must use SSL deep inspection. See Certificate and deep inspection modes.

Note

For individual search engine safe search specifications, refer to the documentation for Google, Bing, and YouTube.

To configure a DNS Filter profile:
  1. Go to Security Profiles > Configuration.
  2. Enable DNS Filter.
  3. Click Customize.
  4. To configure FortiGuard filtering, do the following:
    1. Enable FortiGuard Category Based Filter.
    2. Select the desired category, then select the desired action: Allow, Monitor, or Redirect Block Portal.
    3. If desired, click Manage Categories. Select the desired category, then click Edit. You can enable and configure the Threat Level for the category. A category appears in FortiView Threats after the DNS filter blocks it only if a threat level is configured for it.
  5. To configure domain filter, do the following:
    1. Click Create under Domain Filter.
    2. Enter a domain, and select a Type and Action.
    3. Click OK. The example has configured three domain filters:

      Domain            Type                Action
      www.fortinet.com  Simple              Allow
      *.example.com     Wildcard            Redirect to Block Portal
      google            Regular expression  Monitor

  6. To configure DNS translation, do the following:
    1. Under DNS Translation, click Create.
    2. In the Original Destination field, enter the domain's original IP address. For example, if you want the DNS filter profile to translate 93.184.216.34 (www.example.com) to 192.168.3.4, you would configure the original destination as 93.184.216.34.
    3. In the Translated Destination field, enter the translated destination IP address. For the example, you would enter 192.168.3.4 as the translated destination.
    4. In the Network Mask field, enter the desired network mask. For a single-host translation such as this example, enter 255.255.255.255.
    5. Click OK. With this configuration, when an internal network user performs a DNS query for www.example.com, they do not get the original www.example.com IP address of 93.184.216.34. Instead, the DNS filter replaces it with 192.168.3.4.
  7. To configure Options, do the following:

    1. To enable botnet C&C domain blocking, enable Redirect botnet C&C requests to Block Portal. If desired, you can click the botnet package link to view the latest list of botnet C&C domain definitions.
    2. If desired, enable Log all DNS queries and responses. You can view these logs in Analytics > Security > DNS Filter.
    3. If desired, enable Allow DNS requests when a rating error occurs. When the FortiGuard DNS servers fail or are unreachable from FortiSASE, DNS requests for all domains are allowed and a log message is recorded in Analytics > Security > DNS Filter.
    4. If desired, enable Enforce 'Safe Search' on Google, Bing, YouTube to avoid explicit and inappropriate results in the Google, Bing, and YouTube search engines. To enforce safe search, you must use SSL deep inspection. See Certificate and deep inspection modes.
  8. Click OK.
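As an added example (not part of the Fortinet guide or its software), the following Python simulates how a DNS filter profile evaluates one query in the order described under Domain filter above: the local domain filter first, then the FortiGuard category-based filter, then DNS translation of whatever address is returned. It is built from the three domain filter entries and the DNS translation entry in the procedure, with a constructed rating table standing in for FortiGuard. Everything not on the page is an assumption and is marked as such in the comments: glob semantics for Wildcard entries, search semantics for Regular expression entries, a placeholder block portal address, fail-closed behaviour on a rating error when the allow-on-error option is off, and how a mask shorter than 255.255.255.255 is applied.

```python
import fnmatch
import ipaddress
import re
from dataclasses import dataclass, replace
from typing import Callable

# Assumption: placeholder for the block portal address a blocked query is redirected to.
BLOCK_PORTAL_IP = "198.51.100.10"

# Constructed sample rating data standing in for the FortiGuard rating database.
SAMPLE_RATINGS = {
    "www.fortinet.com": "Information Technology",
    "example.com": "Information Technology",
    "mail.google.com": "Web-based Email",
    "bets.example.net": "Gambling",
}


class RatingError(Exception):
    """Raised when the rating service fails or is unreachable (a rating error)."""


def sample_rating_lookup(qname):
    if qname.endswith(".unreachable.test"):   # constructed: simulate an unreachable rating service
        raise RatingError(qname)
    return SAMPLE_RATINGS.get(qname)          # None means unrated: no category match


@dataclass
class DomainFilterEntry:
    domain: str
    type: str     # "simple", "wildcard" or "regex" (the profile's Type column)
    action: str   # "allow", "monitor" or "block" (block = Redirect to Block Portal)

    def matches(self, qname):
        if self.type == "simple":
            return qname == self.domain.lower()
        if self.type == "wildcard":   # assumption: glob semantics, so "*.example.com" does not match bare "example.com"
            return fnmatch.fnmatchcase(qname, self.domain.lower())
        if self.type == "regex":      # assumption: the pattern is searched anywhere in the name
            return re.search(self.domain, qname, re.IGNORECASE) is not None
        raise ValueError(f"unknown domain filter type: {self.type}")


@dataclass
class DnsTranslation:
    original: str
    translated: str
    netmask: str

    def apply(self, ip):
        # Bits covered by the mask must match the original destination and are rewritten to the
        # translated destination; host bits outside the mask are kept (assumption for masks < /32).
        addr, mask = int(ipaddress.IPv4Address(ip)), int(ipaddress.IPv4Address(self.netmask))
        orig, trans = (int(ipaddress.IPv4Address(a)) for a in (self.original, self.translated))
        if addr & mask != orig & mask:
            return ip
        return str(ipaddress.IPv4Address((trans & mask) | (addr & (~mask & 0xFFFFFFFF))))


@dataclass
class DnsFilterProfile:
    domain_filter: list
    category_actions: dict        # FortiGuard category -> "allow", "monitor" or "block"
    translations: list
    allow_on_rating_error: bool = False
    rating_lookup: Callable = sample_rating_lookup

    def _answer(self, resolved_ip):
        for t in self.translations:
            translated = t.apply(resolved_ip)
            if translated != resolved_ip:
                return translated
        return resolved_ip

    def evaluate(self, qname, resolved_ip):
        """Return (verdict, answer_ip, log_lines) for one A-record query."""
        qname = qname.lower().rstrip(".")
        log = []
        # 1. Local domain filter first: it has priority over the FortiGuard categories.
        for entry in self.domain_filter:
            if not entry.matches(qname):
                continue
            if entry.action == "block":
                log.append(f"domain-filter block {qname} matched {entry.domain!r}")
                return "block", BLOCK_PORTAL_IP, log
            if entry.action == "allow":
                log.append(f"domain-filter allow {qname} matched {entry.domain!r}; FortiGuard skipped")
                return "allow", self._answer(resolved_ip), log
            log.append(f"domain-filter monitor {qname} matched {entry.domain!r}")
            break                                  # monitor: continue to the category filter
        # 2. FortiGuard category-based filter.
        try:
            category = self.rating_lookup(qname)
        except RatingError:
            log.append(f"rating error for {qname}")
            if self.allow_on_rating_error:
                return "allow", self._answer(resolved_ip), log
            return "block", BLOCK_PORTAL_IP, log   # assumption: fail closed when the option is off
        action = self.category_actions.get(category, "allow")
        if action == "block":
            log.append(f"category block {qname} rated {category!r}")
            return "block", BLOCK_PORTAL_IP, log
        if action == "monitor":
            log.append(f"category monitor {qname} rated {category!r}")
        # 3. No block: return the resolved address, after DNS translation if one applies.
        return "allow", self._answer(resolved_ip), log


# The profile from the procedure above, plus one constructed subnet translation entry.
PROFILE = DnsFilterProfile(
    domain_filter=[
        DomainFilterEntry("www.fortinet.com", "simple", "allow"),
        DomainFilterEntry("*.example.com", "wildcard", "block"),
        DomainFilterEntry("google", "regex", "monitor"),
    ],
    category_actions={"Gambling": "block", "Web-based Email": "monitor"},
    translations=[
        DnsTranslation("93.184.216.34", "192.168.3.4", "255.255.255.255"),
        DnsTranslation("172.16.5.0", "10.10.5.0", "255.255.255.0"),   # constructed
    ],
)
PROFILE_FAIL_OPEN = replace(PROFILE, allow_on_rating_error=True)
```

Running the page's own two examples through this profile shows a conflict worth checking in real configurations: a query for www.example.com is blocked by the *.example.com wildcard entry before the DNS translation entry for 93.184.216.34 is ever consulted, so the translation only takes effect for names that escape the domain filter. The allow entry for www.fortinet.com illustrates the other side of the precedence rule: it returns an answer without any FortiGuard rating, which is why allow entries should be exact names rather than broad patterns.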
