Local domain filter
In addition to the FortiGuard category-based domain filter, you can define a local static domain filter to allow or block specific domains.
In a DNS filter profile, the local domain filter has a higher priority than the FortiGuard category-based domain filter. DNS queries are scanned and matched against the local domain filter first. If an entry matches and its action is set to block, the DNS query is blocked and redirected.
If nothing in the local domain filter list matches, the FortiGuard category-based domain filter is used. If the query's domain name is rated in a blocked category, the query is blocked and redirected. If the FortiGuard category-based filter also has no match, the original resolved IP address is returned to the client DNS resolver.
If a matching local domain filter entry has its action set to allow, the FortiGuard category-based domain filter is skipped and the resolved address is returned directly to the client DNS resolver. If the matching entry's action is set to monitor, the query continues to the FortiGuard category-based domain filter for scanning and matching.
A DNS filter profile can be applied in a policy to scan DNS traffic traversing the FortiGate (see Configuring a DNS filter profile), or applied on the DNS server interface (see Applying DNS filter to FortiGate DNS server).
To configure the local domain filter in the GUI:
- Go to Security Profiles > DNS Filter and click Create New, or edit an existing profile.
- In the Static Domain Filter section, enable Domain Filter.
- Click Create New. The Create Domain Filter pane opens.
- Enter a domain, and select a Type and Action. This example has three filters:

  Domain            Type             Action
  www.fortinet.com  Simple           Allow
  *.example.com     Wildcard         Redirect to Block Portal
  google            Reg. Expression  Monitor
- Click OK. The entry appears in the table.
- Configure the other settings as needed.
- Click OK.
To configure the local domain filter in the CLI:
config dnsfilter domain-filter
    edit 1
        set name "demo"
        set comment ''
        config entries
            edit 1
                set domain "www.fortinet.com"
                set type simple
                set action allow
                set status enable
            next
            edit 2
                set domain "*.example.com"
                set type wildcard
                set action block
                set status enable
            next
            edit 3
                set domain "google"
                set type regex
                set action monitor
                set status enable
            next
        end
    next
end
Wildcard entries are converted to regular expressions by FortiOS. As a result, a wildcard matches any suffix, as long as there is a word boundary following the search term. For example:

config entries
    edit 1
        set domain "*.host"
        set type wildcard
    next
end

will match not only names ending in .host but any name in which .host is followed by a word boundary, such as a further label. To avoid this, use an explicit regular expression search string:

config entries
    edit 1
        set domain "^.*\\.host$"
        set type regex
    next
end
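The evaluation order and the wildcard caveat above, as an added Python model (not FortiOS code and not from this page): the entries mirror the "demo" profile, the category lookup and the exact wildcard-to-regex conversion are assumptions, and ANCHORED_ENTRIES shows the explicit regex the note recommends.

```python
import re

# Added example, not FortiOS code: models the evaluation order described above
# (local domain filter first, then FortiGuard category) and the wildcard caveat.
# The entries mirror the "demo" profile; the category lookup is constructed.
LOCAL_ENTRIES = [
    {"domain": "www.fortinet.com", "type": "simple", "action": "allow"},
    {"domain": "*.example.com", "type": "wildcard", "action": "block"},
    {"domain": "google", "type": "regex", "action": "monitor"},
]
CATEGORY = {"www.google.com": 41}  # stands in for the FortiGuard rating (cat=41 in the log)
DENIED_CATEGORIES = {41}           # the policy denies "Search Engines and Portals"

def wildcard_to_regex(pattern):
    # Assumed conversion: each '*' becomes '.*', other characters are escaped, and
    # only a word boundary is required after the term, so "*.host" also matches
    # "www.host.com" because '.' ends a word; that is the suffix behaviour above.
    return ".*".join(re.escape(p) for p in pattern.split("*")) + r"\b"

def entry_matches(entry, qname):
    kind, term = entry["type"], entry["domain"]
    if kind == "simple":
        return qname.lower() == term.lower()
    if kind == "wildcard":
        return re.search(wildcard_to_regex(term), qname, re.IGNORECASE) is not None
    return re.search(term, qname, re.IGNORECASE) is not None  # explicit regex

def evaluate(qname, entries=LOCAL_ENTRIES):
    """Return (action, reason): 'pass' or 'redirect', and which filter decided."""
    for idx, entry in enumerate(entries, 1):
        if not entry_matches(entry, qname):
            continue
        if entry["action"] == "allow":
            return "pass", f"local entry {idx} allow"      # FortiGuard filter skipped
        if entry["action"] == "block":
            return "redirect", f"local entry {idx} block"  # redirected to block portal
        break  # monitor: logged only, query continues to the category-based filter
    cat = CATEGORY.get(qname)
    if cat in DENIED_CATEGORIES:
        return "redirect", f"category {cat} denied by policy"
    return "pass", "no match"

# The note's recommended fix: an anchored regex instead of the wildcard entry.
ANCHORED_ENTRIES = [LOCAL_ENTRIES[0],
                    {"domain": r"^.*\.example\.com$", "type": "regex", "action": "block"},
                    LOCAL_ENTRIES[2]]
```

Note that the wildcard entry also redirects www.example.com.evil.net, while the anchored regex entry lets it fall through to the category filter.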
To check the DNS filter log in the GUI:
- Go to Log & Report > Security Events.
- Click the DNS Query card name.
Because the local domain filter entry for google is set to monitor, the query for www.google.com continues to the FortiGuard category-based domain filter, where it is blocked because the policy action for its category is deny.
To check the DNS filter log in the CLI:
# execute log filter category utm-dns
# execute log display
...
7: date=2019-04-05 time=15:37:06 logid="1501054803" type="utm" subtype="dns" eventtype="dns-response" level="warning" vd="vdom1" eventtime=1554503826 policyid=1 sessionid=69132 srcip=10.1.100.18 srcport=49832 srcintf="port10" srcintfrole="undefined" dstip=172.16.95.16 dstport=53 dstintf="port9" dstintfrole="undefined" proto=17 profile="demo" xid=4612 qname="www.google.com" qtype="A" qtypeval=1 qclass="IN" ipaddr="208.91.112.55" msg="Domain belongs to a denied category in policy" action="redirect" cat=41 catdesc="Search Engines and Portals"
8: date=2019-04-05 time=15:37:06 logid="1500054000" type="utm" subtype="dns" eventtype="dns-query" level="information" vd="vdom1" eventtime=1554503826 policyid=1 sessionid=69132 srcip=10.1.100.18 srcport=49832 srcintf="port10" srcintfrole="undefined" dstip=172.16.95.16 dstport=53 dstintf="port9" dstintfrole="undefined" proto=17 profile="demo" xid=4612 qname="www.google.com" qtype="A" qtypeval=1 qclass="IN"
9: date=2019-04-05 time=15:36:59 logid="1501054400" type="utm" subtype="dns" eventtype="dns-response" level="warning" vd="vdom1" eventtime=1554503818 policyid=1 sessionid=69121 srcip=10.1.100.18 srcport=40659 srcintf="port10" srcintfrole="undefined" dstip=172.16.95.16 dstport=53 dstintf="port9" dstintfrole="undefined" proto=17 profile="demo" xid=24730 qname="www.example.com" qtype="A" qtypeval=1 qclass="IN" msg="Domain was blocked because it is in the domain-filter list" action="redirect" domainfilteridx=1 domainfilterlist="demo"
10: date=2019-04-05 time=15:36:59 logid="1500054000" type="utm" subtype="dns" eventtype="dns-query" level="information" vd="vdom1" eventtime=1554503818 policyid=1 sessionid=69121 srcip=10.1.100.18 srcport=40659 srcintf="port10" srcintfrole="undefined" dstip=172.16.95.16 dstport=53 dstintf="port9" dstintfrole="undefined" proto=17 profile="demo" xid=24730 qname="www.example.com" qtype="A" qtypeval=1 qclass="IN"
11: date=2019-04-05 time=15:36:51 logid="1501054401" type="utm" subtype="dns" eventtype="dns-response" level="information" vd="vdom1" eventtime=1554503810 policyid=1 sessionid=69118 srcip=10.1.100.18 srcport=33461 srcintf="port10" srcintfrole="undefined" dstip=172.16.95.16 dstport=53 dstintf="port9" dstintfrole="undefined" proto=17 profile="demo" xid=53801 qname="www.fortinet.com" qtype="A" qtypeval=1 qclass="IN" ipaddr="13.56.55.78, 54.183.57.55" msg="Domain was allowed because it is in the domain-filter list" action="pass" domainfilteridx=1 domainfilterlist="demo"
12: date=2019-04-05 time=15:36:51 logid="1500054000" type="utm" subtype="dns" eventtype="dns-query" level="information" vd="vdom1" eventtime=1554503810 policyid=1 sessionid=69118 srcip=10.1.100.18 srcport=33461 srcintf="port10" srcintfrole="undefined" dstip=172.16.95.16 dstport=53 dstintf="port9" dstintfrole="undefined" proto=17 profile="demo" xid=53801 qname="www.fortinet.com" qtype="A" qtypeval=1 qclass="IN"
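Reading the log output above programmatically, as an added Python example (not FortiOS code and not from this page): it parses the key=value records, keeps only dns-response events, and reports for each query whether the local domain filter or the FortiGuard category made the decision. The sample lines are abbreviated from the output above (some fields dropped, values unchanged).

```python
import re

# Added example, not FortiOS code: parses "execute log display" utm-dns output
# into key/value records and reports which filter acted on each query.
# Sample lines are abbreviated from the output above (fields dropped, values kept).
SAMPLE = """\
7: date=2019-04-05 time=15:37:06 logid="1501054803" type="utm" subtype="dns" eventtype="dns-response" level="warning" policyid=1 srcip=10.1.100.18 profile="demo" xid=4612 qname="www.google.com" qtype="A" ipaddr="208.91.112.55" msg="Domain belongs to a denied category in policy" action="redirect" cat=41 catdesc="Search Engines and Portals"
8: date=2019-04-05 time=15:37:06 logid="1500054000" type="utm" subtype="dns" eventtype="dns-query" level="information" policyid=1 srcip=10.1.100.18 profile="demo" xid=4612 qname="www.google.com" qtype="A"
9: date=2019-04-05 time=15:36:59 logid="1501054400" type="utm" subtype="dns" eventtype="dns-response" level="warning" policyid=1 srcip=10.1.100.18 profile="demo" xid=24730 qname="www.example.com" qtype="A" msg="Domain was blocked because it is in the domain-filter list" action="redirect" domainfilteridx=1 domainfilterlist="demo"
11: date=2019-04-05 time=15:36:51 logid="1501054401" type="utm" subtype="dns" eventtype="dns-response" level="information" policyid=1 srcip=10.1.100.18 profile="demo" xid=53801 qname="www.fortinet.com" qtype="A" ipaddr="13.56.55.78, 54.183.57.55" msg="Domain was allowed because it is in the domain-filter list" action="pass" domainfilteridx=1 domainfilterlist="demo"
"""

# key=value pairs; quoted values may contain spaces and commas (msg, ipaddr, catdesc).
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Turn one 'N: key=value ...' display line into a dict (empty for non-record lines)."""
    body = re.sub(r"^\s*\d+:\s*", "", line)  # drop the "7:" display index prefix
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(body)}

def verdicts(text):
    """Map qname -> (action, deciding filter), using only dns-response events."""
    out = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec.get("eventtype") != "dns-response":
            continue  # dns-query events and command echo lines carry no verdict
        if "domainfilterlist" in rec:  # local domain filter decided (allow or block)
            source = f"local domain filter (domainfilterlist={rec['domainfilterlist']}, domainfilteridx={rec['domainfilteridx']})"
        elif "cat" in rec:             # FortiGuard category rating decided
            source = f"FortiGuard category {rec['cat']} ({rec['catdesc']})"
        else:
            source = "no filter match"
        out[rec["qname"]] = (rec.get("action", "pass"), source)
    return out
```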