FortiGuard category-based DNS domain filtering
You can use the FortiGuard category-based DNS Domain Filter to inspect DNS traffic. This makes use of FortiGuard’s continually updated domain rating database for more reliable protection.
To configure FortiGuard category-based DNS Domain Filter by GUI:
- Go to Security Profiles > DNS Filter and edit or create a DNS Filter.
- Enable FortiGuard Category Based Filter.
- Select the category and then select Allow, Monitor, or Block for that category.
- If you select Block, there are two options:
- Redirect Portal IP. If the queried domain is blocked, FortiGate replaces the resolved IP in the DNS response packet with the portal IP. You can use the default portal IP 208.91.112.55 or click Specify to enter another portal IP.
- Block. A blocked DNS query receives no response, so the DNS client times out.
To configure FortiGuard category-based DNS Domain Filter by CLI:
config dnsfilter profile
    edit "demo"
        set comment ''
        config domain-filter
            unset domain-filter-table
        end
        config ftgd-dns
            set options error-allow
            config filters    <<<==== FortiGuard Category Based Filter
                edit 2
                    set category 2
                    set action monitor
                next
                edit 7
                    set category 7
                    set action monitor
                next
                …
                edit 22
                    set category 0
                    set action monitor
                next
            end
        end
        set log-all-domain enable
        set sdns-ftgd-err-log enable
        set sdns-domain-log enable
        set block-action redirect/block    <<<==== You can specify Block or Redirect
        set block-botnet enable
        set safe-search enable
        set redirect-portal 93.184.216.34    <<<==== Specify Redirect portal-IP.
        set redirect-portal6 ::
        set youtube-restrict strict
    next
end
Sample
To see an example of how this works, use a command line tool such as dig or nslookup from a PC on your internal network to query some domains, for example:
# dig www.example.com
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 61252
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 13; ADDITIONAL: 11

;; QUESTION SECTION:
;; www.example.com.                IN      A

;; ANSWER SECTION:
www.example.com.        17164   IN      A       93.184.216.34

;; AUTHORITY SECTION:
com.                    20027   IN      NS      h.gtld-servers.net.
com.                    20027   IN      NS      i.gtld-servers.net.
com.                    20027   IN      NS      f.gtld-servers.net.
com.                    20027   IN      NS      d.gtld-servers.net.
com.                    20027   IN      NS      j.gtld-servers.net.
com.                    20027   IN      NS      l.gtld-servers.net.
com.                    20027   IN      NS      e.gtld-servers.net.
com.                    20027   IN      NS      a.gtld-servers.net.
com.                    20027   IN      NS      k.gtld-servers.net.
com.                    20027   IN      NS      g.gtld-servers.net.
com.                    20027   IN      NS      m.gtld-servers.net.
com.                    20027   IN      NS      c.gtld-servers.net.
com.                    20027   IN      NS      b.gtld-servers.net.

;; ADDITIONAL SECTION:
a.gtld-servers.net.     21999   IN      A       192.5.6.30
a.gtld-servers.net.     21999   IN      AAAA    2001:503:a83e::2:30
b.gtld-servers.net.     21997   IN      A       192.33.14.30
b.gtld-servers.net.     21997   IN      AAAA    2001:503:231d::2:30
c.gtld-servers.net.     21987   IN      A       192.26.92.30
c.gtld-servers.net.     20929   IN      AAAA    2001:503:83eb::30
d.gtld-servers.net.     3340    IN      A       192.31.80.30
d.gtld-servers.net.     3340    IN      AAAA    2001:500:856e::30
e.gtld-servers.net.     19334   IN      A       192.12.94.30
e.gtld-servers.net.     19334   IN      AAAA    2001:502:1ca1::30
f.gtld-servers.net.     3340    IN      A       192.35.51.30

;; Received 509 B
;; Time 2019-04-05 09:39:33 PDT
;; From 172.16.95.16@53(UDP) in 3.8 ms
To check the DNS filter log in the GUI:
- Go to Log & Report > DNS Query to view the DNS traffic that just traversed the FortiGate and the FortiGuard rating for each domain name.
To check the DNS log in the CLI:
# execute log filter category utm-dns
# execute log display
2 logs found.
2 logs returned.
1: date=2019-04-05 time=09:39:34 logid="1501054802" type="utm" subtype="dns" eventtype="dnsresponse" level="notice" vd="vdom1" eventtime=1554482373 policyid=1 sessionid=50868 srcip=10.1.100.18 srcport=34308 srcintf="port10" srcintfrole="undefined" dstip=172.16.95.16 dstport=53 dstintf="port9" dstintfrole="undefined" proto=17 profile="demo" xid=17647 qname="www.example.com" qtype="A" qtypeval=1 qclass="IN" ipaddr="93.184.216.34" msg="Domain is monitored" action="pass" cat=52 catdesc="Information Technology"
2: date=2019-04-05 time=09:39:34 logid="1500054000" type="utm" subtype="dns" eventtype="dnsquery" level="information" vd="vdom1" eventtime=1554482373 policyid=1 sessionid=50868 srcip=10.1.100.18 srcport=34308 srcintf="port10" srcintfrole="undefined" dstip=172.16.95.16 dstport=53 dstintf="port9" dstintfrole="undefined" proto=17 profile="demo" xid=17647 qname="www.example.com" qtype="A" qtypeval=1 qclass="IN"
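As an added example (not Fortinet's own code or documentation), the following Python script parses utm-dns records in the key=value format shown above and reports, per dnsresponse record, the FortiGuard verdict and whether the client was handed the redirect portal IP, which is how a block with block-action redirect shows up on the wire. The first two sample records are abridged copies of the page's log lines; the third is a constructed record assumed to show a category block with redirect, and the portal address assumed is the default 208.91.112.55.

```python
import re
from collections import Counter

# FortiGate log fields are key=value; quoted values may contain spaces.
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fortigate_log(line: str) -> dict:
    """Parse one FortiGate log record into a dict of field -> value."""
    # Drop the "1: " record prefix printed by 'execute log display'.
    line = re.sub(r'^\s*\d+:\s*', '', line)
    return {k: v.strip('"') for k, v in _FIELD.findall(line)}


def dns_verdicts(lines, redirect_portal="208.91.112.55"):
    """One verdict per utm-dns dnsresponse record (dnsquery records carry none).

    'sinkholed' is True when the answer the client received is the
    configured redirect portal IP, i.e. the domain was blocked with redirect."""
    verdicts = []
    for line in lines:
        rec = parse_fortigate_log(line)
        if rec.get("subtype") != "dns" or rec.get("eventtype") != "dnsresponse":
            continue
        verdicts.append({
            "qname": rec.get("qname"),
            "action": rec.get("action"),
            "cat": int(rec["cat"]) if "cat" in rec else None,
            "catdesc": rec.get("catdesc"),
            "ipaddr": rec.get("ipaddr"),
            "sinkholed": rec.get("ipaddr") == redirect_portal,
        })
    return verdicts


def action_counts(verdicts) -> Counter:
    """Count verdicts per FortiGate action value (pass / block / redirect)."""
    return Counter(v["action"] for v in verdicts)


# Records 1 and 2: abridged copies of the page's log lines. Record 3: constructed.
SAMPLE_LOGS = [
    '1: date=2019-04-05 time=09:39:34 logid="1501054802" type="utm" subtype="dns" eventtype="dnsresponse" level="notice" vd="vdom1" policyid=1 sessionid=50868 srcip=10.1.100.18 srcport=34308 dstip=172.16.95.16 dstport=53 proto=17 profile="demo" xid=17647 qname="www.example.com" qtype="A" qtypeval=1 qclass="IN" ipaddr="93.184.216.34" msg="Domain is monitored" action="pass" cat=52 catdesc="Information Technology"',
    '2: date=2019-04-05 time=09:39:34 logid="1500054000" type="utm" subtype="dns" eventtype="dnsquery" level="information" vd="vdom1" policyid=1 sessionid=50868 srcip=10.1.100.18 srcport=34308 dstip=172.16.95.16 dstport=53 proto=17 profile="demo" xid=17647 qname="www.example.com" qtype="A" qtypeval=1 qclass="IN"',
    '3: date=2019-04-05 time=09:40:01 logid="1501054802" type="utm" subtype="dns" eventtype="dnsresponse" level="warning" vd="vdom1" policyid=1 sessionid=50870 srcip=10.1.100.18 srcport=34310 dstip=172.16.95.16 dstport=53 proto=17 profile="demo" xid=17648 qname="blocked.example.test" qtype="A" qtypeval=1 qclass="IN" ipaddr="208.91.112.55" msg="Domain belongs to a denied category in policy" action="redirect" cat=26 catdesc="Malicious Websites"',
]

if __name__ == "__main__":
    for verdict in dns_verdicts(SAMPLE_LOGS):
        print(verdict)
    print(action_counts(dns_verdicts(SAMPLE_LOGS)))
```

Note that the page's own configuration sets redirect-portal to 93.184.216.34, the real address of www.example.com at the time, so with that portal the ipaddr check alone cannot distinguish a redirected block from a genuine answer; pass the portal IP you actually configured.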