Botnet C&C domain blocking
FortiGuard Service continually updates the Botnet C&C domain list (Domain DB). The botnet C&C domain blocking feature blocks access to botnet websites at the DNS name resolution stage, which provides additional protection for your network.
To configure botnet C&C domain blocking in the GUI:
- Go to Security Profiles > DNS Filter and edit or create a DNS Filter.
- Enable Redirect botnet C&C requests to Block Portal.
- Click the botnet package link to see the latest botnet C&C domain list.
Sample
To see an example of how this works, select a botnet domain from that list. Then, from a PC on your internal network, use a command line tool such as dig or nslookup to send a DNS query through the FortiGate and observe the query being blocked as a botnet domain. For example:
#dig canind.co
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 997
;; Flags: qr rd; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 0

;; QUESTION SECTION:
;; canind.co. IN A

;; ANSWER SECTION:
canind.co. 60 IN A 208.91.112.55 <<<==== botnet domain query blocked, redirect with portal-IP

;; Received 43 B
;; Time 2019-04-05 09:55:21 PDT
;; From 172.16.95.16@53(UDP) in 0.3 ms
To check the DNS filter log in the GUI:
- Go to Log & Report > DNS Query to view the DNS query blocked as a botnet domain.
To check the DNS filter log in the CLI:
FGT600D (vdom1) # exe log filter category utm-dns
FGT600D (vdom1) # exe log display
2 logs found.
2 logs returned.
1: date=2019-04-04 time=16:43:59 logid="1501054601" type="utm" subtype="dns" eventtype="dnsresponse" level="warning" vd="vdom1" eventtime=1554421439 policyid=1 sessionid=14135 srcipp=10.1.100.18 srcport=57447 srcintf="port10" srcintfrole="undefined" dstip=172.16.95.16 dstport=53 dstintf="port9" dstintfrole="undefined" proto=17 profile="demo" xid=24339 qname="canind.co" qtype="A" qtypeval=1 qclass="IN" msg="Domain was blocked by dns botnet C&C" action="redirect" botnetdomain="canind.co"
2: date=2019-04-04 time=16:43:59 logid="1500054000" type="utm" subtype="dns" eventtype="dnsquery" level="information" vd="vdom1" eventtime=1554421439 policyid=1 sessionid=14135 srcipp=10.1.100.18 srcport=57447 srcintf="port10" srcintfrole="undefined" dstip=172.16.95.16 dstport=53 dstintf="port9" dstintfrole="undefined" proto=17 profile="demo" xid=24339 qname="canind.co" qtype="A" qtypeval=1 qclass="IN"
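The two log lines above are a dnsquery event and the dnsresponse event that carries the botnet verdict, linked by sessionid and the DNS transaction id (xid). As an added example that is not Fortinet's code, the following Python parses FortiGate key=value log lines and reports each blocked botnet C&C lookup together with the client that issued it; the sample lines are constructed from this page, and the "srcip"/"srcipp" handling is an assumption about the field name, since the page's sample spells it srcipp.

```python
import re
from typing import Dict, List

# Constructed sample: the two utm-dns log lines shown on this page (quotes straightened).
# Line 1 is the dnsresponse carrying the botnet verdict; line 2 is the original query.
SAMPLE_LOGS = [
    'date=2019-04-04 time=16:43:59 logid="1501054601" type="utm" subtype="dns" '
    'eventtype="dnsresponse" level="warning" vd="vdom1" eventtime=1554421439 policyid=1 '
    'sessionid=14135 srcipp=10.1.100.18 srcport=57447 srcintf="port10" dstip=172.16.95.16 '
    'dstport=53 proto=17 profile="demo" xid=24339 qname="canind.co" qtype="A" qtypeval=1 '
    'qclass="IN" msg="Domain was blocked by dns botnet C&C" action="redirect" '
    'botnetdomain="canind.co"',
    'date=2019-04-04 time=16:43:59 logid="1500054000" type="utm" subtype="dns" '
    'eventtype="dnsquery" level="information" vd="vdom1" eventtime=1554421439 policyid=1 '
    'sessionid=14135 srcipp=10.1.100.18 srcport=57447 srcintf="port10" dstip=172.16.95.16 '
    'dstport=53 proto=17 profile="demo" xid=24339 qname="canind.co" qtype="A" qtypeval=1 '
    'qclass="IN"',
]

# FortiGate logs are space-separated key=value pairs; values with spaces are double-quoted.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Parse one key=value log line into a dict, stripping the quotes around values."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def botnet_blocks(lines: List[str]) -> List[Dict[str, str]]:
    """One record per blocked botnet C&C lookup, joined to the query that triggered it.
    The dnsresponse event carries botnetdomain/action; the matching dnsquery event shares
    the same sessionid and DNS transaction id (xid), which is the join key used here."""
    parsed = [parse_fortigate_log(line) for line in lines]
    queries = {(p.get("sessionid"), p.get("xid")): p
               for p in parsed if p.get("eventtype") == "dnsquery"}
    hits = []
    for p in parsed:
        if p.get("subtype") != "dns" or not p.get("botnetdomain"):
            continue
        q = queries.get((p.get("sessionid"), p.get("xid")), p)
        hits.append({
            "time": f"{p.get('date')} {p.get('time')}",
            # this page's sample spells the client field "srcipp"; assumed FortiOS also logs "srcip"
            "src": q.get("srcip") or q.get("srcipp"),
            "domain": p["botnetdomain"],
            "action": p.get("action"),
            "profile": p.get("profile"),
        })
    return hits
```

Feeding the output of `exe log display` (or a syslog export of the utm-dns category) through `botnet_blocks` yields the blocked domain, the acting DNS Filter profile and the internal host to investigate.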