FortiOS 6.0 Security: DNS Filtering

Following the results section, you will find instructions for changing the FortiDNS server that your FortiGate will use to verify domains, as well as troubleshooting information.

PREP 5 mins      COOK 15 min      TOTAL 20 mins

1. Feature visibility

If DNS Filter is not listed under Security Profiles, go to System > Feature Visibility, and enable DNS Filter under Security Features.

2. Creating a DNS web filter profile

Go to Security Profiles > DNS Filter, and edit the default profile.

Enable FortiGuard category based filter, right-click Bandwidth Consuming, and set it to Block.

3. Enabling DNS filtering in a security policy

All traffic that matches this policy will be redirected to the FortiDNS server.

Go to Policy & Objects > IPv4 Policy, and edit the outgoing policy that allows Internet access.

Under Security Profiles, enable DNS Filter and set it to default.

Proxy Options and SSL Inspection profiles are automatically enabled.

4. Results

Open a browser using a computer on the internal network and navigate to dailymotion.co.uk. The page will be blocked.

Enter the following CLI command to sniff packets with a destination URL that does not belong to the bandwidth consuming category:

diagnose sniffer packet any 'port 53' and 'host 194.153.110.160' 4

The resulting output should indicate that the IP (in this example, paris.fr) was allowed by FortiGuard:

interfaces=[any]
filters=[port 53]
2.851628 172.20.121.56.59046 -> 208.91.112.52.53: udp 43
2.916281 208.91.112.52.53 -> 172.20.121.56.59046: udp 436
3.336945 10.1.2.102.51755 -> 208.91.112.53.53: udp 37
3.338611 208.91.112.53.53 -> 10.1.2.102.51755: udp 37
5. (Optional) Changing the FortiDNS server and port

You can use the default FortiDNS server located in Sunnyvale, USA (IP address 208.91.112.220), or you can switch to the server in London, UK (IP address 80.85.69.54).

Communication between your FortiGate and the FortiDNS server uses Fortinet’s proprietary DNS communication protocol.

config system fortiguard
   set sdns-server-ip 208.91.112.220
end

The North American server should work in most cases, however you can switch to the European server to see if it improves latency.

You can also change the port used to communicate with the FortiDNS server using the following command:

config system fortiguard
   set sdns-server-port <value>
end

6. Troubleshooting

The Security Profiles > DNS Filter menu is missing

Go to System > Feature Visibility and enable DNS Filter.

You configured DNS Filtering, but it is not working

Verify that DNS Filter is enabled in a policy and SSL Inspection has been applied as needed (SSL inspection is required in order to block traffic to sites that use HTTPS).

If both settings are enabled, verify that the policy is being used for the correct traffic and that traffic is flowing by going to the policy list and viewing the Sessions column. 

If the above settings are correct, verify that DNS requests are going through the policy, rather than to an internal DNS server. Also verify that proxy options and SSL/SSH inspection settings have both HTTP and HTTPS enabled and use the correct ports.

Communication with the FortiDNS server fails

Verify that the correct FortiDNS server is configured using the following diagnose command:

diag test application dnsproxy 3

The resulting output should indicate that communication with the correct FortiDNS server was established. For example:

FWF60D4615016384 # diag test application dnsproxy 3
vdom: root, index=0, is master, vdom dns is enabled, mip-169.254.0.1 dns_log=1
dns64 is disabled
dns-server:208.91.112.53:53 tz=0 req=919160 to=545900 res=117880 rt=1800 secure=0 ready=1 
dns-server:208.91.112.52:53 tz=0 req=913029 to=520111 res=134810 rt=6 secure=0 ready=1 
dns-server:208.91.112.220:53 tz=-480 req=0 to=0 res=0 rt=0 secure=1 ready=1
dns-server:80.85.69.54:53 tz=0 req=0 to=0 res=0 rt=0 secure=1 ready=1
vfid=0, interface=wan1, ifindex=6, recursive, dns
DNS_CACHE: hash-size=2048, ttl=1800, min-ttl=60, max-num=5000
DNS FD: udp_s=12 udp_c=14:15 ha_c=18 unix_s=19, unix_nb_s=20, unix_nc_s=21, v6_udp_s=11, v6_udp_c=16:17
DNS FD: tcp_s=24, tcp_s6=23
FQDN: hash_size=1024, current_query=1024
DNS_DB: response_buf_sz=131072
LICENSE: expiry=2016-08-15, expired=0, type=2
FDG_SERVER:208.91.112.220:53
SERVER_LDB: gid=6d61, tz=-480
FGD_REDIR:208.91.112.55

This CLI result shows that the DNS server IP is set to the North American server, and is being accessed through port 53 (208.91.112.220:53).

Next, verify that bandwidth consuming sites are blocked, while other URLs are allowed.

Go to the CLI Console and enter the following:

diagnose sniffer packet any 'port 53' and 'host 195.8.215.138' 4

The resulting output should indicate that the IP (in this example, dailymotion.co.uk) was blocked by the FortiDNS server:

interfaces=[any]
filters=[port 53]
2.026733 172.20.121.56.59046 -> 208.91.112.220.53: udp 117
2.027316 172.20.121.56.59046 -> 80.85.69.54.53: udp 112
2.028480 172.20.121.56.59046 -> 208.91.112.220.53: udp 116
2.029591 172.20.121.56.59046 -> 208.91.112.220.53: udp 117

FortiGuard has the wrong categorization for a website

If you believe a website has been placed in the wrong category by FortiGuard, you can submit the URL for re-classification by going to the FortiGuard website.