Technical Tip: DNS filter blocks or redirects DNS requests but web pages continue to load.
| Description | This article describes scenarios where, after the DNS filter is configured to block DNS requests, web pages continue to load correctly even though the blocks are verified as successful. |
| Scope | FortiGate. |
| Solution | In certain scenarios, DNS filtering can be used to block DNS queries based on FortiGuard categories or static domain definitions. See: How to configure and apply a DNS filter profile.
However, even when the logs confirm that the blocking is successful, the web pages associated with the blocked domains may continue to load correctly. This may be due to the DoH (DNS over HTTPS) protocol, which encapsulates DNS traffic in HTTPS.
For example, consider a policy that regulates LAN-to-WAN traffic with a DNS filter that redirects the category 'Information Technology' to the blocking portal.
The redirection to the default blocking portal (208.91.112.55) can be verified as successful, and the blocking logs can be observed.
However, pages like www.fortinet.com load correctly.
To avoid this behavior caused by DNS over HTTPS, DoH can be disabled in the web browser. For example, to disable DNS over HTTPS in Google Chrome, go to Settings -> Privacy and Security -> Advanced Section, find the 'Use Secure DNS' option, toggle it off, and restart the browser. With Secure DNS turned off, the result changes.
|





