Technical Tip: How to block websites under a specific country-code TLD (ccTLD)
| Description | This article explains how to block access to websites whose domain names fall under a specific country-code top-level domain (ccTLD). |
| Scope | FortiGate. |
| Solution | Below are the steps to block web access to a specific ccTLD on FortiGate. Blocking is done with a DNS Filter security profile: a static domain filter holding a wildcard entry for the TLD, applied to the firewall policy that carries the clients' DNS queries. Because the block happens at name resolution, it covers every protocol the client reaches those sites with, not only HTTP/HTTPS.
DNS Filter:
From CLI:
Create the domain filter list with one wildcard entry. In place of <country code>, enter the two-letter ccTLD of the country to block; the wildcard matches any name that ends in that TLD.
    config dnsfilter domain-filter
        edit 1
            set name "BlockTLD"
            config entries
                edit 1
                    set domain *.<country code>
                    set type wildcard
                next
            end
        next
    end
Then create a DNS Filter profile that references the list (table ID 1 from above):
    config dnsfilter profile
        edit "BlockccTLD"
            config domain-filter
                set domain-filter-table 1
            end
        next
    end
From GUI: Navigate to Security Profiles -> DNS Filter, edit an existing profile or create a new one, then under Static Domain Filter set Domain Filter to Enable.
Once enabled, select 'Create New' in the Domain Filter list and add an entry with the same values as the CLI configuration above: Domain *.<country code>, Type Wildcard, Action Block.
Make sure all DNS queries from the clients to their DNS server pass through the FortiGate, and that the DNS Filter profile is applied to the firewall policy that carries them. DNS Filter only inspects DNS traffic that it can see as DNS; a client that resolves names through another path, for example an encrypted resolver such as DNS over HTTPS or DNS over TLS to an external provider, bypasses this filter unless that traffic is also blocked. If clients use the FortiGate itself as their DNS server, attach the profile to that DNS server configuration (config system dns-server) instead of, or in addition to, the policy.
From CLI:
The policy below assumes the interface names LAN and WAN and an existing address object DNS_SERVERS that contains the resolvers the clients use; adjust them to the environment.
    config firewall policy
        edit 1
            set name "DNSpolicy"
            set srcintf "LAN"
            set dstintf "WAN"
            set action accept
            set srcaddr "all"
            set dstaddr "DNS_SERVERS"
            set schedule "always"
            set service "DNS"
            set utm-status enable
            set dnsfilter-profile "BlockccTLD"
            set ssl-ssh-profile "certificate-inspection"
            set nat enable
        next
    end
From GUI: Navigate to Policy & Objects -> Firewall Policy, then create or edit the policy that carries the clients' DNS traffic, enable the DNS Filter security profile, and select "BlockccTLD".
With this configuration in place, every DNS query for a name under the configured ccTLD that passes through this policy is blocked, so clients cannot resolve, and therefore cannot reach, websites under that TLD. To verify, resolve a known name under the TLD from a client behind the FortiGate and check the DNS Filter logs for the blocked query. |
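When more than one ccTLD has to be blocked, typing the entries by hand is error-prone. The following Python script is an added example, not part of the Fortinet article: it generates the same `config dnsfilter domain-filter` and `config dnsfilter profile` blocks shown above with one wildcard entry per ccTLD, rejects anything that is not a two-letter code, and previews which hostnames the generated wildcards would cover. The `matches()` function is a local approximation of FortiOS wildcard matching (the `*` spans any characters and the whole name must match); it is only a sanity check for the rule set and does not replace testing on the FortiGate. The ccTLDs `xx`/`yy` and the hostnames in the sample are constructed placeholders.

```python
import re
from fnmatch import fnmatchcase

# Every country-code TLD is exactly two ASCII letters.
CCTLD_RE = re.compile(r"^[a-z]{2}$")


def wildcard_pattern(cctld: str) -> str:
    """Turn a ccTLD such as 'xx' (or '.XX') into the FortiOS wildcard '*.xx'."""
    tld = cctld.strip().lower().lstrip(".")
    if not CCTLD_RE.fullmatch(tld):
        raise ValueError(f"not a two-letter ccTLD: {cctld!r}")
    return f"*.{tld}"


def render_domain_filter(cctlds, table_id: int = 1, name: str = "BlockTLD") -> str:
    """FortiOS 'config dnsfilter domain-filter' block, one wildcard entry per ccTLD."""
    lines = [
        "config dnsfilter domain-filter",
        f"    edit {table_id}",
        f'        set name "{name}"',
        "        config entries",
    ]
    for entry_id, cctld in enumerate(cctlds, start=1):
        lines += [
            f"            edit {entry_id}",
            f"                set domain {wildcard_pattern(cctld)}",
            "                set type wildcard",
            "                set action block",
            "            next",
        ]
    lines += ["        end", "    next", "end"]
    return "\n".join(lines)


def render_profile(profile_name: str = "BlockccTLD", table_id: int = 1) -> str:
    """FortiOS 'config dnsfilter profile' block referencing the domain-filter table."""
    return "\n".join([
        "config dnsfilter profile",
        f'    edit "{profile_name}"',
        "        config domain-filter",
        f"            set domain-filter-table {table_id}",
        "        end",
        "    next",
        "end",
    ])


def render_config(cctlds, table_id: int = 1, filter_name: str = "BlockTLD",
                  profile_name: str = "BlockccTLD") -> str:
    """Both blocks together, ready to paste into the FortiGate CLI."""
    return (render_domain_filter(cctlds, table_id, filter_name) + "\n"
            + render_profile(profile_name, table_id))


def matches(pattern: str, hostname: str) -> bool:
    """Approximation of FortiOS wildcard matching (assumption, verify on the unit):
    '*' spans any characters, the whole name must match, case and a trailing
    FQDN dot are ignored. So '*.xx' covers 'a.xx' and 'b.a.xx' but not 'a.xx.com'."""
    host = hostname.strip().lower().rstrip(".")
    return fnmatchcase(host, pattern.lower())


def preview(cctlds, hostnames) -> dict:
    """Map each hostname to True if any generated wildcard would block it."""
    patterns = [wildcard_pattern(c) for c in cctlds]
    return {h: any(matches(p, h) for p in patterns) for h in hostnames}


# Constructed sample input (not from the article): placeholder ccTLDs and names.
SAMPLE_CCTLDS = ["xx", "YY"]
SAMPLE_HOSTNAMES = [
    "example.xx",
    "www.example.xx.",     # FQDN with trailing dot, still covered
    "shop.example.yy",
    "example.xx.com",      # ccTLD only as an inner label: *.xx does not cover it
    "example.com",
]

if __name__ == "__main__":
    print(render_config(SAMPLE_CCTLDS))
    for host, blocked in preview(SAMPLE_CCTLDS, SAMPLE_HOSTNAMES).items():
        print(f"{'BLOCK' if blocked else 'allow':5} {host}")
```

The preview shows a limit worth knowing before deploying: a wildcard for a TLD blocks names that end in that TLD, so a site that merely uses the country code as an inner label is not affected and, conversely, nothing outside the TLD is caught by accident.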


