cpaz
Staff
June 9, 2025

Technical Tip: Avoid DNS resolution for sites blocked in FortiProxy

Description: This article describes how to create block lists in FortiProxy without triggering DNS resolution of the forbidden sites.

Scope: FortiProxy.

Solution:

A common practice when implementing web filtering on FortiProxy is to build the block list with the same address type (FQDN objects) used in FortiGate firewall rules.

This has the sometimes unintended effect that FortiProxy periodically resolves every FQDN in the block list.

If FortiProxy is used in a secure environment where DNS resolution is also controlled or monitored by the security team, that team can receive alerts about resolutions of forbidden sites originating from the FortiProxy (FPX) itself.

These lookups can trigger false positives about forbidden activity, or be misinterpreted as FPX users trying to browse to blocked sites.

The behavior of the FQDN address type is to resolve its value in order to obtain the corresponding IP addresses.

For example:

This entry is not resolved because it contains a wildcard ('*'):

edit ".bad-site.example"
    set type fqdn
    set fqdn "*.bad-site.example"
next

As stated in Technical Tip: Using a wildcard FQDN: once a wildcard FQDN has been configured, it shows as an unresolved FQDN in the 'Addresses' section under the 'Policy & Objects' menu. Unlike a standard FQDN, a wildcard FQDN is only updated when a DNS query is made by the FortiProxy itself or on behalf of a host using the FortiProxy, so it does not generate periodic lookups on its own.

This entry, which contains no wildcard, is resolved periodically:

edit "badsite.example"
    set type fqdn
    set fqdn "badsite.example"
next

To avoid DNS resolution entirely, use the 'Host Regex' address type instead of FQDN. A host-regex object is matched against the requested host name, so FortiProxy never needs to resolve it:

edit "badsite.example"
    set type host-regex
    set host-regex "badsite.example"
next
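The following is an added example, not part of the original article and not Fortinet code. It audits a block list in the shape described above (plain FQDN, wildcard FQDN, host-regex objects), reports which entries would cause FortiProxy to resolve names on its own schedule, and renders an equivalent host-regex entry for each. It assumes what the article states (a plain fqdn object is resolved periodically; a wildcard fqdn and a host-regex object are not) and additionally assumes that 'host-regex' is a standard regular expression evaluated against the request's host name; the anchoring with '^' and '$' is the author's own choice, and FortiProxy CLI quoting rules for special characters are not handled. It also escapes the dots, because a literal 'badsite.example' used as a regex would also match 'badsiteXexample'.

```python
"""Audit a FortiProxy-style block list for entries that trigger DNS resolution
and render host-regex replacements.

Hypothetical helper, not Fortinet code. Assumptions: a plain 'fqdn' object
without '*' is resolved periodically (as the article states), a wildcard fqdn
and a host-regex object are not, and 'host-regex' is a standard regular
expression matched against the request host name (anchoring is an assumption).
"""
import re
from dataclasses import dataclass


@dataclass
class AddressObject:
    name: str
    type: str   # "fqdn" or "host-regex"
    value: str  # the fqdn or the host-regex string


def triggers_periodic_dns(obj: AddressObject) -> bool:
    """True when FortiProxy would resolve this object on its own schedule."""
    return obj.type == "fqdn" and "*" not in obj.value


def fqdn_to_host_regex(fqdn: str) -> str:
    """Build an anchored host regex equivalent to an FQDN block-list entry.

    Dots are escaped so 'badsite.example' does not also match 'badsiteXexample',
    and '*.domain' becomes an optional leading-label group so that both the
    apex name and its subdomains match.
    """
    if fqdn.startswith("*."):
        return r"^(.*\.)?" + re.escape(fqdn[2:]) + "$"
    return "^" + re.escape(fqdn) + "$"


def host_matches(regex: str, host: str) -> bool:
    """Simulate matching a request host name against a host regex."""
    return re.fullmatch(regex, host.lower()) is not None


def render_host_regex_cli(name: str, regex: str) -> str:
    """Emit a CLI snippet in the same shape as the article's host-regex example."""
    return "\n".join([
        f'edit "{name}"',
        "    set type host-regex",
        f'    set host-regex "{regex}"',
        "next",
    ])


def plan_migration(objects):
    """Return (name, regex) pairs for every entry that would cause DNS lookups."""
    return [(o.name, fqdn_to_host_regex(o.value))
            for o in objects if triggers_periodic_dns(o)]


# Constructed sample block list: the article's two entries plus one host-regex
# object that already needs no change.
SAMPLE_BLOCK_LIST = [
    AddressObject(".bad-site.example", "fqdn", "*.bad-site.example"),
    AddressObject("badsite.example", "fqdn", "badsite.example"),
    AddressObject("regex-site.example", "host-regex", r"^regex\.site\.example$"),
]

if __name__ == "__main__":
    for name, regex in plan_migration(SAMPLE_BLOCK_LIST):
        print(f"# {name}: fqdn object resolves periodically; host-regex form:")
        print(render_host_regex_cli(name, regex))
```

Running the script on the sample list reports only "badsite.example", since the wildcard entry and the existing host-regex entry do not cause periodic lookups. The host_matches helper is there to check a candidate regex before it goes into the configuration; it is the quickest way to see why an unescaped dot over-matches.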