tedew
New Member
January 8, 2025
Question

DNS Filter profile and local AD DNS Server question

  • 3 replies
  • 1556 views

Hello,

I have a question about a config left by our previous admin in our company.

We have two VLANs (100 - Users and 200 - Servers).

As the DNS server for users in VLAN 100 we have set the IP of our AD Server in VLAN 200, and the AD Server uses Google DNS to resolve external names.

On the firewall we have two rules to the Internet, one for VLAN 100 and a second for VLAN 200.

Both these rules have SSL Inspection + DNS Filter profile.

The rule for VLAN 100 is in FLOW-MODE, the rule for VLAN 200 is in PROXY-MODE.

Questions:

1. Is it OK that both VLANs have DNS Filter? Especially, is it OK that the AD Server is filtered by DNS Filter when it asks Google DNS servers?

2. Is it OK that the server VLAN 200 has its rule in PROXY mode?

 

Thanks

3 replies

pbretas
Staff
January 8, 2025

Hello @tedew,

Regarding question 1, since the DNS traffic from the users VLAN is sent to the DNS server inside the servers VLAN, and the DNS servers will recursively proceed with the queries to the Internet, you can use the DNS filter only on the traffic from the servers VLAN to the Internet.

About question 2, it's OK to use proxy mode on the DNS, since it will allow you to use a DNS cache and have a faster DNS reply to your DNS servers (in case they're not keeping the answers in cache as well).

Reference - https://docs.fortinet.com/document/fortigate/7.6.1/administration-guide/605868/dns-filter#:~:text=DNS%20filter%20behavior%20in%20proxy%20mode

Pedro

tedew (Author)
New Member
January 8, 2025

Hello,

Thank you for the info.

I asked about this config because I have an issue with DNS filter.

Today I saw that a lot of DNS responses (A records) in VLAN200 went to the ‘Fortinet Secure DNS service Portal’ (208.91.112.55) - for some MS, Google etc. pages - so I removed DNS Filter from the rule for VLAN200 and services started working properly on the users VLAN/clients.
When a lot of answers were resolved to 208.91.112.55 I also had a lot of SSL Inspection errors.

Any idea why this behavior occurred?

Thanks

vbandha
Staff
January 8, 2025

Hello @tedew

The redirection occurs if the DNS filter is blocking the URL.

Please check the DNS filter to see if something configured there is blocking the sites.

Also try changing the policy to flow mode to see if there is any change.

Regards,

Varun

tedew (Author)
New Member
January 9, 2025

Hello,

I have checked the logs.

For example, for this request:

autodiscover-s.outlook.com

The response was that the page belongs to category Unrated and the returned IP was 208.91.112.55.

But normally this page is in a category which is allowed:
Category: Web-based Email

Issue on the Fortinet side or on the DNS provider?
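A quick way to do the log check described in this post, as an added example (not code from the thread or from Fortinet): parse DNS-filter log lines in key=value form and list the names whose A answer was rewritten to 208.91.112.55, together with the category the filter reported, so rating failures (category Unrated) can be told apart from deliberate blocks. The field names (qname, ipaddr, action, catdesc) and the sample lines are constructed assumptions; adapt them to the actual log export.

```python
import re
from collections import defaultdict

# Constructed sample lines in FortiGate-style key=value form. Field names are
# an assumption, not copied from a real log; 208.91.112.55 is the portal IP
# the thread reports as the rewritten answer.
SAMPLE_LOG = """\
type="utm" subtype="dns" eventtype="dns-response" qname="autodiscover-s.outlook.com" qtype="A" ipaddr="208.91.112.55" action="redirect" catdesc="Unrated"
type="utm" subtype="dns" eventtype="dns-response" qname="login.microsoftonline.com" qtype="A" ipaddr="208.91.112.55" action="redirect" catdesc="Unrated"
type="utm" subtype="dns" eventtype="dns-response" qname="www.google.com" qtype="A" ipaddr="142.250.74.36" action="pass" catdesc="Search Engines and Portals"
type="utm" subtype="dns" eventtype="dns-response" qname="autodiscover-s.outlook.com" qtype="A" ipaddr="208.91.112.55" action="redirect" catdesc="Unrated"
"""

BLOCK_PORTAL_IP = "208.91.112.55"
# key="quoted value" or key=bare_value
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict (quotes stripped)."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def find_redirected(log_text, portal_ip=BLOCK_PORTAL_IP):
    """Return {qname: (count, category)} for DNS answers rewritten to the portal IP."""
    hits = defaultdict(lambda: [0, None])
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("subtype") != "dns" or f.get("ipaddr") != portal_ip:
            continue
        entry = hits[f.get("qname", "?")]
        entry[0] += 1
        entry[1] = f.get("catdesc")
    return {q: (count, cat) for q, (count, cat) in hits.items()}


def unrated_domains(log_text):
    """Redirected names whose category came back Unrated: the pattern this thread describes."""
    return sorted(q for q, (_, cat) in find_redirected(log_text).items() if cat == "Unrated")


if __name__ == "__main__":
    for q, (n, cat) in sorted(find_redirected(SAMPLE_LOG).items()):
        print(f"{q:40} {n:3}x -> {BLOCK_PORTAL_IP} ({cat})")
```

Run it against an exported DNS-filter log instead of SAMPLE_LOG; a business domain showing up under Unrated is worth raising with the rating service rather than fixing with a blanket exemption.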

vbandha
Staff
January 11, 2025

Hello @tedew

It seems to be the FortiGate blocking it.

Try to create a separate policy with destination as Outlook and Microsoft ISDB and place it above the main policy.

Disable web filter on this policy.

Or else you can try adding the Microsoft wildcard URL to the exempt list in the web filter.

https://community.fortinet.com/t5/Support-Forum/Office-365-Autodiscover-Certificate-warning/m-p/36513

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-resolve-certificate-error-pop-up-seen-in/ta-p/264960

Regards,

Varun