Skip to main content
cskeller07
cskeller07
New Member
February 3, 2017
Solved

Web filter Vs. DNS filter

  • February 3, 2017
  • 3 replies
  • 92408 views

What is the difference?  Any pro's con's to one or the other?

 

Why would you need DNS filtering if you're already doing web filtering?

 

If you do not use the FortiGate as a DNS server does DNS filter do anything?

    Best answer by tititech

    Here a practical example :

    In my company, I can't use the dns filtering because of its requirement to use the fortiguard dns servers. We can't use external dns server.

    with dns filtering you can't block access based on url. You blocked based on dns name resolution (ip address).

    Let say for example, you want to block  seattle.org/ordering but allow seattle.org/pictures. Because both url resolve to the same ip address will not obtain the desired result with dns filtering. It will block access to seattle.org as a whole.

     

    web filtering filters based on url and because you will be able to block seattle.org/ordering but allow seattle.org/pictures.

     

    Ask yourself this question, what will happen if fortigate can't connect to FORTIGUARD DNS servers in the middle of the night?

    What will happen to your policy rules? Does it go to allow or deny everything?

     

     

     

    3 replies

    MikePruett
    MikePruett
    New Member
    February 16, 2017

    Web Filter blocks access to websites based on the URL (fqdn) etc.

     

    DNS Filter blocks access to resolving known bad sites so you can't even get to them if they are a part of a malicious network.

      tanr
      tanr
      New Member
      February 16, 2017

      Web filter gives you more granular control over subsets of different categories, and allows different types of overrides (if using proxy mode).

       

      If you are running web filtering in proxy mode you can override entire categories, or you can override a specific category for specific sites.  For example, you may want to block the "Proxy Avoidance" category, but need to allow access to the webpages that give instructions on using your companies VPN (which might count as proxy avoidance).

       

      Though both filters have proxy and flow mode versions, the flow mode versions are a bit different and have fewer controls.  Depends on your version of FortiOS you're on as well.

       

      DNS Filter:

      http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-security-profiles-54/DNS%20Filter/dns_intro.htm 

      Web Filter:

      http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-security-profiles-54/Web_Filter/web_filter_chapter.htm

       

      tititech
      tititechAnswer
      New Member
      March 23, 2018

      Here a practical example :

      In my company, I can't use the dns filtering because of its requirement to use the fortiguard dns servers. We can't use external dns server.

      with dns filtering you can't block access based on url. You blocked based on dns name resolution (ip address).

      Let say for example, you want to block  seattle.org/ordering but allow seattle.org/pictures. Because both url resolve to the same ip address will not obtain the desired result with dns filtering. It will block access to seattle.org as a whole.

       

      web filtering filters based on url and because you will be able to block seattle.org/ordering but allow seattle.org/pictures.

       

      Ask yourself this question, what will happen if fortigate can't connect to FORTIGUARD DNS servers in the middle of the night?

      What will happen to your policy rules? Does it go to allow or deny everything?

       

       

       

        athman8
        athman8
        New Member
        May 4, 2018

        I've been tasked with implementing a solution for web filtering and web usage reporting and so I thought I'd look at something like OpenDNS Umbrella to throw in that DNS layer protection as well. I've done the demo, I've read the spec sheets, and I'm fairly satisfied with the results, especially given as our company is only 300 users dense. Price is ok.......My question is: Is there a better (and easy to implement/manage) solution for web filtering/usage reporting out there (besides Websense -- been there done that) that may or may not also cover DNS layer protection?

          andreotta
          andreotta
          New Member
          June 14, 2018

          Talking about the DNSFilter, are there separate logs to show it working? Or are logged with the webfilter logs ?

          Vanessa226
          Vanessa226
          New Member
          June 28, 2018

          DNS Filter Concepts:

          [ul]
        • With the release of FortiOS 5.4.0, users configure the Domain Name System (DNS) Filter security profile independent of the Web Filter security profile.[/ul]

          Web Filter Concepts:

          [ul]
        • Web filtering is a means of controlling the content that an Internet user is able to view. With the popularity of web applications, the need to monitor and control web access is becoming a key component of secure content management systems that employ antivirus, web filtering, and messaging security.[/ul]
          • Syed_Uzair_Ahmed
          Syed_Uzair_Ahmed
          New Member
          January 13, 2020

          I have been using FGT2000 in my environment in explicit proxy mode. And I am unable to block malicious dns request. Is there any possibility that I can able to block and restrict malicious dns traffic on my firewall.

          Terms & ConditionsAccessibility statement