Help
Cybersecurity Forum

This forum is for all security enthusiasts to discuss Fortinet's latest & evolving technologies and to connect & network with peers in the cybersecurity hemisphere. Share and learn on a broad range of topics like best practices, use cases, integrations and more. For support specific questions/resources, please visit the Support Forum or the Knowledge Base.

DeepKuma2
Contributor

Created on ‎02-27-2018 04:00 AM

How to block bypass DNS settings

Dear All, 

I have a question that I configured an Internet policy in the FortiGate firewall with allowing all services. I want to block DNS bypass. Is it possible to block only DNS service? I happy to make different policy for my DNS server but don't want to make another policy for my client systems. 

 

Regards,

Deepak Kumar

Deepak Kumar First Option General Trading LLC Dubai
Deepak Kumar First Option General Trading LLC Dubai
Labels:
1387
0 Kudos
5 REPLIES 5
MichaelBazy
New Contributor III

Created on ‎02-28-2018 11:18 AM

I'd create a rule just above the previous one to block dns traffic . Did you try that?

1383
0 Kudos
DeepKuma2
Contributor

Created on ‎03-04-2018 09:54 PM

Thanks, I can do it but is it possible the In the single Policy I will allow all services except the DNS?

 

Regards,

Deepak Kumar

Deepak Kumar First Option General Trading LLC Dubai
Deepak Kumar First Option General Trading LLC Dubai
1383
0 Kudos
MichaelBazy
New Contributor III
In response to DeepKuma2

Created on ‎03-04-2018 10:05 PM

I don't think you can negate a service in a policy. Technically you "could" try to specify all services but UDP/53, but the policy would look massive in the number of objects. Also don't forget any services!

I don't get what's wrong with another policy, denying UDP/53?

I can think of another option though : app control profile to block DNS traffic in your "one" policy (and allowing the rest of the applications).

Regards,

Michael

________________________________
From: Deepak Kumar, Network Admin via Firewall:
Sent: Monday, March 5, 2018 8:53:50 AM
To: firewall@lists.fusecommunity.fortinet.com
Subject: [Firewall:] - RE: How to block bypass DNS settings


Thanks, I can do it but is it possible the In the single Policy I will allow all services except the DNS?



Regards,

Deepak Kumar

-----End Original Message-----
1383
0 Kudos
DeepKuma2
Contributor
In response to MichaelBazy

Created on ‎03-04-2018 10:12 PM

Hi, 

there is no reason to avoid to configure any deny policy but it is for basic Idea.

Regards,

Deepak Kumar

Deepak Kumar First Option General Trading LLC Dubai
Deepak Kumar First Option General Trading LLC Dubai
1383
0 Kudos
DrWolfgangBeneicke1
New Contributor III
In response to DeepKuma2

Created on ‎03-07-2018 11:27 PM

IMHO an explicit DENY policy is not only effective but openly documents your intention, namely that only the internal DNS is to be used. Besides, if you enable logging you could pinpoint the hosts which still are not using the (DHCP supplied) internal DNS.

Transparency is one of the foundations of security.

1383
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.