johnathan
Staff
Article Id 368822
Description: This article describes the exact behavior of a FortiGate configured as a DNS server when different DNS filters are applied to its interfaces and a client queries the DNS server address of an interface it is not behind.
Scope: FortiOS.
Solution

The FortiGate is set up as a DNS server and is listening on 'port9' and 'port10'.

ports.PNG


'port10' has a DNS filter configured to block all queries, but the DNS filter on 'port9' lets all queries through.

dns server.PNG


The 'default' filter:

default.PNG

The 'block-ALL' filter:

block all.PNG

When doing an nslookup from a PC behind 'port10', the DNS filter for 'port10' is applied no matter which IP address on the FortiGate the PC tried to query.

nslookup fail.PNG
nslookup fail2.PNG


A 'dnsproxy' debug also shows that the 'block-ALL' filter is being applied:

dns block.PNG
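For reference, the CLI equivalent of the setup shown in the screenshots, followed by the debug used to confirm which filter is applied. This is an added example, not taken from the article or from Fortinet; the interface and profile names are the ones used above, while the client subnet and the test domain are assumed values.

```fortios
# Assumed topology: PC on 10.10.10.0/24 behind port10, FortiGate listening on both port9 and port10.
# The DNS filter profile attached to the interface the client sits behind is the one applied,
# even when the client sends its query to the IP address of the other interface.
config system dns-server
    edit "port9"
        set mode recursive
        set dnsfilter-profile "default"      # allows all queries
    next
    edit "port10"
        set mode recursive
        set dnsfilter-profile "block-ALL"    # blocks all queries
    next
end

# Check from the CLI which profile the dnsproxy daemon applies. Enable the debug, then run
# 'nslookup example.com <port9 IP>' from the PC behind port10: the output still shows the
# 'block-ALL' profile, because the lookup is attributed to the client's ingress interface.
diagnose debug application dnsproxy -1
diagnose debug enable

# Stop the debug once the query has been observed.
diagnose debug disable
diagnose debug reset
```

If the expected outcome is for that client to resolve names, attach the permissive profile to 'port10' (the interface the client is behind) rather than pointing the client at the 'port9' address.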