elvikola
Staff
Article Id 353514
Description This article describes how to use FortiGate as a DNS server with DNS Filter profiles applied on multiple interfaces.
Scope FortiGate hardware and VM.
Solution
FortiGate can act as a DNS server by enabling the DNS Service on specific interfaces. A DNS Filter profile can be applied when the service runs in Recursive mode or in Forward to System DNS mode. In this example the DNS Service is configured to listen on the LAN interface with a DNS Filter profile applied, and for testing purposes the domain 'example.com' is blocked in that profile.
DNS query results are as below: 
 
nslookup example.com 10.151.6.43 (LAN)
Server:  UnKnown
Address:  10.151.6.43
 
Non-authoritative answer:
Name:    example.com
Addresses:  2620:101:9000:53::55
208.91.112.55
  
The DNS Filter profile filters the DNS traffic according to its configuration and, for the blocked domain, answers with the redirect portal IP (208.91.112.55) instead of the real address.
 
The same result is returned when the DNS query is sent to the DNS Service configured on the WAN interface:
 
nslookup example.com 10.109.22.43 (WAN)
Server:  UnKnown
Address:  10.109.22.43
 
Non-authoritative answer:
Name:    example.com
Addresses:  2620:101:9000:53::55
208.91.112.55
 
This is the expected behavior: the profile is applied on the original ingress interface. The DNS request still arrives on the LAN interface and is therefore filtered by the profile attached to that interface, whichever FortiGate address it is sent to.
To overcome this, the DNS Service must be bound to a destination interface, and for that loopback interfaces are needed. In this example two loopbacks are configured: one with a DNS Filter profile and one without.
DNS query results are as below:  
 
  • With DNS Filter profile:

nslookup example.com 172.16.16.16 (loop0)
Server:  UnKnown
Address:  172.16.16.16
 
Non-authoritative answer:
Name:    example.com
Addresses:  2620:101:9000:53::55
208.91.112.55
 
  • Without DNS Filter profile:

nslookup example.com 172.17.17.17 (loop1)
Server:  UnKnown
Address:  172.17.17.17
 
Non-authoritative answer:
Name:    example.com
Addresses:  2606:2800:21f:cb07:6820:80da:af6b:8b2c
93.184.215.14
  
For this to work, a firewall policy allowing traffic from the LAN interface toward the loopback interface is also needed:
 
config firewall policy
    edit 5
        set name "lan-to-loop0"
        set srcintf "port1"
        set dstintf "loop0"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "DNS"
    next
end

As the results above show, once the firewall policy is in place the second DNS query (to the loopback without a DNS Filter profile) resolves example.com to its correct IP (93.184.215.14), while the query to the filtered loopback is still answered with the redirect portal IP.
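As an added example (not the article's own configuration and not from Fortinet), the complete FortiOS CLI for the loopback setup described above is collected in one place: both loopback listeners, the domain filter and DNS Filter profile, the per-interface DNS Service, and the policies. The loopback names and addresses, the blocked domain and policy 5 are taken from the article; FortiOS 7.x syntax, VDOM "root", the names "block-example" and "dnsfilter-loop0", and the second policy for loop1 are assumptions.

```fortios
# Added example (not the article's own configuration): full FortiOS CLI
# equivalent of the setup described above. Assumed: FortiOS 7.x syntax,
# VDOM "root", the names "block-example" and "dnsfilter-loop0", and the
# second policy for loop1. The loopback names, addresses, blocked domain
# and policy 5 come from the article.

# 1. Two loopback interfaces: the DNS listeners clients will be pointed at.
config system interface
    edit "loop0"
        set vdom "root"
        set type loopback
        set ip 172.16.16.16 255.255.255.255
        set allowaccess ping
    next
    edit "loop1"
        set vdom "root"
        set type loopback
        set ip 172.17.17.17 255.255.255.255
        set allowaccess ping
    next
end

# 2. A static domain-filter table that blocks example.com, and a DNS Filter
#    profile that uses it. block-action redirect answers blocked names with
#    the FortiGuard redirect portal IP instead of the real address.
config dnsfilter domain-filter
    edit 1
        set name "block-example"
        config entries
            edit 1
                set domain "example.com"
                set type simple
                set action block
                set status enable
            next
        end
    next
end
config dnsfilter profile
    edit "dnsfilter-loop0"
        set block-action redirect
        config domain-filter
            set domain-filter-table 1
        end
    next
end

# 3. DNS Service per interface: loop0 filtered, loop1 unfiltered. Because the
#    profile is bound to the listener (destination) interface rather than to
#    the ingress interface, the server address a client queries decides
#    whether filtering applies. Use "set mode forward-only" instead of
#    recursive for Forward to System DNS mode.
config system dns-server
    edit "loop0"
        set mode recursive
        set dnsfilter-profile "dnsfilter-loop0"
    next
    edit "loop1"
        set mode recursive
    next
end

# 4. Policies from LAN (port1) to each loopback, DNS service only. Policy 5 is
#    the one shown in the article; policy 6 for loop1 is assumed.
config firewall policy
    edit 5
        set name "lan-to-loop0"
        set srcintf "port1"
        set dstintf "loop0"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "DNS"
    next
    edit 6
        set name "lan-to-loop1"
        set srcintf "port1"
        set dstintf "loop1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "DNS"
    next
end
```

To verify from a LAN host, repeat the two queries from the article: nslookup example.com 172.16.16.16 should return the redirect portal IP, and nslookup example.com 172.17.17.17 should return the real address. If the unfiltered query is still answered with the portal IP, check that the client is querying the loopback address and not the LAN interface address, since the LAN listener keeps its own profile.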