Description
Enable DNS Filter Safe Search so that, when a client resolves a supported search engine's domain, the FortiGate answers with that engine's child- and school-safe domain (as a CNAME) and its IP address instead of the regular one.
Users might not be aware that this filter is in place, because the search interface looks the same.
The explicit content itself is filtered by the search engine, not by the FortiGate.
This feature is not 100% accurate, but it helps to avoid explicit and inappropriate search results.
This feature currently supports Google, Bing, and YouTube.
Related documents:
DNS Safe Search - FortiGate 6.2.0 cookbook
DNS safe search - FortiGate 7.4.0 administration guide
Solution
DNS safe search.
To configure DNS Filter Safe Search from the GUI:
- Go to Security Profiles -> DNS Filter and edit or create a DNS Filter.
- Enable Enforce 'Safe search' on Google, Bing, YouTube.
- In Restrict YouTube Access, select 'Strict' or 'Moderate'.
To configure a DNS Filter Safe Search from the CLI:
config dnsfilter profile
    edit "demo"
        config ftgd-dns
            set options error-allow
            config filters
                edit 2
                    set category 2
                next
                ...
            end
        end
        set log-all-domain enable
        set block-botnet enable
        set safe-search enable    <----- DNS Filter Safe Search option.
    next
end
Sample.
To see how this works, enable the option and then confirm the rewrite from a client.
From a PC on the internal network, use a command-line tool such as 'dig' or 'nslookup' to query www.bing.com.
For example:
# dig www.bing.com

;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 46568
;; Flags: qr rd ra; QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 0

;; QUESTION SECTION:
;; www.bing.com. IN A

;; ANSWER SECTION:
www.bing.com. 103 IN CNAME strict.bing.com.    <----- Safe Search CNAME inserted by the FortiGate
strict.bing.com. 103 IN A 204.79.197.220

;; Received 67 B
;; Time 2019-04-05 14:34:52 PDT
;; From 172.16.95.16@53(UDP) in 196.0 ms

The browser then connects to strict.bing.com, which presents the same search engine interface, but the search engine filters explicit content out of the results.
Check the DNS Filter log for the message 'DNS Safe Search enforced'.
To check the DNS Filter Safe Search log from the CLI:
1: date=2019-04-05 time=14:34:53 logid="1501054804" type="utm" subtype="dns" eventtype="dns-response" level="notice" vd="vdom1" eventtime=1554500093 policyid=1 sessionid=65955 srcip=10.1.100.18 srcport=36575 srcintf="port10" srcintfrole="undefined" dstip=172.16.95.16 dstport=53 dstintf="port9" dstintfrole="undefined" proto=17 profile="demo" xid=59573 qname="www.bing.com" qtype="A" qtypeval=1 qclass="IN" ipaddr="204.79.197.220" msg="DNS Safe Search enforced" action="pass" sscname="strict.bing.com" cat=41 catdesc="Search Engines and Portals"

2: date=2019-04-05 time=14:34:53 logid="1500054000" type="utm" subtype="dns" eventtype="dns-query" level="information" vd="vdom1" eventtime=1554500092 policyid=1 sessionid=65955 srcip=10.1.100.18 srcport=36575 srcintf="port10" srcintfrole="undefined" dstip=172.16.95.16 dstport=53 dstintf="port9" dstintfrole="undefined" proto=17 profile="demo" xid=59573 qname="www.bing.com" qtype="A" qtypeval=1 qclass="IN"

Entry 2 is the client's original query and entry 1 is the response the FortiGate returned; the two share sessionid and xid, and the response carries msg="DNS Safe Search enforced" together with sscname="strict.bing.com", the CNAME target that was substituted.

To check the DNS Filter Safe Search on a Windows machine:
Safe Search Disabled: (screenshot)
Safe Search Enabled: (screenshot)
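The log fields above are what an operator would audit to confirm the feature is actually being applied to every client. The following script is an added example, not Fortinet's code or anything from the article: it parses FortiGate key=value log lines, correlates dns-query and dns-response events by sessionid and xid, and flags any response for a search engine domain that was not rewritten. The two Bing lines are the article's own sample; the third line is constructed for the example (its field values, including the 192.0.2.x address and the profile name "no-safesearch", are made up). Only strict.bing.com appears on this page; the Google and YouTube CNAME targets in the table are the hostnames those engines publish for DNS-based Safe Search and are included here as an assumption.

```python
import re
from typing import Dict, List

# Expected Safe Search CNAME targets per queried name. strict.bing.com is the
# one shown in the article's sample output; the Google and YouTube names are the
# hostnames those engines publish for DNS-based enforcement and are an
# assumption here, not taken from the page.
SAFE_SEARCH_HOSTS = {
    "www.bing.com": {"strict.bing.com"},
    "www.google.com": {"forcesafesearch.google.com"},
    "www.youtube.com": {"restrict.youtube.com", "restrictmoderate.youtube.com"},
}

ENFORCED_MSG = "DNS Safe Search enforced"

# FortiGate logs are key=value pairs; values with spaces are double-quoted.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Parse one FortiGate key=value log line into a dict with quotes stripped."""
    fields: Dict[str, str] = {}
    for m in FIELD_RE.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def audit_safe_search(lines: List[str]) -> List[dict]:
    """For every dns-response to a name Safe Search should rewrite, report
    whether the FortiGate actually enforced it.

    dns-query and dns-response events are correlated by (sessionid, xid), so
    the order of lines in the export (newest first, as in the article) does
    not matter."""
    events = [parse_fortigate_log(line) for line in lines]
    dns_events = [e for e in events
                  if e.get("type") == "utm" and e.get("subtype") == "dns"]
    queries = {(e.get("sessionid"), e.get("xid")): e
               for e in dns_events if e.get("eventtype") == "dns-query"}

    findings = []
    for e in dns_events:
        if e.get("eventtype") != "dns-response":
            continue
        qname = e.get("qname", "").lower().rstrip(".")
        expected = SAFE_SEARCH_HOSTS.get(qname)
        if expected is None:
            continue  # not a name Safe Search rewrites
        sscname = e.get("sscname", "")
        findings.append({
            "srcip": e.get("srcip"),
            "profile": e.get("profile"),
            "qname": qname,
            "sscname": sscname,
            # Require both the log message and a CNAME target we expect.
            "enforced": e.get("msg") == ENFORCED_MSG and sscname in expected,
            "query_seen": (e.get("sessionid"), e.get("xid")) in queries,
        })
    return findings


SAMPLE_LOGS = [
    # Two lines reproduced from the article's sample (response first, as the log viewer lists them).
    'date=2019-04-05 time=14:34:53 logid="1501054804" type="utm" subtype="dns" eventtype="dns-response" level="notice" vd="vdom1" eventtime=1554500093 policyid=1 sessionid=65955 srcip=10.1.100.18 srcport=36575 srcintf="port10" srcintfrole="undefined" dstip=172.16.95.16 dstport=53 dstintf="port9" dstintfrole="undefined" proto=17 profile="demo" xid=59573 qname="www.bing.com" qtype="A" qtypeval=1 qclass="IN" ipaddr="204.79.197.220" msg="DNS Safe Search enforced" action="pass" sscname="strict.bing.com" cat=41 catdesc="Search Engines and Portals"',
    'date=2019-04-05 time=14:34:53 logid="1500054000" type="utm" subtype="dns" eventtype="dns-query" level="information" vd="vdom1" eventtime=1554500092 policyid=1 sessionid=65955 srcip=10.1.100.18 srcport=36575 srcintf="port10" srcintfrole="undefined" dstip=172.16.95.16 dstport=53 dstintf="port9" dstintfrole="undefined" proto=17 profile="demo" xid=59573 qname="www.bing.com" qtype="A" qtypeval=1 qclass="IN"',
    # Constructed for this example: a response for www.google.com passed through
    # a policy whose DNS filter profile does not have safe-search enabled, so no
    # msg/sscname fields are present. All values below are made up.
    'date=2019-04-05 time=14:40:10 logid="1501054000" type="utm" subtype="dns" eventtype="dns-response" level="information" vd="vdom1" eventtime=1554500410 policyid=2 sessionid=66001 srcip=10.1.100.25 srcport=40211 srcintf="port10" srcintfrole="undefined" dstip=172.16.95.16 dstport=53 dstintf="port9" dstintfrole="undefined" proto=17 profile="no-safesearch" xid=12001 qname="www.google.com" qtype="A" qtypeval=1 qclass="IN" ipaddr="192.0.2.10" action="pass" cat=41 catdesc="Search Engines and Portals"',
]


if __name__ == "__main__":
    for f in audit_safe_search(SAMPLE_LOGS):
        status = "OK  " if f["enforced"] else "MISS"
        print(f"{status} {f['srcip']:<14} {f['qname']:<16} "
              f"profile={f['profile']} sscname={f['sscname'] or '-'}")
```

Run against a log export (one event per line) the script prints one line per search engine response; a MISS for a client indicates a policy whose DNS filter profile lacks safe-search, or a client whose DNS does not traverse the FortiGate's DNS filter at all. Clients that use an external encrypted resolver will not appear in these logs, so an absence of findings is not the same as coverage.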
Note: If clients use encrypted DNS (DoH), SSL/SSH deep inspection is mandatory for Safe Search enforcement to work, because the FortiGate must be able to read and rewrite the DNS answer. Any DNS query the FortiGate cannot inspect is not rewritten.
Additional information.
For each search engine's Safe Search specification, see its own documentation page: