FortiGate
nithincs
Staff & Editor
Article Id 335226
Description This article describes how to configure a FortiGate DNS server with the forward-only option and working details.
Scope FortiGate.
Solution

FortiGate can be set to forward incoming DNS requests from LAN clients to FortiGate's own system DNS servers and apply the DNS filter profile at that single point.

With this, every DNS query from LAN users is inspected, and only domains in trusted categories are resolved.

1. Configure the system DNS:

    config system dns
        set primary 8.8.8.8
        set secondary 4.2.2.2
    end

 

 

2. Configure FortiGate as a DNS server:

Go to Network -> DNS Servers and, under 'DNS Service on Interface', select Create New.
Select the FortiGate network interface that will serve DNS to the clients.
Set the DNS Filter profile.

(Screenshot: dnserver1.JPG)

    config system dns-server
        edit "port3"
            set mode forward-only
            set dnsfilter-profile "default"
        next
    end

 

If more than one network is connected through different interfaces, add each of those interfaces under DNS Servers.

(Screenshot: dnserver2.JPG)

    config system dns-server
        edit "port3"
            set mode forward-only
            set dnsfilter-profile "default"
        next
        edit "port4"
            set mode forward-only
            set dnsfilter-profile "default"
        next
    end

 

3. If the DNS service (or the IP it listens on) is hosted on multiple interfaces, make sure a firewall policy allows DNS traffic between the listening interfaces.

(Screenshot: dnserver3.JPG)

    config firewall policy
        edit 1
            set name "dns"
            set uuid 3b2eebb6-5fd0-51ef-e636-6e10eadad162
            set srcintf "port3" "port4"
            set dstintf "port3" "port4"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
        next
    end

 

4. Set the FortiGate interface IP as the DNS server IP on the end-user machine.

(Screenshot: dnserver4.JPG)

If FortiGate is also the DHCP server, push the DNS server IP to clients from the DHCP settings:

(Screenshot: dnserver6.JPG)

Now, when a client performs an nslookup for a trusted domain name, the DNS query arrives at the FortiGate interface and is forwarded to the system DNS servers.
When the response returns from the system DNS, it is checked against the DNS filter profile's action, and the (allowed) response is then sent back to the client PC.
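To verify the query path described above from a client's point of view, the following script is an added example (not part of the Fortinet article and not FortiGate code): it builds a standard A-record query, sends it over UDP to the FortiGate interface IP that clients were handed as their DNS server, and decodes the transaction ID, response code and any A records in the answer. FORTIGATE_DNS_IP is a placeholder you must replace with your own interface IP, and SAMPLE_RESPONSE is a constructed wire-format response used only so the decoder can be exercised offline.

```python
"""
Added example, not from the Fortinet article: a minimal DNS A-record
client to check that a LAN client's queries are answered by the FortiGate
interface configured as the forward-only DNS server.

Assumptions (not in the original article):
  - FORTIGATE_DNS_IP is the FortiGate LAN interface IP given to clients
    (placeholder value; replace with your own).
  - The check is observational only: a standard UDP query is sent and the
    A records (if any) in the reply are decoded.
"""
import random
import socket
import struct
from typing import Optional

FORTIGATE_DNS_IP = "192.0.2.1"   # placeholder: your FortiGate LAN interface IP
DNS_PORT = 53


def build_query(name: str, txn_id: Optional[int] = None) -> bytes:
    """Encode a recursive A query for `name` in RFC 1035 wire format."""
    if txn_id is None:
        txn_id = random.randint(0, 0xFFFF)
    # header: id, flags (RD=1), qdcount=1, ancount=0, nscount=0, arcount=0
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question


def _skip_name(msg: bytes, offset: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return offset + 2
        offset += 1 + length


def parse_response(msg: bytes) -> dict:
    """Decode header fields and any A records from a DNS response."""
    txn_id, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):
        offset = _skip_name(msg, offset) + 4       # skip QTYPE/QCLASS
    addresses = []
    for _ in range(ancount):
        offset = _skip_name(msg, offset)
        rtype, rclass, _ttl, rdlength = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlength]
        offset += rdlength
        if rtype == 1 and rclass == 1 and rdlength == 4:
            addresses.append(socket.inet_ntoa(rdata))
    return {
        "id": txn_id,
        "rcode": flags & 0x000F,           # 0 = NOERROR, 3 = NXDOMAIN
        "truncated": bool(flags & 0x0200),
        "addresses": addresses,
    }


def query_fortigate(name: str, server: str = FORTIGATE_DNS_IP, timeout: float = 3.0) -> dict:
    """Send the query over UDP to the FortiGate DNS service and decode the reply."""
    txn_id = random.randint(0, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txn_id), (server, DNS_PORT))
        data, _ = sock.recvfrom(4096)
    result = parse_response(data)
    if result["id"] != txn_id:
        raise ValueError("transaction id mismatch: reply is not for our query")
    return result


# Constructed sample reply (not captured from a real FortiGate): answers
# "example.com" with A 203.0.113.10 (a TEST-NET-3 address), rcode NOERROR.
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"   # id, flags (QR,RD,RA), counts
    b"\x07example\x03com\x00\x00\x01\x00\x01"              # question: example.com A IN
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\xcb\x00\x71\x0a"  # answer RR
)

if __name__ == "__main__":
    print(parse_response(SAMPLE_RESPONSE))
    # Live check against the FortiGate interface (needs network reachability):
    # print(query_fortigate("example.com"))
```

Run it from a LAN client behind the FortiGate with FORTIGATE_DNS_IP set to the interface address from step 4; a reply whose transaction ID matches and whose addresses list is populated confirms the query was accepted on that interface and forwarded, while a reply with no A records or a non-zero rcode for a domain you expect the DNS filter to allow is the signal to recheck the profile assigned in step 2.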

Contributors