achacon, Staff
Article Id 400477
Description This article describes how the DNS filter profile behaves depending on the DNS response received from the DNS server.
Scope FortiOS.
Solution

DNS response codes range from 0 to 5, but the most common response codes are:

  • 0 – NoError: No error occurred; the query completed successfully.
  • 3 – NXDOMAIN: Name Error; the domain name referenced in the query does not exist.


By design, FortiGate DNS filtering does not take any action when the DNS response contains no answer or no DNS record to modify, such as when the DNS server returns an NXDOMAIN (error code 3). In these cases, redirection to the block portal is not performed.


This behavior can create the following scenario: a domain that belongs to a category whose action is 'Redirect to block portal' in the DNS filter profile appears not to be redirected to the block portal IP.

Consider the following scenario:

The domain test.lab.local is part of category 'Newly Observed Domain' which is set to 'Redirect to block portal' in the DNS Filter profile under Security Profiles -> DNS filter:

(Screenshot: KCS1.png)

(Screenshot: KCS2.png)

However, when the user performs an nslookup for this domain, the DNS logs under Log & Report -> Security Events -> DNS Query show action=pass:

date=2025-06-25 time=11:13:06 eventtime=1750875186766336394 tz="-0700" logid="1501054802" type="utm" subtype="dns" eventtype="dns-response" level="notice" vd="root" policyid=9 poluuid="eded1e8e-c158-51ed-48a2-07c142c3f52a" policytype="policy" sessionid=1121 srcip=192.168.10.43 srcport=59194 srccountry="Reserved" srcintf="port2" srcintfrole="lan" dstip=192.168.1.89 dstport=53 dstcountry="Reserved" dstintf="port1" dstintfrole="undefined" proto=17 profile="default" srcmac="0c:27:eb:da:00:00" xid=5 qname="test.lab.local" qtype="AAAA" qtypeval=28 qclass="IN" msg="Domain is monitored" action="pass" cat=90 catdesc="Newly Observed Domain" rcode=3


Since the DNS response contains RCODE 3 (NXDOMAIN), FortiGate does not alter the response, as there is no DNS record to modify. It is also important to note that, since the response contains no IP address, the client will not be able to reach the domain regardless.

Once an A record is added on the DNS server for the domain test.lab.local, the DNS filter logs show action=redirect:

date=2025-06-25 time=11:10:49 eventtime=1750875049438784075 tz="-0700" logid="1501054803" type="utm" subtype="dns" eventtype="dns-response" level="warning" vd="root" policyid=9 poluuid="eded1e8e-c158-51ed-48a2-07c142c3f52a" policytype="policy" sessionid=841 srcip=192.168.10.43 srcport=64140 srccountry="Reserved" srcintf="port2" srcintfrole="lan" dstip=192.168.1.89 dstport=53 dstcountry="Reserved" dstintf="port1" dstintfrole="undefined" proto=17 profile="default" srcmac="0c:27:eb:da:00:00" xid=5 qname="test.lab.local" qtype="AAAA" qtypeval=28 qclass="IN" ipaddr="2001:cdba::3257:9652" msg="Domain belongs to a denied category in policy" action="redirect" cat=90 catdesc="Newly Observed Domain"

Since there is no rcode=3 and the DNS response contains a DNS record, the FortiGate modifies the DNS response with the redirect portal.
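As an added example that is not part of this article, the following Python script parses FortiOS DNS filter log lines such as the two above and tells an NXDOMAIN pass-through (expected, nothing to rewrite) apart from a pass that would merit investigation. The sample lines are abbreviated copies of the entries above, and the set of categories expected to redirect is an assumption taken from the profile in this scenario.

```python
import re

# Constructed sample lines, abbreviated from the two log entries discussed above.
SAMPLE_LOGS = [
    'date=2025-06-25 time=11:13:06 type="utm" subtype="dns" eventtype="dns-response" '
    'qname="test.lab.local" qtype="AAAA" msg="Domain is monitored" action="pass" '
    'cat=90 catdesc="Newly Observed Domain" rcode=3',
    'date=2025-06-25 time=11:10:49 type="utm" subtype="dns" eventtype="dns-response" '
    'qname="test.lab.local" qtype="AAAA" ipaddr="2001:cdba::3257:9652" '
    'msg="Domain belongs to a denied category in policy" action="redirect" '
    'cat=90 catdesc="Newly Observed Domain"',
]

# FortiOS log lines are space-separated key=value pairs; values may be double-quoted.
_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_fortios_log(line):
    """Return the key=value fields of one FortiOS log line as a dict (quotes stripped)."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
            for m in _KV.finditer(line)}

# Assumption: categories the DNS filter profile is configured to redirect to the block portal.
REDIRECT_CATEGORIES = {"Newly Observed Domain"}

def explain(fields):
    """Classify why a DNS filter log line shows pass or redirect."""
    if fields.get("subtype") != "dns" or fields.get("eventtype") != "dns-response":
        return "not-a-dns-response"
    action = fields.get("action")
    rcode = int(fields.get("rcode", "0"))   # FortiOS omits rcode on a successful answer
    if action == "redirect":
        return "redirected"                  # response carried a record and was rewritten
    if fields.get("catdesc") in REDIRECT_CATEGORIES and action == "pass":
        if rcode == 3:
            return "nxdomain-passthrough"    # no record to rewrite; client gets no IP anyway
        return "unexpected-pass"             # answer present but not rewritten: investigate
    return "pass"

def triage(lines):
    """Map each qname to its verdict for a batch of log lines."""
    return [(f.get("qname"), explain(f)) for f in map(parse_fortios_log, lines)]

if __name__ == "__main__":
    for qname, verdict in triage(SAMPLE_LOGS):
        print(f"{qname}: {verdict}")
```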

If action=redirect is still desired for a domain whose DNS response has RCODE=3, it is possible to create a domain filter for this domain and set the action to 'Redirect to Block portal'.

(Screenshot: KCS3.png)


FortiGate checks this domain against the static domain table without waiting for a DNS response, and redirects it to the block portal.


Note: This behavior is valid for FortiOS versions 7.2.9+, 7.4.5+, 7.6.0+.