FortiGate
ssanga
Staff
Article Id 349929
Description This article describes the workaround and fix for an issue where a DNS filter profile, configured with an external domain threat feed to block certain domain names, fails to block DNS resolution of uppercase domain names when the firewall policy uses flow-based inspection mode.
Scope FortiGate v7.2.8.
Solution

When the DNS filter is configured with an external domain threat feed to block specific domains, DNS resolution may still succeed if the domain name in the DNS query is written in uppercase while the feed entry is lowercase, specifically when the firewall policy is set to flow-based inspection mode.
In proxy-based inspection mode, however, the same DNS resolution is blocked successfully.

config dnsfilter profile
    edit "dnsfilter_ext"
        config ftgd-dns
            set options error-allow
            config filters
                edit 1
                    set category 194 # 194 = Ext-Resource-Type-as-Domain-1
                    set action block
                next
            end
        end
        set log-all-domain enable
        set block-action block
    next
end

diagnose sys external-resource list Ext-Resource-Type-as-Domain-1 | grep fortine

www.fortinet.com

The issue in Flow-Based Inspection Mode:
When performing a DNS lookup with an uppercase domain name (for example 'www.FORTINET.com') in flow-based mode, the DNS filter fails to block the query.

diagnose debug app dnsproxy -1
diagnose debug enable
[464@1]dns_dissector: Operation Code: 0 flags 0x100
[468@1]dns_dissector: Operation Code: 0 flags 0x100
[468@1]dissect_query_records: dns request: name www.FORTINET.com, type 1, class 0x1, size 15
[468@1]ips_eng_log_dnsfilter: sess:706 profile:dnsfilter_ext action:0 name:www.FORTINET.com category:0
[468@1]dns_dissector: Operation Code: 0 flags 0x8180
[468@1]dissect_query_records: dns request: name www.FORTINET.com, type 1, class 0x1, size 15
[468@1]dissect_answer_records: dns reply: name www.FORTINET.com, type 5, class 0x1, size 2
[468@1]dissect_answer_records: dns reply: name www.fortinet.com.akadns.net, type 5, class 0x1, size 2
[468@1]dissect_answer_records: dns reply: name wwwds.fortinet.com.edgekey.net, type 5, class 0x1, size 2
[468@1]dissect_answer_records: dns reply: name wwwds.fortinet.com.edgekey.net.globalredir.akadns.net, type 5, class 0x1, size 2
[468@1]dissect_answer_records: dns reply: name e2867.dsca.akamaiedge.net, type 1, class 0x1, size 2
[468@1]dns_type_a: 184.29.118.114
[468@-1]ips_handle_dnsfilter_fgd_answer: sess:1, id:1, action:0, resume:1, error:0, category:52, byip:0, log:1
[468@-1]ips_eng_log_dnsfilter: sess:706 profile:dnsfilter_ext action:0 name:www.FORTINET.com category:52
[464@1]dns_dissector: Operation Code: 0 flags 0x8180
[464@1]dissect_query_records: dns request: name www.FORTINET.com, type 28, class 0x1, size 15
[464@1]dissect_answer_records: dns reply: name www.FORTINET.com, type 5, class 0x1, size 2
[464@1]dissect_answer_records: dns reply: name www.fortinet.com.akadns.net, type 5, class 0x1, size 2
[464@1]dissect_answer_records: dns reply: name wwwds.fortinet.com.edgekey.net, type 5, class 0x1, size 2
[464@1]dissect_answer_records: dns reply: name wwwds.fortinet.com.edgekey.net.globalredir.akadns.net, type 5, class 0x1, size 2
[464@1]dissect_answer_records: dns reply: name e2867.dsca.akamaiedge.net, type 28, class 0x1, size 2
[464@1]dns_type_aaaa: 2600:140a:1000:196::b33
[464@1]dissect_answer_records: dns reply: name e2867.dsca.akamaiedge.net, type 28, class 0x1, size 2
[464@1]dns_type_aaaa: 2600:140a:1000:192::b33
[464@-1]ips_handle_dnsfilter_fgd_answer: sess:1, id:1, action:0, resume:1, error:0, category:52, byip:0, log:1
[464@-1]ips_eng_log_dnsfilter: sess:705 profile:dnsfilter_ext action:0 name:www.FORTINET.com category:52 --------------------->>>>

1: date=2024-06-26 time=06:01:21 eventtime=1719338480404872659 logid="1501054802" type="utm" subtype="dns" eventtype="dns-response" level="notice" vd="vdom1" policyid=1 poluuid="a110fd6e-330e-51ef-12e4-4f1398de9830" policytype="policy" sessionid=706 srcip=10.1.100.11 srcport=37901 srccountry="Reserved" srcintf="port1" srcintfrole="undefined" dstip=8.8.8.8 dstport=53 dstcountry="United States" dstintf="port9" dstintfrole="undefined" proto=17 profile="dnsfilter_ext" xid=30960 qname="www.FORTINET.com" qtype="A" qtypeval=1 qclass="IN" ipaddr="184.29.118.114" msg="Domain is monitored" action="pass" cat=52 catdesc="Information Technology"

2: date=2024-06-26 time=06:01:21 eventtime=1719338480388540278 logid="1500054000" type="utm" subtype="dns" eventtype="dns-query" level="information" vd="vdom1" policyid=1 poluuid="a110fd6e-330e-51ef-12e4-4f1398de9830" policytype="policy" sessionid=706 srcip=10.1.100.11 srcport=37901 srccountry="Reserved" srcintf="port1" srcintfrole="undefined" dstip=8.8.8.8 dstport=53 dstcountry="United States" dstintf="port9" dstintfrole="undefined" proto=17 profile="dnsfilter_ext" xid=30960 qname="www.FORTINET.com" qtype="A" qtypeval=1 qclass="IN"

With a lowercase domain name, such as 'www.fortinet.com', DNS resolution is blocked as expected in both flow-based and proxy-based inspection modes.

diagnose debug app dnsproxy -1
diagnose debug enable
[641@1]dns_dissector: Operation Code: 0 flags 0x100
[643@1]dns_dissector: Operation Code: 0 flags 0x100
[641@1]dissect_query_records: dns request: name www.fortinet.com, type 28, class 0x1, size 15
[643@1]ips_eng_log_dnsfilter: sess:827 profile:dnsfilter_ext action:0 name:www.fortinet.com category:0
[641@1]dns_dissector: Operation Code: 0 flags 0x8180
[641@1]dissect_query_records: dns request: name www.fortinet.com, type 28, class 0x1, size 15
[641@1]dissect_answer_records: dns reply: name www.fortinet.com, type 5, class 0x1, size 2
[641@1]dissect_answer_records: dns reply: name www.fortinet.com.akadns.net, type 5, class 0x1, size 2
[641@1]dissect_answer_records: dns reply: name wwwds.fortinet.com.edgekey.net, type 5, class 0x1, size 2
[641@1]dissect_answer_records: dns reply: name wwwds.fortinet.com.edgekey.net.globalredir.akadns.net, type 5, class 0x1, size 2
[641@1]dissect_answer_records: dns reply: name e2867.dsca.akamaiedge.net, type 28, class 0x1, size 2
[641@1]dns_type_aaaa: 2600:140a:1000:192::b33
[641@1]dissect_answer_records: dns reply: name e2867.dsca.akamaiedge.net, type 28, class 0x1, size 2
[641@1]dns_type_aaaa: 2600:140a:1000:196::b33
[641@1]dnsfilter_check_external_category: Found www.fortinet.com in external category 194
[641@1]ips_handle_dnsfilter_fgd_answer: sess:1, id:0, action:1, resume:0, error:0, category:194, byip:0, log:1
[641@1]set_dns_error_message: DNS send UDP error response NXDOMAIN to session 1
[641@1]ips_eng_log_dnsfilter: sess:828 profile:dnsfilter_ext action:1 name:www.fortinet.com category:194
[643@1]dns_dissector: Operation Code: 0 flags 0x8180
[643@1]dissect_query_records: dns request: name www.fortinet.com, type 1, class 0x1, size 15
[643@1]dissect_answer_records: dns reply: name www.fortinet.com, type 5, class 0x1, size 2
[643@1]dissect_answer_records: dns reply: name www.fortinet.com.akadns.net, type 5, class 0x1, size 2
[643@1]dissect_answer_records: dns reply: name wwwds.fortinet.com.edgekey.net, type 5, class 0x1, size 2
[643@1]dissect_answer_records: dns reply: name wwwds.fortinet.com.edgekey.net.globalredir.akadns.net, type 5, class 0x1, size 2
[643@1]dissect_answer_records: dns reply: name e2867.dsca.akamaiedge.net, type 1, class 0x1, size 2
[643@1]dns_type_a: 23.5.98.81
[643@1]dnsfilter_check_external_category: Found www.fortinet.com in external category 194
[643@1]ips_handle_dnsfilter_fgd_answer: sess:1, id:0, action:1, resume:0, error:0, category:194, byip:0, log:1
[643@1]set_dns_error_message: DNS send UDP error response NXDOMAIN to session 1
[643@1]ips_eng_log_dnsfilter: sess:827 profile:dnsfilter_ext action:1 name:www.fortinet.com category:194

1: date=2024-06-26 time=06:15:16 eventtime=1719339316331631774 logid="1501054803" type="utm" subtype="dns" eventtype="dns-response" level="warning" vd="vdom1" policyid=1 poluuid="a110fd6e-330e-51ef-12e4-4f1398de9830" policytype="policy" sessionid=827 srcip=10.1.100.11 srcport=40767 srccountry="Reserved" srcintf="port1" srcintfrole="undefined" dstip=8.8.8.8 dstport=53 dstcountry="United States" dstintf="port9" dstintfrole="undefined" proto=17 profile="dnsfilter_ext" xid=61475 qname="www.fortinet.com" qtype="A" qtypeval=1 qclass="IN" msg="Domain belongs to a denied category in policy" action="block" cat=194 catdesc="Ext-Resource-Type-as-Domain-1" rcode=3

2: date=2024-06-26 time=06:15:16 eventtime=1719339316189435246 logid="1500054000" type="utm" subtype="dns" eventtype="dns-query" level="information" vd="vdom1" policyid=1 poluuid="a110fd6e-330e-51ef-12e4-4f1398de9830" policytype="policy" sessionid=827 srcip=10.1.100.11 srcport=40767 srccountry="Reserved" srcintf="port1" srcintfrole="undefined" dstip=8.8.8.8 dstport=53 dstcountry="United States" dstintf="port9" dstintfrole="undefined" proto=17 profile="dnsfilter_ext" xid=61475 qname="www.fortinet.com" qtype="A" qtypeval=1 qclass="IN"

This issue has been resolved in IPS Engine (IPSE) versions 7.2.7:0342, 7.4.4:0542, and 7.6.0:1013|1014.

Workaround: change the inspection mode of the affected firewall policy to proxy-based.
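The root cause the debug output above illustrates is a case-sensitive comparison of a query name against a feed of lowercase entries, even though DNS names are case-insensitive (RFC 4343). The following Python script is an added example, not FortiGate code and not part of this article: it shows the difference between exact-string and case-normalized matching against a domain feed, and audits FortiGate DNS filter log lines for dns-response events that were passed although the normalized query name is on the feed, which is exactly the signature seen in the flow-mode logs above. The feed contents, the log lines (shortened copies of the article's output, without the extraction-added "http://" prefixes) and all function names are constructed for this example; it assumes the feed lists exact domain names, one per line.

```python
"""Case-normalized domain feed matching and a DNS filter log audit.
Example added to the article; not FortiGate code. Feed and log lines are
constructed from the article's sample output."""
from __future__ import annotations

import re

# Constructed threat feed, one domain per line (the format of an external
# resource of type "domain"); comments and blank lines are ignored.
THREAT_FEED = """
# constructed sample feed
www.fortinet.com
EXAMPLE.INVALID.
"""

# Constructed, shortened copies of the article's log lines.
SAMPLE_LOGS = [
    'date=2024-06-26 time=06:01:21 logid="1501054802" type="utm" subtype="dns" '
    'eventtype="dns-response" level="notice" vd="vdom1" policyid=1 sessionid=706 '
    'srcip=10.1.100.11 dstip=8.8.8.8 dstport=53 profile="dnsfilter_ext" '
    'qname="www.FORTINET.com" qtype="A" ipaddr="184.29.118.114" '
    'msg="Domain is monitored" action="pass" cat=52 catdesc="Information Technology"',
    'date=2024-06-26 time=06:01:21 logid="1500054000" type="utm" subtype="dns" '
    'eventtype="dns-query" level="information" vd="vdom1" policyid=1 sessionid=706 '
    'srcip=10.1.100.11 dstip=8.8.8.8 dstport=53 profile="dnsfilter_ext" '
    'qname="www.FORTINET.com" qtype="A"',
    'date=2024-06-26 time=06:15:16 logid="1501054803" type="utm" subtype="dns" '
    'eventtype="dns-response" level="warning" vd="vdom1" policyid=1 sessionid=827 '
    'srcip=10.1.100.11 dstip=8.8.8.8 dstport=53 profile="dnsfilter_ext" '
    'qname="www.fortinet.com" qtype="A" msg="Domain belongs to a denied category in policy" '
    'action="block" cat=194 catdesc="Ext-Resource-Type-as-Domain-1" rcode=3',
]


def normalize_name(name: str) -> str:
    """Canonical form for comparing DNS names: DNS is case-insensitive
    (RFC 4343), so lowercase, and drop a trailing root dot and whitespace."""
    return name.strip().rstrip(".").lower()


def load_feed(text: str) -> set[str]:
    """Parse a domain feed into a set of normalized names."""
    feed = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        feed.add(normalize_name(line))
    return feed


def naive_match(qname: str, feed: set[str]) -> bool:
    """Exact string comparison: the behaviour the flow-mode debug output shows,
    where www.FORTINET.com is not found although www.fortinet.com is listed."""
    return qname in feed


def normalized_match(qname: str, feed: set[str]) -> bool:
    """Compare after normalization; this is what a blocklist lookup must do."""
    return normalize_name(qname) in feed


# key=value pairs with either a quoted value (may contain spaces) or a bare one.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_log(line: str) -> dict[str, str]:
    """Parse a FortiGate key=value log line into a dict of string values."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def find_case_bypasses(log_lines: list[str], feed: set[str]) -> list[tuple[str, str]]:
    """Return (sessionid, qname) for dns-response events that were passed even
    though the normalized query name is on the feed: the symptom of the issue."""
    hits = []
    for line in log_lines:
        rec = parse_log(line)
        if rec.get("eventtype") != "dns-response":
            continue
        qname = rec.get("qname", "")
        if rec.get("action") == "pass" and normalized_match(qname, feed):
            hits.append((rec["sessionid"], qname))
    return hits


if __name__ == "__main__":
    feed = load_feed(THREAT_FEED)
    for q in ("www.fortinet.com", "www.FORTINET.com"):
        print(f"{q}: naive={naive_match(q, feed)} normalized={normalized_match(q, feed)}")
    for sid, q in find_case_bypasses(SAMPLE_LOGS, feed):
        print(f"session {sid}: {q} was passed but is on the feed")
```

Run against exported FortiGate DNS filter logs, `find_case_bypasses` flags only the uppercase session (706) from the article, while the lowercase session (827) was blocked and is not reported; the same normalization step is what a fixed matcher needs to apply before the feed lookup.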