Description: This article explains how to enable the DNS Filtering service and how to confirm that the service is running using a CLI command.
Scope: FortiGate.
Solution:
A DNS Filter Profile inspects DNS traffic passing through the FortiGate and can be configured with an Allow, Monitor, Block, or Redirect decision for the inspected traffic. The DNS Filtering service is required for a DNS Filter Profile to work. This service is already included in the Web Filtering service when the FortiGate has a valid license.
Problem: In the FortiGate GUI, under the Network -> DNS page, the service shows as inactive. In addition, running the CLI command 'diagnose test application dnsproxy 3' prints 'FGD_DNS_SERVICE_LICENSE:' with no value after it, which indicates that the DNS Filtering service is not active, even though the FortiGate already has a valid Web Filtering service.
Solution: To enable the DNS Filtering service, first confirm that 'DNS Filter' is listed under the Security Profiles page. If it is not, enable it from the System -> Feature Visibility page:
Then make sure that at least one DNS Filter Profile is attached to a firewall policy:
Under the Network -> DNS page, the DNS Filtering service should now show as active. In addition, re-run the following command and check the output; it should now show that the service is valid and running:
diagnose test application dnsproxy 3
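Added example, not part of the Fortinet article: the same three steps performed from the FortiGate CLI instead of the GUI. It assumes a single-VDOM unit, an existing firewall policy with ID 1, and the built-in "default" DNS filter profile; lines starting with # are annotations, not CLI input.

```fortios
# Step 1: make DNS Filter visible in the GUI (equivalent of System -> Feature Visibility)
config system settings
    set gui-dnsfilter enable
end

# Step 2: attach a DNS Filter profile to an existing firewall policy
# (policy ID 1 and the "default" profile are assumptions for this example)
config firewall policy
    edit 1
        set utm-status enable
        set dnsfilter-profile "default"
    next
end

# Step 3: verify that the service is licensed and running.
# In the failing state the FGD_DNS_SERVICE_LICENSE line is empty;
# once a DNS Filter profile is in use it should carry a value.
diagnose test application dnsproxy 3
```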
Note: Other factors, such as routing, FortiGuard reachability, or a blocked UDP port, can also prevent the DNS Filtering service from working.
Copyright 2025 Fortinet, Inc. All Rights Reserved.