Description
This article describes how the DNS filter works and the options available for applying a DNS filter profile. A profile can be applied in a firewall policy or on a FortiGate interface that runs the DNS server in recursive mode.
Scope
All FortiOS.
Solution
FortiGate can only intercept or block a DNS query if the request is sent to the FortiGate itself (the FortiGate interface is the client's DNS server) or if it traverses a firewall policy on its way to an external (public) DNS server.
Below is an explanation of why FortiGate was unable to block a filtered domain even though a DNS filter was applied in the firewall policy.
Setup:
Test-PC (10.162.13.127) ---------> (port3) FortiGate ----> Internet.
The default gateway of the PC is the port3 IP of the firewall, 10.162.8.44.
A firewall policy has been configured from port3 towards the internet, with a DNS filter profile applied:
config firewall policy
Below is the DNS filter configured to block the Yahoo domain:
In this case, no DNS query reached the firewall. This can happen because the local machine already has the answer in its DNS cache, or because the DNS server configured on the PC is reached without passing through the firewall. In other scenarios, the DNS filter is not applied because the DNS server configured on the end-user machine is an internal DNS server hosted inside the network. That internal server either answers the query itself or resolves it recursively, so the FortiGate never sees the query and cannot filter it.
To test the behavior, the FortiGate port3 interface IP (10.162.8.44) was configured as the DNS server on the test PC:
With this setup, the DNS filter profile can also be applied at the interface level.
Now the DNS query is received on the FortiGate:
The domain was successfully blocked by the DNS filter on the firewall:
Note: When a FortiGate interface is used as the DNS server, its DNS service mode must be set to recursive; otherwise the DNS query may be dropped on the FortiGate interface itself.
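The following FortiOS CLI configuration is an added example, not the configuration from this article, and it covers both placements described above: the DNS filter profile applied in the port3-to-internet firewall policy, and the same profile applied on the port3 DNS server running in recursive mode. Interface name "wan1", policy ID 1, the profile and filter-table names, and the policy/address objects are assumptions; the blocked domain (yahoo.com), port3, and the recursive-mode requirement come from the article.

```fortios
# Domain filter table: block yahoo.com and its subdomains (assumed table ID and name)
config dnsfilter domain-filter
    edit 1
        set name "block-yahoo-list"
        config entries
            edit 1
                set domain "yahoo.com"
                set type wildcard
                set action block
                set status enable
            next
        end
    next
end

# DNS filter profile that references the table above (assumed profile name)
config dnsfilter profile
    edit "block-yahoo"
        config domain-filter
            set domain-filter-table 1
        end
        set block-action block
        set log-all-domain enable
    next
end

# Placement 1: DNS filter in the firewall policy.
# Only DNS queries that traverse this policy (PC -> external DNS server) are inspected.
config firewall policy
    edit 1
        set name "port3-to-internet"
        set srcintf "port3"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set dnsfilter-profile "block-yahoo"
        set logtraffic all
        set nat enable
    next
end

# Placement 2: DNS filter on the port3 DNS server.
# The PC must use 10.162.8.44 as its DNS server; mode must be recursive or the
# query is dropped on the interface instead of being resolved and filtered.
config system dns-server
    edit "port3"
        set mode recursive
        set dnsfilter-profile "block-yahoo"
    next
end
```

Before concluding that the filter itself is broken, verify that DNS queries actually arrive at the FortiGate: `diagnose sniffer packet port3 'udp port 53' 4` on the firewall while resolving the domain from the PC. No packets in the capture means the query is being answered from the local cache or by a DNS server that is not reached through the FortiGate, which is the situation described in this article and which no DNS filter placement can fix; the DNS filter logs (Log & Report > DNS Query) should then show the blocked query once the PC points at the FortiGate interface.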
Copyright 2025 Fortinet, Inc. All Rights Reserved.