FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
iskandar_lie (Staff)
Article Id 223110
Description: This article describes how the FortiGate static DNS filter logs traffic according to the action configured for each domain.
Scope: FortiGate.
Solution

This lab test uses a FortiGate as the firewall, with a DNS filter security profile applied, and a Windows PC as the client.

Static DNS filter with domain 'test.com':

[Image: iskandar_lie_0-1662558771130.png]

 

There are 3 (three) action settings:

  • block:   Block DNS requests that match the domain filter, with logging.
  • allow:   Allow DNS requests that match the domain filter, without logging.
  • monitor: Allow DNS requests that match the domain filter, with logging.

*block: the blocked request is redirected to the block portal (as shown in the GUI).

 

The security profile for the DNS filter:

[Image: iskandar_lie_1-1662558986926.png]

Under Security Profiles -> 'DNS Filter', 'Log all DNS queries and responses' must be disabled. FortiGate then logs only according to the action set for each entry in the 'Static Domain Filter' list; actions from the 'FortiGuard Category Based Filter' are not logged.

[Image: iskandar_lie_2-1662559066081.png]

 

Enable the DNS server on the FortiGate:

[Image: iskandar_lie_3-1662559087938.png]

 

On the client PCs, make sure DNS requests are sent to the FortiGate interface IP on which the DNS server is configured; in this example, '192.168.11.1'.

[Image: iskandar_lie_4-1662559119924.png]

 

Under 'Firewall Policy' -> Logging Options, enabling or disabling logging does not affect the logging behavior of the DNS filter ('DNS Query' log); that setting only affects the 'Forward Traffic' log.

[Image: iskandar_lie_5-1662559146510.png]

 

Complete settings view of the DNS filter profile 'test.com':

[Image: iskandar_lie_6-1662559174341.png]
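The same lab setup expressed in the FortiOS CLI, added here as an example and not taken from the article's screenshots. The interface names (port2 = LAN, port1 = WAN), the domain-filter table ID 1 and the policy ID 1 are assumptions; the domain entries mirror the article's test list, and 'log-all-domain' is disabled so that only the per-entry action decides whether a DNS query is logged.

```text
# --- Static domain filter list (assumed table ID 1) ---
config dnsfilter domain-filter
    edit 1
        set name "static-domain-list"
        config entries
            edit 1
                set domain "test.com"
                set type simple
                set action block      # logged, client redirected to block portal
                set status enable
            next
            edit 2
                set domain "google.com"
                set type simple
                set action allow      # not logged
                set status enable
            next
            edit 3
                set domain "detik.com"
                set type simple
                set action block      # logged
                set status enable
            next
            edit 4
                set domain "cnn.com"
                set type simple
                set action monitor    # allowed and logged
                set status enable
            next
        end
    next
end

# --- DNS filter profile that references the list ---
config dnsfilter profile
    edit "test.com"
        config domain-filter
            set domain-filter-table 1
        end
        # Must stay disabled: with it enabled every query is logged,
        # regardless of the per-entry action.
        set log-all-domain disable
        # 'block' entries are answered with a redirect to the block portal.
        set block-action redirect
    next
end

# --- DNS server on the LAN interface the clients point to (assumed port2) ---
config system dns-server
    edit "port2"
        set mode recursive
    next
end

# --- Firewall policy applying the profile (assumed policy ID 1) ---
config firewall policy
    edit 1
        set name "LAN-to-WAN"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set dnsfilter-profile "test.com"
        # Affects only the Forward Traffic log, not the DNS Query log.
        set logtraffic all
        set nat enable
    next
end
```

After applying the configuration, the DNS filter log (Log & Report -> Security Events -> DNS Query) should contain entries for the 'block' and 'monitor' domains only; the 'allow' entry for google.com produces no DNS filter log record even though the Forward Traffic log still records the session.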

 

Performing a web browsing test from the client PC with the following destinations:

  • google.com  -- action allow
  • detik.com   -- action block
  • cnn.com     -- action monitor

[Image: iskandar_lie_7-1662559196095.png]

 

Conclusion:

  • Only the domain with the 'allow' action is not logged; the others are logged.
  • In the log display, the 'monitor' action message shows as 'Domain was allowed because it is in the domain-filter list'.

 

Related article:

Configuring a DNS filter profile