Article Id 260790
Description This article describes the block actions available under the DNS filter profile and how each one appears to the client.
Scope FortiGate, FortiGuard.

A DNS filter profile can block domains through the FortiGuard Category Based Filter and through Static Domain Filtering. This article focuses on the block action, which determines the DNS response a client receives for a blocked domain.


Below are the CLI commands to set the block action in a DNS filter profile (entering 'set block-action ?' instead of a value lists the available options):


config dnsfilter profile
    edit <DNS profile name>
        set block-action redirect
    next
end


The three options are:

block                     Return NXDOMAIN for blocked domains.
redirect (default)        Redirect blocked domains to the SDNS portal (FortiGuard block page).
block-sevrfail            Return SERVFAIL for blocked domains (the CLI keyword is spelled block-sevrfail).


In the example below, the user tries to access a website that belongs to a category blocked in the DNS filter. With the default action (redirect), the client receives a successful DNS response, but the IP address in the answer is that of the FortiGuard block page. In some environments a successful response of this kind is treated as a sign that the domain resolved normally and raises a false-positive event; there it is recommended to use option 2 (block) or option 3 (block-sevrfail) instead, since both return an error code rather than an address.


Below is what the block page looks like:


[Image: FortiGuard DNS block page]


1. Redirect: Redirect blocked domains to the SDNS portal.


nslookup results:

Non-authoritative answer:
Addresses: 2001:cdba::3257:9652


[Image: Wireshark capture of the redirected DNS answer]


2. Block: Return NXDOMAIN for blocked domains.


NXDOMAIN tells the client that the server processed the query but the requested domain name does not exist, so no IP address is returned.


Server: UnKnown


*** UnKnown can't find Non-existent domain




3. block-sevrfail: Return SERVFAIL for blocked domains.


SERVFAIL tells the client that the server was unable to process the query. Clients and monitoring tools report this as a server failure rather than as a successful lookup.


Server: UnKnown


*** UnKnown can't find Server failed


[Image: nslookup output showing the server failure]
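The three client-side outcomes above (an answer pointing at the block page, NXDOMAIN, SERVFAIL) can be checked from a host behind the FortiGate. The script below is an added example, not code from this article or from FortiOS: it builds a DNS query, parses the raw reply and names the block action that would produce it. The sample replies are constructed inline so it runs offline; REDIRECT_ADDRS and the probe() helper are assumptions, and the redirect address should be replaced with whatever your FortiGate actually returns for the block page.

```python
"""Classify a DNS reply against the FortiGate DNS-filter block actions.

Added example, not from the Fortinet article or FortiOS. Maps a raw reply onto
redirect (NOERROR + block-page address), block (NXDOMAIN) and block-sevrfail
(SERVFAIL). REDIRECT_ADDRS is an assumption taken from the article's nslookup.
"""
import socket
import struct

RCODE_NOERROR, RCODE_SERVFAIL, RCODE_NXDOMAIN = 0, 2, 3
TYPE_A, TYPE_AAAA = 1, 28

# Assumed block-page address (the AAAA answer shown in the article).
REDIRECT_ADDRS = {"2001:cdba::3257:9652"}


def encode_name(name):
    """Encode 'www.example.com' as length-prefixed DNS labels."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(x)]) + x.encode() for x in labels) + b"\x00"


def build_query(qid, name, qtype=TYPE_A):
    """Standard recursive query: QR=0, RD=1, one question, no answers."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_response(qid, name, rcode, addrs=()):
    """Constructed reply (QR=1, RD=1, RA=1) used for the offline samples."""
    header = struct.pack("!HHHHHH", qid, 0x8180 | rcode, 1, len(addrs), 0, 0)
    body = encode_name(name) + struct.pack("!HH", TYPE_A, 1)
    for addr in addrs:
        fam = socket.AF_INET6 if ":" in addr else socket.AF_INET
        rtype = TYPE_AAAA if fam == socket.AF_INET6 else TYPE_A
        rdata = socket.inet_pton(fam, addr)
        # 0xC00C is a compression pointer back to the question name at offset 12.
        body += struct.pack("!HHHIH", 0xC00C, rtype, 1, 60, len(rdata)) + rdata
    return header + body


def skip_name(data, pos):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer ends the name
            return pos + 2
        pos += length + 1


def parse_response(data):
    """Return (rcode, [A/AAAA addresses]) from a raw DNS response."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    pos = 12
    for _ in range(qdcount):
        pos = skip_name(data, pos) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        pos = skip_name(data, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        pos += 10
        rdata, pos = data[pos:pos + rdlen], pos + rdlen
        if rtype == TYPE_A:
            addrs.append(socket.inet_ntop(socket.AF_INET, rdata))
        elif rtype == TYPE_AAAA:
            addrs.append(socket.inet_ntop(socket.AF_INET6, rdata))
    return flags & 0x0F, addrs


def classify(data, redirect_addrs=REDIRECT_ADDRS):
    """Name the DNS-filter block action that would produce this reply."""
    rcode, addrs = parse_response(data)
    if rcode == RCODE_NXDOMAIN:
        return "block (NXDOMAIN)"
    if rcode == RCODE_SERVFAIL:
        return "block-sevrfail (SERVFAIL)"
    if rcode == RCODE_NOERROR and addrs and set(addrs) <= set(redirect_addrs):
        # A successful answer: this is what monitoring tools read as "resolved".
        return "redirect (answer points at the block page)"
    if rcode == RCODE_NOERROR:
        return "allowed / not filtered"
    return "other rcode %d" % rcode


def probe(name, server, timeout=2.0):
    """Send a live query through the FortiGate and classify the reply."""
    qid = 0x1234
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qid, name), (server, 53))
        data, _ = s.recvfrom(4096)
    if struct.unpack("!H", data[:2])[0] != qid:
        raise ValueError("transaction ID mismatch; discard the reply")
    return classify(data)


# Constructed sample replies, one per block action (blocked.example is made up).
SAMPLES = {
    "redirect": build_response(1, "blocked.example", RCODE_NOERROR, ["2001:cdba::3257:9652"]),
    "block": build_response(2, "blocked.example", RCODE_NXDOMAIN),
    "block-sevrfail": build_response(3, "blocked.example", RCODE_SERVFAIL),
}
```

Run classify() over SAMPLES to see the three outcomes side by side, or call probe("<blocked domain>", "<FortiGate DNS IP>") from a client behind the firewall to confirm which action the profile is actually applying. The redirect case is the only one that returns a usable address, which is why it can look like a normal resolution to anything that only checks for a successful answer.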


The DNS filter log entry looks the same for all three block actions; only the response sent to the client differs, according to the block action chosen in the DNS profile:


[Image: DNS filter block log entry]