FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Mohammed_Feroz
Article Id 260790
Description This article describes the block-action options available in the FortiGate DNS filter profile and what the client sees for each one.
Scope FortiGate, FortiGuard.
Solution

The DNS filter profile can block lookups in two ways: by FortiGuard category (FortiGuard Category Based Filter) and by a static list of domains (Static Domain Filtering). This article focuses on what the client receives when a lookup is blocked, which is controlled by the block-action setting of the DNS filter profile.

 

Use the following CLI to view and set the block action. Typing set block-action ? inside the profile lists the available values:

config dnsfilter profile
    edit <DNS profile name>
        set block-action ?
        set block-action redirect
    next
end

block              Return NXDOMAIN for blocked domains.
redirect (default) Redirect blocked domains to the SDNS portal (FortiGuard block page).
block-sevrfail     Return SERVFAIL for blocked domains. (The option is spelled this way in the CLI.)

 

In the example below, the user tries to access a website that belongs to a category blocked in the DNS filter. With the default behavior (redirect), the user receives a successful DNS response, but the IP address in the answer belongs to the FortiGuard block page rather than to the site. In some environments, that successful response is itself a problem: monitoring tools or applications treat the resolved answer as a working lookup and raise a false positive. For those environments it is recommended to use option 2 (block) or option 3 (block-sevrfail), which return an error code instead of an address.

 

The block page looks like this:

 

[Image: DNS block page]

 

1. Redirect: Redirect blocked domains to the SDNS portal.

 

nslookup results (the IPv4 address in the answer is the FortiGuard block page, not the site's real address):

Non-authoritative answer:
Name:      google.com
Addresses: 2001:cdba::3257:9652
           208.91.112.55

 

[Image: DNS redirect response in Wireshark]

 

2. Block: Return NXDOMAIN for blocked domains.

 

NXDOMAIN (RCODE 3) tells the client that the name does not exist: the DNS server received the query but returned no address for the domain. Client applications treat this as a failed lookup rather than a successful resolution.

 

nslookup google.com 8.8.8.8
Server: UnKnown
Address: 8.8.8.8

 

*** UnKnown can't find google.com: Non-existent domain

 

[Image: NXDOMAIN (Non-existent domain) response]

 

3. block-sevrfail: Return SERVFAIL for blocked domains.

 

SERVFAIL (RCODE 2) tells the client that the server was unable to process the query. Unlike NXDOMAIN, it does not assert that the name is absent, so resolvers and applications may retry or fall back to another server; the lookup still fails without returning an address.

 

nslookup google.com 8.8.8.8
Server: UnKnown
Address: 8.8.8.8

 

*** UnKnown can't find google.com: Server failed

 

[Image: SERVFAIL (Server failed) response]
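The three behaviors above can be told apart programmatically, which is useful when checking which block action a profile applies or when tuning a monitoring tool that raises false positives on the redirect answer. The following is an added example (not code from the article or from Fortinet) that parses DNS wire-format responses with only the Python standard library and maps them to the three block actions. The packets produced by build_response() are constructed test data; 208.91.112.55 is the block-page address seen in the article's nslookup output, the example.org address is made up, and live_query() is an assumed helper for sending a real query that the offline samples do not use.

```python
"""Classify DNS responses the way a client behind a FortiGate DNS filter sees them.

Added example, not from the article or from Fortinet. Parses RFC 1035 wire-format
responses and maps them to: redirect (NOERROR, answer is the FortiGuard block page),
block (NXDOMAIN) and block-sevrfail (SERVFAIL).
"""
import socket
import struct

# Block-page address from the article's nslookup output. Assumption: any answer
# containing this address is treated as a "redirect" block.
FORTIGUARD_BLOCK_PAGE = {"208.91.112.55"}

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def _encode_name(name):
    """Encode a dotted name as length-prefixed DNS labels, zero terminated."""
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in name.split(".")) + b"\x00"


def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after the name)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_response(msg):
    """Return the response code name and the A/AAAA addresses in the answer section."""
    _id, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):                 # skip the question section
        _, off = _read_name(msg, off)
        off += 4                             # QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        _, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:        # A record
            addrs.append(socket.inet_ntop(socket.AF_INET, rdata))
        elif rtype == 28 and rdlen == 16:    # AAAA record
            addrs.append(socket.inet_ntop(socket.AF_INET6, rdata))
    rcode = flags & 0x0F
    return {"rcode": RCODE_NAMES.get(rcode, str(rcode)), "answers": addrs}


def classify(msg):
    """Map a response to the FortiGate block-action that would have produced it."""
    r = parse_response(msg)
    if r["rcode"] == "NXDOMAIN":
        return "block (NXDOMAIN)"
    if r["rcode"] == "SERVFAIL":
        return "block-sevrfail (SERVFAIL)"
    if r["rcode"] == "NOERROR" and any(a in FORTIGUARD_BLOCK_PAGE for a in r["answers"]):
        return "redirect (FortiGuard block page)"
    return "not blocked"


def build_response(name, rcode, answers=()):
    """Build a minimal response to an A query for `name` (constructed test data)."""
    flags = 0x8180 | rcode                   # QR=1, RD=1, RA=1, RCODE as given
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), 0, 0)
    question = _encode_name(name) + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
    rrs = b""
    for addr in answers:
        family, rtype = (socket.AF_INET6, 28) if ":" in addr else (socket.AF_INET, 1)
        rdata = socket.inet_pton(family, addr)
        # Owner name is a compression pointer (0xC00C) to the question name at offset 12.
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 60, len(rdata)) + rdata
    return header + question + rrs


def live_query(name, server, timeout=3.0):
    """Assumed helper: send a real A query over UDP/53 and return the raw response."""
    query = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + _encode_name(name) + struct.pack("!HH", 1, 1)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        return sock.recv(4096)


if __name__ == "__main__":
    samples = {  # constructed packets, one per block action plus an unblocked lookup
        "redirect": build_response("google.com", 0, ["2001:cdba::3257:9652", "208.91.112.55"]),
        "block": build_response("google.com", 3),
        "block-sevrfail": build_response("google.com", 2),
        "allowed": build_response("example.org", 0, ["93.184.216.34"]),
    }
    for label, pkt in samples.items():
        print(f"{label:15} -> {classify(pkt)}  {parse_response(pkt)}")
```

To check a live profile, replace the constructed packets with classify(live_query("blocked.example", "<FortiGate DNS address>")); a tool that alerts on redirect answers can use the same check to suppress the false positive described above.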

 

The DNS filter log entry looks the same for all three actions. What differs is the DNS response the client receives, which depends on the block-action chosen in the DNS profile:

 

[Image: DNS filter block log entry]