| Description | This article describes how to use the DNS filter profile to filter and minimize Internet usage by interrupting client DNS queries. |
| Scope | FortiGate |
| Solution |
Internet access for the different network segments is normally restricted with security profiles such as web filter and application control.
Because web filter and DNS filter use the same FortiGuard domain categories, a DNS filter profile can block unwanted, non-productive, or untrusted domains at the client's DNS lookup itself, before any connection to the site is attempted.
Where the DNS filter profile is applied in the FortiGate policy set depends on how clients resolve names. The two common cases are described below.
Scenario 1: All the client machines are configured with a public DNS server.
For example:
There are two network segments, LAN and WIFI, each allowed to access the Internet with different access restrictions.
The respective DNS filter profile is applied to the LAN-to-WAN policy and to the WIFI-to-WAN policy.
Because every DNS query leaves the client directly, FortiGate sees the source address of each client and matches it to its segment's policy. The DNS filter therefore blocks domain access for LAN and WIFI users according to the categories blocked in the profile applied to their respective policy.
Scenario 2: All client machines are configured with a local DNS server, and that server forwards unresolved queries to a public DNS server. In this case, the DNS filter should be applied to the client-to-local-DNS-server policy, and not to the policy that carries the local DNS server's queries to the Internet or forwarder DNS server IP.
The reason is that on the local-DNS-server-to-Internet policy FortiGate sees only the forwarded queries, all of which originate from the DNS server's own address, so the action set for a FortiGuard category in the applied DNS filter profile is enforced on every query regardless of which client asked.
The local DNS server caches that rewritten response and then resolves the domain to the 'Redirect Portal IP' for all users, so it is no longer possible to apply different security and access restrictions to different users.
The correct approach in this scenario is to create a separate security policy per user group or network segment for the traffic from that segment to the local DNS server, and to apply to each a DNS filter profile that blocks the categories required for that segment. With different DNS filter profiles applied to the segment-to-local-DNS-server policies, FortiGate replaces the answer for the specific domain with the 'Redirect Portal IP' according to the action set in the profile of the matching policy, and the local DNS server's cache is never populated with the redirect address.
For example:
Policy ID 2 allows DNS communication from the local DNS server to the forwarder DNS server; no DNS filter is applied here, so the local DNS server's cache is never updated with the 'Redirect Portal IP'. Policies 5 and 6 are created for LAN-network-to-DNS-server and WIFI-network-to-DNS-server communication respectively, and the respective DNS filter profile is applied to each.
If the DNS filter does not block the lookup, the Internet-access policies (policies 6 and 7 in this example) allow the client to connect to the domain/website, where the traffic is further inspected by the other UTM profiles.
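The following CLI configuration is an added example for Scenario 2, not taken from the original article; it also covers Scenario 1, which differs only in that the same `set dnsfilter-profile` line is placed on the LAN-to-WAN and WIFI-to-WAN policies instead of the policies to the local DNS server. The policy IDs follow the article; the address objects, interface names (lan, wifi, dmz, wan1), profile names and the FortiGuard category IDs are assumptions and must be adapted to the unit before use.

```fortios
# Address objects (names and addresses are assumptions for this example).
config firewall address
    edit "LAN-net"
        set subnet 192.168.10.0 255.255.255.0
    next
    edit "WIFI-net"
        set subnet 192.168.20.0 255.255.255.0
    next
    edit "Local-DNS"
        set subnet 192.168.1.53 255.255.255.255
    next
    edit "Forwarder-DNS"
        set subnet 203.0.113.53 255.255.255.255
    next
end

# One DNS filter profile per segment. The category numbers are FortiGuard
# category IDs and are assumed here; confirm them on the unit (for example
# with 'get webfilter categories') before copying.
config dnsfilter profile
    edit "DNSF-LAN"
        config ftgd-dns
            config filters
                edit 1
                    set category 26
                    set action block
                next
            end
        end
    next
    edit "DNSF-WIFI"
        config ftgd-dns
            config filters
                edit 1
                    set category 26
                    set action block
                next
                edit 2
                    set category 14
                    set action block
                next
            end
        end
    next
end

# Policies. The forwarder policy carries only the DNS server's own queries,
# so it deliberately has no DNS filter profile.
config firewall policy
    edit 2
        set name "LocalDNS-to-Forwarder"
        set srcintf "dmz"
        set dstintf "wan1"
        set srcaddr "Local-DNS"
        set dstaddr "Forwarder-DNS"
        set action accept
        set schedule "always"
        set service "DNS"
        set nat enable
    next
    edit 5
        set name "LAN-to-LocalDNS"
        set srcintf "lan"
        set dstintf "dmz"
        set srcaddr "LAN-net"
        set dstaddr "Local-DNS"
        set action accept
        set schedule "always"
        set service "DNS"
        set utm-status enable
        set ssl-ssh-profile "no-inspection"
        set dnsfilter-profile "DNSF-LAN"
    next
    edit 6
        set name "WIFI-to-LocalDNS"
        set srcintf "wifi"
        set dstintf "dmz"
        set srcaddr "WIFI-net"
        set dstaddr "Local-DNS"
        set action accept
        set schedule "always"
        set service "DNS"
        set utm-status enable
        set ssl-ssh-profile "no-inspection"
        set dnsfilter-profile "DNSF-WIFI"
    next
end
```

To check the placement, resolve a domain from a category blocked only in DNSF-WIFI from a WIFI client and then from a LAN client: the WIFI client should receive the redirect portal address, while the LAN client (and the local DNS server itself) should still receive the real address, which shows that the local server's cache was not populated with the redirect answer. The policies above only control queries that go through the local DNS server; clients that can reach public resolvers directly, or use DNS over HTTPS, bypass the profile, so client-originated DNS to the Internet should be denied by a separate policy.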
Related document: |
Copyright 2025 Fortinet, Inc. All Rights Reserved.