FortiGate
ppatel
Staff
Article Id 199964
Description

This article describes why a change to DNS filter rules sometimes does not take effect immediately.

FortiGate DNS filter behavior is as follows:

1) On receiving a DNS query, FortiGate forwards it to its destination while obtaining the relevant category from the FortiGuard servers.

2) Once the DNS response arrives, FortiGate holds it until the category information is obtained and acts accordingly:

- If allowed, the response is simply forwarded to the client.

- If blocked, FortiGate replaces the resolved IP with the IP of the block page.

This behavior can lead to a situation where the rule for a certain domain is changed from block to allow (or vice versa) but the clients still resolve the domain to the block page IP.

This is typically caused in cases where a local DNS server is placed before the FortiGate DNS filter.

When FortiGate responds with the IP of the block page, the local DNS server caches that answer and responds to the clients from its cache until the record's TTL expires; the FortiGate does not see those queries at all.

Therefore any rule changes in the FortiGate DNS filter might not be respected immediately.

Scope

 

Solution

1) Wait for the DNS server cache for the specific zone to expire. This time differs as it depends on the zone configuration (the record TTL); it might be anything from a couple of minutes to a couple of days.

2) Manually clear the DNS server cache.

3) Alternatively, it is possible to configure the FortiGate not to redirect to a block page but to respond with an NXDOMAIN or SERVFAIL code for queries that are blocked, so that no block page IP is ever handed to the local DNS server to cache:

# config dnsfilter profile
    edit "demo"
        set block-action block    <----- Returns NXDOMAIN; use 'block-sevrfail' to return SERVFAIL instead.
    next
end
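The following model, added here as an illustration and not part of the article or of FortiOS, reproduces the caching problem described above and the effect of the three remedies. It assumes a local caching resolver in front of a FortiGate that rewrites blocked answers exactly as steps 1) and 2) describe; the domain, addresses, TTLs, the block page address 192.0.2.10 and the 300-second negative-caching TTL applied to NXDOMAIN answers are all constructed sample values, and treating SERVFAIL as uncacheable is a simplification of real resolver behavior.

```python
"""Model of a local caching DNS server placed before a FortiGate DNS filter.

Added example, not Fortinet code. It reproduces the symptom in the article: a
domain rule flipped from block to allow is not seen by clients until the local
resolver's cached block-page answer expires, and shows the effect of the three
remedies. All names, addresses and TTLs are constructed sample values.
"""
from dataclasses import dataclass, field
from typing import Optional

BLOCK_PAGE_IP = "192.0.2.10"  # constructed: the block-portal address in this model


@dataclass
class Answer:
    rcode: str            # "NOERROR", "NXDOMAIN" or "SERVFAIL"
    ip: Optional[str]     # resolved address, None for rcode-only answers
    ttl: int              # how long a downstream cache may keep this answer


@dataclass
class DnsFilter:
    """The FortiGate path: real answer fetched, then rewritten if the domain is blocked."""
    zone: dict                            # constructed records: name -> (ip, ttl)
    blocked: set = field(default_factory=set)
    block_action: str = "redirect"        # FortiOS values: redirect | block | block-sevrfail
    neg_ttl: int = 300                    # assumed negative-caching TTL for NXDOMAIN answers

    def query(self, name: str) -> Answer:
        ip, ttl = self.zone[name]
        if name not in self.blocked:
            return Answer("NOERROR", ip, ttl)
        if self.block_action == "redirect":
            # Block page: the IP is swapped but the record keeps its TTL, so the
            # local DNS server caches the block page address for that long.
            return Answer("NOERROR", BLOCK_PAGE_IP, ttl)
        if self.block_action == "block":
            return Answer("NXDOMAIN", None, self.neg_ttl)
        return Answer("SERVFAIL", None, 0)   # block-sevrfail: nothing cacheable here


@dataclass
class CachingResolver:
    """Local DNS server in front of the FortiGate, caching answers by TTL."""
    upstream: DnsFilter
    cache: dict = field(default_factory=dict)   # name -> (Answer, expires_at)

    def resolve(self, name: str, now: int) -> Answer:
        hit = self.cache.get(name)
        if hit and hit[1] > now:
            return hit[0]                    # served from cache; FortiGate never sees it
        ans = self.upstream.query(name)
        if ans.ttl > 0:
            self.cache[name] = (ans, now + ans.ttl)
        return ans

    def flush(self) -> None:
        """Remedy 2): manually clear the DNS server cache."""
        self.cache.clear()


def is_stale_block_page(ans: Answer, fgt: DnsFilter, name: str) -> bool:
    """Symptom check: the client got the block page IP although the FortiGate
    rule no longer blocks the domain, i.e. the answer came from a stale cache."""
    return ans.ip == BLOCK_PAGE_IP and name not in fgt.blocked


def stale_until_ttl_expires():
    """Remedy 1): the block page IP stays in cache until the record TTL runs out."""
    fgt = DnsFilter({"example.com": ("198.51.100.7", 3600)}, blocked={"example.com"})
    local = CachingResolver(fgt)
    first = local.resolve("example.com", now=0)      # blocked -> block page IP cached
    fgt.blocked.discard("example.com")                # rule changed to allow
    second = local.resolve("example.com", now=60)    # still block page, from cache
    third = local.resolve("example.com", now=3600)   # TTL expired -> real IP again
    return [first.ip, second.ip, third.ip], is_stale_block_page(second, fgt, "example.com")


def fixed_by_flush():
    """Remedy 2): flushing the local cache makes the rule change effective at once."""
    fgt = DnsFilter({"example.com": ("198.51.100.7", 3600)}, blocked={"example.com"})
    local = CachingResolver(fgt)
    local.resolve("example.com", now=0)
    fgt.blocked.discard("example.com")
    local.flush()
    return local.resolve("example.com", now=60).ip


def rcode_instead_of_block_page(action: str):
    """Remedy 3): with block or block-sevrfail no block page IP is ever cached; an
    NXDOMAIN still lingers for the assumed negative TTL, a SERVFAIL does not."""
    fgt = DnsFilter({"example.com": ("198.51.100.7", 3600)},
                    blocked={"example.com"}, block_action=action)
    local = CachingResolver(fgt)
    while_blocked = local.resolve("example.com", now=0)
    fgt.blocked.discard("example.com")
    after_change = local.resolve("example.com", now=60)
    return while_blocked.rcode, while_blocked.ip, after_change.rcode, after_change.ip
```

Running `stale_until_ttl_expires()` shows the client still receiving the block page IP a minute after the rule was relaxed and only getting the real address once the hour-long TTL has passed; `is_stale_block_page()` is the check to run when a client reports a block page that the FortiGate rules no longer explain. The `rcode_instead_of_block_page()` comparison makes the caveat visible: the `block` action keeps the block page IP out of the cache, but a negatively cached NXDOMAIN can still outlive the rule change in this model, whereas the SERVFAIL variant is not cached and picks up the new rule on the next query.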