Troubleshooting Tip: 'Web page blocked!' error with an internal DNS server

Topology:

Context:

The computer has the internal DNS server configured as 192.168.1.20, as shown in the following image:

Check website domain resolution via Command Prompt:

The FQDN resolved to IP 208.91.112.55, which belongs to the FortiGuard default portal. Upon reviewing one of the DNS profiles, it was identified that this IP is associated with the Redirect portal. The blocking message appears because the DNS profile is responsible for the block.

The LAN to WAN firewall policy has DNS and Web filter security profiles.

Below are the possible solutions for the scenario and problem raised:

1. Run the command 'Clear-DnsServerCache' on the DNS server after production hours in the Windows DNS server.
2. Create a new firewall policy allowing DNS service (port 53) from the DNS server IP to the Internet, without applying DNS security profiles. Place this new policy above the existing Internet firewall policy. The firewall policy should be structured as follows:
   
   

3. Allow the website from the DNS Profile using the Static Domain Filter. 

After the changes, users who have the Internal DNS server configured should not experience these types of blocks when consulting websites.

If disabling the DNS filter is not a feasible option, make sure that the category of the URL that is trying to resolve falls under the allowed/monitor category. More information is available in FortiGuard category-based DNS domain filtering.

To use an alternative block option like Return NXDOMAIN or SERVFAIL other than redirect to block portal refer to this article Technical Tip: Various Block option under DNS filter.

For more DNS filter troubleshooting assistance, refer to this document: Troubleshooting for DNS filter.