Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
mhdganji
Contributor

DNS Filtering not available in proxy policy rules

Hi,

In a VDOM used to proxy clients request (acts as a proxy server on 8080), although DNS filter is enabled in feature visibility, but is not displayed (everything is there, WAF, IPS, Web, ...) but DNS filter is not present

 

In the other VDOMs, such as a VDOM linked to the one mentioned above which has direct Internet access, DNS filter is present but as I said in Proxy polices in our Proxy VDOM serving clients request it is not present.

 

Thanks in advance for your help

 

Regards

1 Solution
pminarik

It is not that FortiOS explicit proxy doesn't support it, it is that proxy clients do not pass their DNS requests through the proxy. They don't resolve the FQDNs of websites requested through the proxy at all.

 

When a proxy client wants to connect to www.example.com through the proxy, it does not do any DNS lookup, it directly sends a request to the proxy:
GET http://www.example.com
or
CONNECT https://www.example.com

 

DNS lookup is then handled by the proxy itself. (so the proxy itself can connect to the desired server to facilitate the connection)

 

Feel free to install Wireshark on some test client of yours to verify this client behaviour yourself. Focus on DNS traffic (UDP/53) and proxy traffic (by default TCP/8080 in FortiOS, but maybe you changed it).

 

As such, try using webfilter profile in the proxy policy, making sure you're blocking the Malicious Websites category. I'm not sure if this is 100% the case, but I have checked a handful of FQDNs from the botnet list, and they were all categorized as "Malicious Websites" by the FortiGuard webfilter rating.

[ test signature, please ignore ]

View solution in original post

16 REPLIES 16
pminarik

It is not that FortiOS explicit proxy doesn't support it, it is that proxy clients do not pass their DNS requests through the proxy. They don't resolve the FQDNs of websites requested through the proxy at all.

 

When a proxy client wants to connect to www.example.com through the proxy, it does not do any DNS lookup, it directly sends a request to the proxy:
GET http://www.example.com
or
CONNECT https://www.example.com

 

DNS lookup is then handled by the proxy itself. (so the proxy itself can connect to the desired server to facilitate the connection)

 

Feel free to install Wireshark on some test client of yours to verify this client behaviour yourself. Focus on DNS traffic (UDP/53) and proxy traffic (by default TCP/8080 in FortiOS, but maybe you changed it).

 

As such, try using webfilter profile in the proxy policy, making sure you're blocking the Malicious Websites category. I'm not sure if this is 100% the case, but I have checked a handful of FQDNs from the botnet list, and they were all categorized as "Malicious Websites" by the FortiGuard webfilter rating.

[ test signature, please ignore ]
mhdganji

Thanks for your help and time. The DNS lookup, as you suggested is definitely handled by proxy service and server as always. BUT, the Fortigate itself is my proxy server and handles the DNS requests while serving clients. Therefore, I expect it to do DNS (botnets C&C filtering)

 

Meanwhile, the same repository for malicious and botnet hosts (or at least being very similar) is very interesting but there is a point. Web filtering requires license while DNS filtering works by base license if I\m not wrong here.

 

Anyway thanks again for your complete and comprehensive answer.

pminarik

Happy to help!

Two points of feedback to your reply:

 


@mhdganji wrote:

the Fortigate itself is my proxy server and handles the DNS requests while serving clients. Therefore, I expect it to do DNS (botnets C&C filtering)


I can certainly understand this question, but we should highlight that in general a FortiGate by default does not filter its own traffic (which the DNS queries for proxy clients technically is). And regardless, applying the webfilter to proxy-policies should achieve the same results in this specific scenario.

 


@mhdganji wrote:

Web filtering requires license while DNS filtering works by base license if I\m not wrong here.


This part is actually incorrect I'm afraid. FortiGuard rating for DNS filtering falls under the same license as FortiGuard rating for webfiltering. You can refer to the FortiGuard services datasheet to see which feature is bundled with what: https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiGuard_Security_Services.pdf

web and DNS filtering service snippetweb and DNS filtering service snippet

 

 

[ test signature, please ignore ]
mhdganji

Hi @pminarik 

 

About the second parts, yes you're right.

For the first part, may I propose this one as a feature request?

 

AEK
Contributor II

Hi Mhdganji

I think DNS filtering is old world technique and is not suitable for today's web anymore. Nowadays Web Filtering is the right way to do.

mhdganji

Hi,

 

With DNS filtering, the blocking botnet and c&c ip's is my main goal. Anyway to do that via web filtering?

Richie_C

Hi

 

You could check out IPS for the that. See the following article:

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-configure-Botnet-C-C-IP-blocking/ta-p/1979...

 

Thanks