mhdganji
Contributor

Read inside DNS requests

Hi, 

I'd like to be able to inspect normal DNS requests passing through the firewall and find the record they are trying to query. For instance, clients go to query the DNS record for google.com and this request passes the firewall policies. I want to know which destination address was queried (here, google.com).

 

Is that possible with FortiOS?

 

Regards,

 

1 Solution
Yurisk
Valued Contributor

Sure, just do a packet sniffer on CLI (or even in the GUI in versions 7.2 or newer) and it will show you contents of the DNS packets:

dia sni pa any 'port 53' 6

The sniffer filter syntax is that of Tcpdump.

 

I recorded a video of how to do it in the GUI (7.2 or newer only, in older versions you have to sniff and then download packets to the local host, you cannot see packets' content in the Fortigate GUI itself): https://yurisk.info/2022/04/21/fortios-7-2-new-improved-packet-sniffer-in-gui/ 

 

Cheers

Yuri
https://yurisk.info/ blog: All things Fortinet, no ads.


All opinions are mine only.

syordanov
Staff

Dear mhdganji,


You can use DNS filtering. DNS filtering looks at the "nameserver" response, which typically occurs when you connect to a website.

When a device initiates a DNS lookup, it sends the FQDN information in the initial request. When Fortigate receives the DNS request from the client, it sends a simultaneous request to the Fortiguard SDNS servers. With the Fortiguard SDNS service, there are two possible results:

1. Category is allowed: the original response is passed.
2. Category is blocked: Fortigate overrides the site's IP address with the Fortiguard override address and presents a DNS error to the client.

This is very useful, because the connection to a specific web page could be blocked before the HTTP request is even sent.

Some useful KB articles:
https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/968395/dns-filtering
https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/572589/how-to-configure-and-apply-a-dns-...
https://docs.fortinet.com/document/fortigate/6.4.0/administration-guide/605868/dns-filter

Best regards,

Fortinet

mhdganji

Thanks, but this is not what I was looking for. DNS requests are just passing through the firewall from the client to an MS DNS.

I used packet filtering, exported the log, viewed it in Wireshark, and I was done.

 

I wonder if there is any method to see these logs inside the Fortigate box without Wireshark or third-party software.

 

 

syordanov
Staff

Hello mhdganji,

No, there is no other way to see these logs except if you have DNS filtering.

 

mhdganji
Contributor

So far so good. Another question:

 

Is there any way to filter packets based on DNS requests? I mean, I'd like to drop DNS requests from a source to a destination if their request is looking for a specific domain or record (or is not looking for specific records).

 

For example, if clients are sending queries for our internal domain records, that would be OK, but if the DNS query is for anything except *.internaldomain.net, it should be detected and blocked.

 

Appreciate your answers.

mhdganji

Using DNS static domain filtering I could do that ...
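As an added example that is not part of the thread or any Fortinet tooling: the sniffer shows the raw port-53 payload, and this small Python parser pulls the queried name and record type out of the DNS question section, then applies the "only *.internaldomain.net is allowed" rule mhdganji describes. The sample query bytes and the allowed suffix list are constructed here for illustration; the parser handles any single-question query, not just the A records in the thread.

```python
import struct

# Common QTYPE values seen in client queries (constructed lookup table).
QTYPE_NAMES = {1: "A", 5: "CNAME", 15: "MX", 16: "TXT", 28: "AAAA"}


def build_query(name, qtype=1, txid=0x1234):
    """Build a minimal DNS query payload as constructed sample input (not a capture)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS IN


def parse_query(payload):
    """Return (qname, qtype_name) from the question section of a DNS query payload."""
    if len(payload) < 12:
        raise ValueError("payload shorter than a DNS header")
    _txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000:
        raise ValueError("QR bit set: this is a response, not a query")
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            raise ValueError("truncated question name")
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers do not belong in a query name
            raise ValueError("compression pointer in question name")
        labels.append(payload[pos:pos + length].decode("ascii"))
        pos += length
    if len(payload) < pos + 4:
        raise ValueError("truncated QTYPE/QCLASS")
    qtype, _qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return ".".join(labels).lower(), QTYPE_NAMES.get(qtype, str(qtype))


def is_allowed(qname, allowed_suffixes=("internaldomain.net",)):
    """Allow-list check: the zone itself and its subdomains pass, everything else is flagged."""
    return any(qname == s or qname.endswith("." + s) for s in allowed_suffixes)


def verdict(payload):
    """Classify one captured query payload as 'allow' or 'block' with the name it asked for."""
    qname, qtype = parse_query(payload)
    return ("allow" if is_allowed(qname) else "block", qname, qtype)
```

The suffix comparison includes the leading dot so that a look-alike such as evilinternaldomain.net does not match the internal zone.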