Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
fjulianom
New Contributor III

Web filtering vs DNS filtering

Hi everyone,

 

If I understand well, Web filter gives you more control over the things you can allow or block, in addition you don't need to use the FortiGuard DNS servers, so you don't have this limitation. Then, my question is, why do you need DNS filter if you can do the same or better with Web filter? Any example?

 

Regards,

Julián

1 Solution
Yurisk
Valued Contributor

They both serve the same goal, but achieve it in very different ways. So one is not better nor worse than the other, but rather depends on the context.

 

  • In both services you do NOT need to use FOrtiGuard as DNS servers unless your Fortigate works on some old FortiOS like 5.6. The only requirements is that Fortigate sees DNS queries of the clients.
  • DNS FIltering (DNSF) works at the DNS queries requests, preventing clients to even get IP address for a malicious web site. So, with DNSF, client is not even trying to establish TCP/UDP connection to the website being blocked.
  • DNSF, unlike Web FIltering (WF), does not work with SSL certificates, so no need to inspect those - less resources are consumed.
  • WF can look inside HTTP packets to make a decision, which is more granular. The DNSF cannot - it decides based on the IP address only.
  • It may be not the case today, but some time ago DNSF was a separately licensed feature, so cost additional money.
  • Where possible, I use both, as I see them complementing each other - none of them 100% proof, but what isn't being caught by DNSF, would hopefully be with WF. 

Yuri
https://yurisk.info/ blog: All things Fortinet, no ads.


All opinions are mine only.

View solution in original post

3 REPLIES 3
Yurisk
Valued Contributor

They both serve the same goal, but achieve it in very different ways. So one is not better nor worse than the other, but rather depends on the context.

 

  • In both services you do NOT need to use FOrtiGuard as DNS servers unless your Fortigate works on some old FortiOS like 5.6. The only requirements is that Fortigate sees DNS queries of the clients.
  • DNS FIltering (DNSF) works at the DNS queries requests, preventing clients to even get IP address for a malicious web site. So, with DNSF, client is not even trying to establish TCP/UDP connection to the website being blocked.
  • DNSF, unlike Web FIltering (WF), does not work with SSL certificates, so no need to inspect those - less resources are consumed.
  • WF can look inside HTTP packets to make a decision, which is more granular. The DNSF cannot - it decides based on the IP address only.
  • It may be not the case today, but some time ago DNSF was a separately licensed feature, so cost additional money.
  • Where possible, I use both, as I see them complementing each other - none of them 100% proof, but what isn't being caught by DNSF, would hopefully be with WF. 

Yuri
https://yurisk.info/ blog: All things Fortinet, no ads.


All opinions are mine only.
fjulianom
New Contributor III

Hi Yuri,

 

Very well explained. I thought DNS filtering needs to use FortiGuard DNS servers because it must use FortiGuard DNS service for DNS lookups, but I understand the FortiGate redirect DNS queries to FortiGuard DNS servers.

On the other hand, does DNS filter block or allow a DNS response based on FortiGuard categories in the same way as Web filter does?

 

Regards,

Julián

Yurisk
Valued Contributor

The need to use FortiGuard DNS servers as DNS was indeed in earlier versions of FortiOS, but somewhere along 6.0-6.2 it was lifted. 

Yes, DNSF can use Category-based filtering as well.

 

Yuri
https://yurisk.info/ blog: All things Fortinet, no ads.


All opinions are mine only.