SoGo
New Contributor II

Block resolution by IP on FortiGate DNS server

Hello

I am evaluating migrating the DNS service to FortiGate. Until now I have been able to configure it so that it resolves addresses by name, but it also does so by IP. What I want to achieve is that it does not resolve by IP and only does so by name. I am using FortiGate firmware version 7.0.5. If someone could guide me, I would really appreciate it.

This is the test lab setup configuration:

[Screenshots of the lab configuration: SoGo_0-1650402156402.png, SoGo_1-1650402183393.png]
pminarik
Staff

Perhaps I am misunderstanding (please correct me if this is wrong), but my understanding of your request is that you are trying to block access to some devices when addressed by IP, i.e.:

https://some-hostname.domain.com => allow

https://192.0.2.1 => block

Am I understanding you correctly?

If no, please clarify what you meant instead.

If yes, then please note that such blocking cannot be performed by a DNS filter, because no DNS queries are generated when a service is being accessed directly by IP.

To perform such blocking, you would need (in general terms) a proxy/web-proxy/reverse-proxy that would inspect the HTTP headers of the client's request and block requests that do not contain an HTTP Host header (or do contain one with an IP as its content).

In FortiGate terms, this might be possible to implement with a webfilter profile, WAF profile, or perhaps with a custom IPS signature.

[ corrections always welcome ]
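The rule the reply describes (allow a request whose Host header names a hostname, block one whose Host header is missing or carries an IP literal) is straightforward to express as proxy-side inspection logic. The following is an added illustration, not code from the original thread or from FortiGate; it runs the rule over a few constructed HTTP/1.x requests and handles the edge cases a real Host header brings: an explicit port, a bracketed IPv6 literal, and a request with no Host header at all (HTTP/1.0).

```python
import ipaddress
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample requests (not captured traffic). They mirror the two
# cases in the reply (access by hostname vs. by IP) plus the edge cases a
# Host header can take in practice.
SAMPLE_REQUESTS = {
    "by_name": b"GET / HTTP/1.1\r\nHost: some-hostname.domain.com\r\nUser-Agent: test\r\n\r\n",
    "by_ipv4": b"GET / HTTP/1.1\r\nHost: 192.0.2.1\r\n\r\n",
    "by_ipv4_port": b"GET / HTTP/1.1\r\nHost: 192.0.2.1:8443\r\n\r\n",
    "by_ipv6": b"GET / HTTP/1.1\r\nHost: [2001:db8::1]:443\r\n\r\n",
    "no_host": b"GET / HTTP/1.0\r\n\r\n",
}


def parse_host_header(raw_request: bytes) -> Optional[str]:
    """Return the Host header value of an HTTP/1.x request, or None if it is absent.

    Header names are matched case-insensitively; only the header block
    (everything before the first blank line) is examined.
    """
    head, _, _ = raw_request.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().decode("latin-1")
    return None


def host_is_ip_literal(host: str) -> bool:
    """True if the Host value is an IPv4 or bracketed IPv6 literal, with or without a port.

    urlsplit() does the host/port split for us and strips IPv6 brackets from
    .hostname; ipaddress then decides whether what remains is an address.
    """
    try:
        hostname = urlsplit("//" + host).hostname
    except ValueError:  # e.g. an unbalanced '[' in the header
        return False
    if not hostname:
        return False
    try:
        ipaddress.ip_address(hostname)
        return True
    except ValueError:
        return False


def policy_decision(raw_request: bytes) -> Tuple[str, str]:
    """Apply the reply's rule: block when Host is missing or is an IP literal, else allow."""
    host = parse_host_header(raw_request)
    if host is None:
        return "block", "no Host header"
    if host_is_ip_literal(host):
        return "block", f"Host is an IP literal: {host}"
    return "allow", f"Host is a name: {host}"


if __name__ == "__main__":
    for label, request in SAMPLE_REQUESTS.items():
        verdict, reason = policy_decision(request)
        print(f"{label:14s} {verdict:5s} ({reason})")
```

The check is only possible where the Host header is visible to the inspecting device: for plain HTTP that is the proxy itself, while for HTTPS the header sits inside the TLS payload and is only available after the proxy has decrypted the session, which is why the reply points at proxy-based features rather than at the DNS filter.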