DNS Filter: Enable Safe search for Google, but don't restrict YouTube
We're using a few FortiGate 50E with FortiOS 5.6.2 and DNS filtering, which works great (properly enforces SafeSearch over SSL/TLS without requiring a local certificate to be installed).
However, when Safe search is enforced, YouTube restrictions must be set to "strict" or "moderate". Even moderate YouTube restriction blocks LOTS of videos that aren't in any way problematic for a school.
Is there a way to have Safe search enabled for search engines (Google, Bing, etc.) but not restrict YouTube?
I've had confirmation from Fortinet that the DNS filter is an 'all or nothing' setting; it's not possible to remove the YouTube restrictions and keep the Google restrictions on. The only way to cover this is to use SSL inspection and apply the requirements via a webfilter.
An alternate solution from the old Cookbook recipe (pre-dating the DNS filter) is to set up a local DNS database and/or create a hairpin "loopback" DNS server to "enforce" or redirect DNS queries to itself, for Google Safe Search.
My original scripting notes for the setup are as follows, though I do recall adding/adjusting something to get it to fully work (I think it was adding another DNS record.)
=================================
config system interface
    edit "dns-loop"
        set vdom "root"
        set ip 10.10.10.10 255.255.255.255
        set type loopback
    next
end
=================================
config system settings
    set gui-dns-database enable
end
=================================
config system dns-database
    edit "Google"
        set domain "google.com"
        set authoritative disable
        config dns-entry
            edit 1
                set hostname "www"
                set ip 22.214.171.124
            next
            edit 2
                set hostname "google.com"
                set ip 126.96.36.199
            next
        end
    next
    edit "Google Canada"
        set domain "google.ca"
        set authoritative disable
        config dns-entry
            edit 1
                set hostname "www"
                set ip 188.8.131.52
            next
        end
    next
end
=================================
config system dns-server
    edit "internal_net"
    next
    edit "dns-loop"
    next
end
=================================
config firewall vip
    edit "dns-vip"
        set type load-balance
        set src-filter "192.168.93.1-192.168.93.250"
        set extip 0.0.0.0-184.108.40.206
        set extintf "internal_net"
        set arp-reply disable
        set portforward enable
        set mappedip "10.10.10.10"
        set protocol udp
        set extport 53
        set mappedport 53
    next
end
=================================
config firewall policy
    edit 0
        set name "Map-to-DNS-Internal"
        set srcintf "internal_net"
        set dstintf "dns-loop"
        set srcaddr "all"
        set dstaddr "dns-vip"
        set action accept
        set schedule "always"
        set service "DNS"
    next
end
=================================
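To make the mechanism behind that hairpin/local-DNS approach concrete, here is an added, self-contained illustration (written for this thread, not Fortinet's code or the cookbook's): a tiny DNS-layer SafeSearch policy that steers www.google.&lt;tld&gt; queries to Google's published SafeSearch VIP name (forcesafesearch.google.com) while leaving YouTube alone, which is exactly the split the question asks for and which the built-in DNS filter cannot do. Unlike the cookbook config above, which hands back A records, this returns a CNAME so you never have to hard-code Google's current IP; the YouTube mode switch ("off", "moderate", "strict") maps to the restrict.youtube.com / restrictmoderate.youtube.com names Google documents for Restricted Mode. The hostname list, the sample queries and the 300-second TTL are constructed for the example.

```python
"""Per-hostname SafeSearch steering at the DNS layer (illustration only).

Google publishes two DNS-based enforcement hooks:
  * point www.google.<tld> at forcesafesearch.google.com  -> SafeSearch on
  * point YouTube hostnames at restrict.youtube.com (strict) or
    restrictmoderate.youtube.com (moderate)               -> Restricted Mode
A resolver that decides per query name can apply the first without the second.
"""
import struct

FORCE_SAFESEARCH = "forcesafesearch.google.com"
YT_STRICT = "restrict.youtube.com"
YT_MODERATE = "restrictmoderate.youtube.com"

# YouTube hostnames Google lists for DNS-based Restricted Mode (constructed
# subset for the example; extend to whatever your clients actually query).
YOUTUBE_HOSTS = {
    "www.youtube.com", "m.youtube.com", "youtubei.googleapis.com",
    "youtube.googleapis.com", "www.youtube-nocookie.com",
}


def override_for(qname, youtube_mode="off"):
    """Return the CNAME to answer with, or None to let the name resolve normally.

    youtube_mode: "off" keeps YouTube untouched (the question's requirement),
    "moderate" and "strict" enforce Restricted Mode at the chosen level.
    """
    labels = qname.rstrip(".").lower().split(".")
    name = ".".join(labels)
    # www.google.<tld> and www.google.<cc>.<tld>, e.g. www.google.co.uk.
    # A production deployment should use an explicit list of Google TLDs.
    if labels[:2] == ["www", "google"] and len(labels) in (3, 4):
        return FORCE_SAFESEARCH
    if name in YOUTUBE_HOSTS:
        if youtube_mode == "strict":
            return YT_STRICT
        if youtube_mode == "moderate":
            return YT_MODERATE
    return None


def encode_name(name):
    """DNS wire format: length-prefixed labels terminated by a zero byte."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(txid, qname, qtype=1):
    """Minimal client query: RD set, one question, class IN (1 = A record)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def parse_question(packet):
    """Return (txid, qname, qtype, end_of_question_offset) for a one-question packet."""
    txid, _flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    qtype = struct.unpack("!H", packet[pos:pos + 2])[0]
    return txid, ".".join(labels), qtype, pos + 4  # skip QTYPE + QCLASS


def answer(packet, youtube_mode="off"):
    """Build a CNAME response for steered names; None means forward upstream."""
    txid, qname, _qtype, qend = parse_question(packet)
    target = override_for(qname, youtube_mode)
    if target is None:
        return None
    # Flags 0x8180: QR=1 (response), RD=1, RA=1, RCODE=0.
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = packet[12:qend]
    rdata = encode_name(target)
    # 0xC00C = compression pointer back to the question name at offset 12;
    # TYPE 5 = CNAME, CLASS 1 = IN, TTL 300 seconds (constructed value).
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 5, 1, 300, len(rdata)) + rdata
    return header + question + rr
```

Plug `answer()` in front of your real resolver (forward anything it returns None for) and clients on the steered VLAN get SafeSearch on google.* while YouTube keeps resolving to Google's normal front ends. The same caveat applies as to the FortiGate version: it only works for clients that actually use your resolver, so you still need to block or redirect port 53 and DoH/DoT egress for it to be enforced rather than advisory.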
Three years in, there is still no simple solution. :(
I thought that maybe the newly added Static Domain Filter in FortiOS 6 could be used to override the results, but it doesn't seem to be applied to responses that were modified by the Safe Search functionality.