aley
New Contributor

DNS Filter: Enable Safe search for Google, but don't restrict YouTube

We're using a few FortiGate 50E with FortiOS 5.6.2 and DNS filtering, which works great (properly enforces SafeSearch over SSL/TLS without requiring a local certificate to be installed).

 

However, when Safe search is enforced, YouTube restrictions must be set to "strict" or "moderate". Even moderate YouTube restriction blocks LOTS of videos that aren't in any way problematic for a school.

 

Is there a way to have Safe search enabled for search engines (Google, Bing, etc.) but not restrict YouTube?

1 Solution
jonathanaxford

Hi all,

 

I've had confirmation from Fortinet that the DNS filter is an 'all or nothing' setting; it's not possible to remove the YouTube restrictions and keep the Google restrictions on. The only way to cover this is to use SSL inspection and apply the requirements via a webfilter.

 

Cheers

Jon


Dave_Hall

An alternate solution from the old Cookbook recipe (pre-dating the DNS filter) is to set up a local DNS database and/or create a hairpin "loopback" DNS server to "enforce" or redirect DNS queries to itself, for Google SafeSearch.

 

The original source link was https://cookbook.fortinet.com/blocking-adultmature-content-google-safesearch/ but the site has since been moved "in-house" to docs.fortinet.com, so I'm not sure where the document is now, or if it's been revised or needs to be.

 

My original scripting notes for the setup are as follows, though I do recall adding/adjusting something to get it to fully work (I think it was adding another DNS record.)

 

=================================
config system interface
    edit "dns-loop"
        set vdom "root"
        set ip 10.10.10.10 255.255.255.255
        set type loopback
    next
end
=================================
config system settings
    set gui-dns-database enable
end
=================================
config system dns-database
    edit "Google"
        set domain "google.com"
        set authoritative disable
        config dns-entry
            edit 1
                set hostname "www"
                set ip 216.239.38.120
            next
            edit 2
                set hostname "google.com"
                set ip 216.239.38.120
            next
        end
    next
    edit "Google Canada"
        set domain "google.ca"
        set authoritative disable
        config dns-entry
            edit 1
                set hostname "www"
                set ip 216.239.38.120
            next
        end
    next
end
=================================
config system dns-server
    edit "internal_net"
    next
    edit "dns-loop"
    next
end
=================================
config firewall vip
    edit "dns-vip"
        set type load-balance
        set src-filter "192.168.93.1-192.168.93.250"
        set extip 0.0.0.0-239.255.255.255
        set extintf "internal_net"
        set arp-reply disable
        set portforward enable
        set mappedip "10.10.10.10"
        set protocol udp
        set extport 53
        set mappedport 53
    next
end
=================================
config firewall policy
    edit 0
        set name "Map-to-DNS-Internal"
        set srcintf "internal_net"
        set dstintf "dns-loop"
        set srcaddr "all"
        set dstaddr "dns-vip"
        set action accept
        set schedule "always"
        set service "DNS"
    next
end
=================================

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
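To verify that the hairpin above is actually taking effect, you want to send a DNS query straight to the FortiGate (or the VIP address) and confirm that the A record it returns for www.google.com is the forcesafesearch address from the dns-database entries, 216.239.38.120. The script below is an added example, not part of Dave_Hall's post or any Fortinet tool: it builds a raw DNS A query, parses the reply including name compression, and checks every answer against that address. The resolver you pass to query_server and the embedded SAMPLE_RESPONSE are constructed for illustration.

```python
import socket
import struct

SAFESEARCH_IP = "216.239.38.120"  # the address Dave_Hall's dns-database entries point google.com at

def build_query(name, txid=0x1234):  # minimal DNS A query in wire format, RD flag set
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split("."))
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + b"\x00" + struct.pack("!HH", 1, 1)

def _read_name(msg, off):  # -> (name, offset after the name); follows compression pointers
    labels, end = [], None
    while True:
        ln = msg[off]
        if (ln & 0xC0) == 0xC0:  # pointer: remember where this field ends, then jump
            end = end or off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            return ".".join(labels), end or off
        labels.append(msg[off:off + ln].decode())
        off += ln

def parse_a_records(msg):  # IPv4 addresses from the answer section of a response
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, ips = 12, []
    for _ in range(qd):  # skip the question section (name + qtype + qclass)
        off = _read_name(msg, off)[1] + 4
    for _ in range(an):
        off = _read_name(msg, off)[1]
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return ips

def safesearch_enforced(response, expected=SAFESEARCH_IP):
    ips = parse_a_records(response)  # every A record must be the SafeSearch address
    return bool(ips) and all(ip == expected for ip in ips)

def query_server(name, server, port=53, timeout=2.0):  # ask one resolver directly over UDP
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, port))
        return s.recvfrom(512)[0]
# Constructed sample: the response a correctly hairpinned resolver returns for www.google.com
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + build_query("www.google.com")[12:]
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(SAFESEARCH_IP))
```

Against a live FortiGate, `safesearch_enforced(query_server("www.google.com", "<gateway or VIP address>"))` should be True for google.com and google.ca hosts; a False result from a client inside the src-filter range means the query never reached the dns-loop database.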

aley
New Contributor

Three years in, there is still no simple solution. :(

 

I thought that maybe the newly added Static Domain Filter in FortiOS 6 could be used to override the results, but it doesn't seem to be applied to responses that were modified by the Safe Search functionality.
