The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
joh2k
New Contributor III

DNS Filter should redirect, but requests completed

Hello,

We have a FortiGate v6.4.11 running in our dependencies, and we try to block any connection to botnet C&C.

 

We've got a policy with 2 Security Profiles:

  1. DNS Filter redirects botnet C&C requests to Block Portal and uses FortiGuard Based Filter, where Malicious Websites, Phishing sites, spam URLs and Newly X Domains are also redirected to Block Portal.
  2. Application Control allows DNS traffic

When I use the nslookup command to request an imaginary FQDN on a well-known malicious DNS server, FortiGate unexpectedly allows the request:

  • Policy ID: the defined one :)
  • Application: DNS
  • Application Action: detected
  • Application Category: Network.service
  • Application Risk: elevated
  • Service: DNS

On the other hand, other fields make me think the request should not reach the malicious server:

  • tdthreatname: Sinkhole
  • tdthreattype: Malware
  • tdtype: infected-ip
  • tdwfcate: Spyware and Malware

So the thing is that ApplicationControl allows DNS network service, but DNS should block it since it is directed to a known malicious server.

To my understanding, communication should be blocked.

I have read the administration guide but I see no clue.

Did anyone face that problem before?

Thanks for your help,

1 Solution
distillednetwork
Contributor III

To my knowledge DNS server doesn't validate the DNS Server itself, just the DNS request, as long as it's not HTTPS. If the domain requested is not matching any of those categories it should allow it.

You probably need to adjust your IPS filter to block access to the server itself.

 

 

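To make the gap concrete, here is an added example that is not part of the thread or of any Fortinet tool: a small Python script that parses FortiGate-style key=value log lines and flags the exact situation described above, a session that was accepted although the destination DNS server carries a threat-detection tag (tdtype=infected-ip), while a DNS Filter log that redirected or blocked a query is treated as the filter having acted. The field names tdthreatname, tdthreattype, tdtype and tdwfcate come from the post; the sample log lines, IP addresses, the dns-subtype fields (subtype, qname, action) and the helper names are constructed for illustration and are not captured logs.

```python
import re

# Constructed FortiGate-style log lines (illustrative, not real captures).
# Line 1 mirrors the poster's case: DNS session accepted, but the destination
# server is tagged as a threat-detected IP.  Line 2 shows DNS Filter acting on
# a queried name.  Line 3 is an ordinary accepted session with no threat tag.
SAMPLE_LOGS = [
    'date=2023-01-01 time=10:00:00 type=traffic subtype=forward policyid=7 '
    'srcip=10.1.1.5 dstip=203.0.113.9 dstport=53 service="DNS" app="DNS" '
    'appact="detected" appcat="Network.Service" apprisk="elevated" action=accept '
    'tdtype="infected-ip" tdthreattype="Malware" tdthreatname="Sinkhole" '
    'tdwfcate="Spyware and Malware"',
    'date=2023-01-01 time=10:00:05 type=utm subtype="dns" policyid=7 '
    'srcip=10.1.1.5 dstip=198.51.100.53 dstport=53 qname="bad.example" '
    'cat=88 catdesc="Botnet C&C" action=redirect',
    'date=2023-01-01 time=10:00:09 type=traffic subtype=forward policyid=7 '
    'srcip=10.1.1.5 dstip=198.51.100.53 dstport=53 service="DNS" app="DNS" '
    'appact="detected" appcat="Network.Service" action=accept',
]

# Tolerant key=value parser: values are either double-quoted (and may then
# contain spaces) or bare tokens without whitespace.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_log(line: str) -> dict:
    """Return the key=value fields of one log line as a dict (quotes stripped)."""
    rec = {}
    for key, raw in _KV.findall(line):
        rec[key] = raw[1:-1] if raw.startswith('"') else raw
    return rec


def classify(rec: dict) -> str:
    """Name the control that acted on a record, or flag the gap from the thread.

    'threat-ip-allowed' is the poster's situation: the destination server is
    tagged tdtype=infected-ip, yet the session was accepted because DNS Filter
    only matched the queried name and Application Control allowed DNS.
    """
    if rec.get("subtype") == "dns" and rec.get("action") in ("block", "redirect"):
        return "dns-filter-acted"
    if rec.get("tdtype") == "infected-ip" and rec.get("action") == "accept":
        return "threat-ip-allowed"
    return "no-finding"


def find_gaps(lines):
    """Return (dstip, dstport) for every accepted session to a threat-tagged IP."""
    gaps = []
    for line in lines:
        rec = parse_log(line)
        if classify(rec) == "threat-ip-allowed":
            gaps.append((rec.get("dstip"), rec.get("dstport")))
    return gaps


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        rec = parse_log(line)
        print(rec.get("dstip"), classify(rec), rec.get("tdthreatname", "-"))
    print("gaps:", find_gaps(SAMPLE_LOGS))
```

Run it as-is to see the first sample line reported as a gap: the DNS Filter verdict (line 2) and the threat tag on the destination IP (line 1) are independent signals, and only a policy or IPS rule keyed on the server address closes the second one.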
joh2k

Thanks for your clarification.

Am I right if I say the following?

  • DNS Filter will redirect to a Block Portal any DNS request asking for a blacklisted botnet domain, independently of the DNS server reputation.
  • IPS will block DNS requests to a blacklisted DNS server IP, independently of the FQDN being requested.

One tool complements the other, and both must be implemented to contain outgoing botnet communication.
