I'm trying to understand how DNS filtering works on the Fortigate 6+. Does it only filter on DNS responses i.e. a DNS response flowing through the Fortigate or can it intercept a request and filter or respond to it?
Basically, DNS filtering uses specific DNS queries to obtain the rating of the requested domain from FortiGuard. This is called an SDNS query. So once a DNS query hits the DNS filter, it submits an SDNS query to FortiGuard to get the rating and then checks whether that is in an allowed category. Categories are the same FortiGuard ones as in the web filter. If that check is true, it will send the query on to the DNS server. If the check is false, it will discard the query and the client will get an "NXDomain" (i.e. domain is not available) as reply.
DNS filters can be applied to policies, but you could also apply one directly to an interface if you enable a DNS service (forward or recursive) on the interface. In this case it would not be dependent on a policy.
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
DNS queries can be filtered and blocked using the FortiGate DNS filter feature, which is based on the policies you set up on your FortiGate firewall.
The DNS request is intercepted by the FortiGate firewall, which then examines it in accordance with its DNS filtering policies.
You can either make your own list of domains to allow or prohibit, or you can utilise pre-made categories like social networking, gaming, or malware sites.
If the policy permits the domain, the DNS request is sent to the DNS server to resolve the domain name. In the event that the policy prohibits the domain, the DNS request is discarded and the user is routed to a block page.
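The two answers above describe the same decision path: the query is intercepted, the name is rated (by an SDNS lookup against FortiGuard) and checked against the profile's categories and local lists, and a permitted query is forwarded while a blocked one is answered with NXDOMAIN or steered to a block page. The following is an added example, not FortiGate code or the FortiGuard API: a pure-Python model of that path that parses a raw DNS query, applies a constructed policy (the `SDNS_RATING` table, category set, allow/deny lists and the `192.0.2.10` portal address are all placeholders), and builds the wire-format reply the client would see in each blocking action. It is useful for understanding what a blocked client observes and for checking a resolver test harness offline.

```python
import struct
import ipaddress

# Constructed stand-in for the FortiGuard SDNS category rating (not the real service).
SDNS_RATING = {
    "social.example": "social-networking",
    "malware.example": "malware",
    "docs.example": "information-technology",
}
# Constructed policy: categories the profile blocks, plus local allow/deny lists.
BLOCKED_CATEGORIES = {"malware", "social-networking"}
LOCAL_ALLOW = {"docs.example"}
LOCAL_DENY = {"deny.example"}
BLOCK_PORTAL_IP = "192.0.2.10"  # placeholder address from the documentation range


def encode_name(name):
    """Encode a dotted name as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, txid=0x1234, qtype=1):
    """Build a plain A-record query with RD set, used here to feed the filter."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", qtype, 1)


def parse_query(pkt):
    """Return (txid, flags, qname, question_bytes) for a packet with one question."""
    txid, flags, qdcount, _, _, _ = struct.unpack(">HHHHHH", pkt[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while True:
        ln = pkt[pos]
        pos += 1
        if ln == 0:
            break
        if ln & 0xC0:
            raise ValueError("compressed names are not valid in the question")
        labels.append(pkt[pos:pos + ln].decode("ascii"))
        pos += ln
    question = pkt[12:pos + 4]  # name + qtype + qclass
    return txid, flags, ".".join(labels).lower(), question


def decide(qname):
    """Policy order: local deny list, local allow list, then the category rating."""
    if qname in LOCAL_DENY:
        return "block"
    if qname in LOCAL_ALLOW:
        return "allow"
    category = SDNS_RATING.get(qname, "unrated")
    return "block" if category in BLOCKED_CATEGORIES else "allow"


def build_nxdomain(txid, flags, question):
    """Reply with RCODE 3 (NXDOMAIN), echoing the client's RD bit and setting QR/RA."""
    resp_flags = 0x8000 | (flags & 0x0100) | 0x0080 | 3
    return struct.pack(">HHHHHH", txid, resp_flags, 1, 0, 0, 0) + question


def build_redirect(txid, flags, question, ip, ttl=60):
    """Reply with one A record (name compressed to the question at offset 12)."""
    resp_flags = 0x8000 | (flags & 0x0100) | 0x0080
    header = struct.pack(">HHHHHH", txid, resp_flags, 1, 1, 0, 0)
    answer = struct.pack(">HHHIH", 0xC00C, 1, 1, ttl, 4) + ipaddress.IPv4Address(ip).packed
    return header + question + answer


def handle_query(pkt, action="nxdomain"):
    """Return ("forward", None) to pass the query upstream, or ("blocked", reply_bytes)."""
    txid, flags, qname, question = parse_query(pkt)
    if decide(qname) == "allow":
        return "forward", None
    if action == "redirect":
        return "blocked", build_redirect(txid, flags, question, BLOCK_PORTAL_IP)
    return "blocked", build_nxdomain(txid, flags, question)


def response_rcode(resp):
    """RCODE is the low four bits of the flags word."""
    return struct.unpack(">H", resp[2:4])[0] & 0x0F


def response_answer_ip(resp):
    """Extract the IPv4 address from the single A record that follows the question."""
    _, _, _, question = parse_query(resp)
    off = 12 + len(question) + 12  # skip header, question, and the 12-byte RR fixed part
    return str(ipaddress.IPv4Address(resp[off:off + 4]))


if __name__ == "__main__":
    for name in ("docs.example", "malware.example", "deny.example"):
        verdict, reply = handle_query(build_query(name), action="redirect")
        detail = "" if reply is None else f" -> {response_answer_ip(reply)}"
        print(f"{name}: {verdict}{detail}")
```

The `decide` function orders local lists ahead of the category rating, which is the behaviour a practitioner should confirm on the real profile rather than assume; unrated names are allowed here, whereas a production profile may treat "unrated" as its own category. The NXDOMAIN reply copies the client's transaction ID and question verbatim, which is what lets a stub resolver accept it.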
DNS filtering on Fortigate 6+ can work in two modes: recursive mode and authoritative mode.
In recursive mode, Fortigate acts as a DNS client and sends DNS queries to DNS servers on behalf of the clients on the network. When Fortigate receives DNS responses, it can filter the responses based on policies configured by the administrator. In this mode, Fortigate cannot intercept a DNS request and filter or respond to it.
In authoritative mode, Fortigate acts as a DNS server for a particular domain or subdomain and can respond to DNS requests for that domain or subdomain. In this mode, Fortigate can intercept DNS requests and filter or respond to them based on policies configured by the administrator.