Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
shocko
New Contributor III

DNS Filtering Operation

I'm trying to understand how DNS filtering works on the Fortigate 6+. Does it only filter on DNS responses i.e. a DNS response flowing through the Fortigate or can it intercept a request and filter or respond to it? 

4 REPLIES
kmohan
Staff

Hi Shocko,

Please check the below documentations:

https://docs.fortinet.com/document/fortigate/6.2.14/cookbook/605868/dns-filter


Karthick
sw2090
Honored Contributor

Basically DNS filtering uses specific DNS queries to obtain the rating of the requested domain from FortiGuard. This is called an SDNS Query. So once a DNS query hits the DNS filter it submits an SDNS Query to FortiGuard to get the rating and then checks if that is in an allowed category. Categories are the same FortiGuard ones as in the Webfilter. If that check is true it will send the query on to the DNS server. If the check is false it will discard the query and the client will get a "NXDomain" (i.e. domain is not available) as reply.


DNS filters can be applied to policies, but you could also apply one directly to an interface if you enable a DNS service (forward or recursive) on the interface. In this case it would not be dependent on a policy.


-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
rtichkule
Staff

Hello,


DNS queries can be filtered and blocked using the FortiGate DNS filter feature, which is based on the policies you set up on your FortiGate firewall.


The DNS request is intercepted by the FortiGate firewall, which then examines it in accordance with its DNS filtering policies.


You can either make your own list of domains to allow or prohibit, or you can utilise pre-made categories like social networking, gaming, or malware sites.


If the policy permits the domain, the DNS request is sent to the DNS server to resolve the domain name. In the event that the policy prohibits the domain, the DNS request is discarded and the user is routed to a block page.


BR
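The decision path that sw2090 and rtichkule describe above (query intercepted, domain rated, local allow/block list and category check, then either forwarded or answered with NXDOMAIN) is easy to follow as a small simulation. The block below is an added example written for this thread; it is not FortiGate or FortiGuard code. The rating table, the profile class, the category names and the sample domains are all constructed stand-ins for the SDNS lookup and profile settings, and the "block page" redirect variant is not modelled, only the NXDOMAIN reply.

```python
"""Simulation of a DNS-filter decision path (added example, not FortiGate code)."""
import struct
from dataclasses import dataclass
from typing import Optional

QR = 0x8000          # header flag: message is a response
RD = 0x0100          # header flag: recursion desired
RA = 0x0080          # header flag: recursion available
RCODE_NXDOMAIN = 3   # "name does not exist"

# Constructed stand-in for the rating service an SDNS query would consult.
RATINGS = {
    "fortinet.com": "information-technology",
    "example-casino.test": "gambling",
    "allowed-casino.test": "gambling",
    "bad-example.test": "malicious-websites",
}


@dataclass(frozen=True)
class DnsFilterProfile:
    """Hypothetical profile: blocked categories plus local allow/block domain lists."""
    blocked_categories: frozenset
    local_allow: frozenset = frozenset()
    local_block: frozenset = frozenset()


@dataclass
class Verdict:
    action: str                 # "forward" or "block"
    qname: str
    category: str               # rating, or "local-allow"/"local-block"/"unrated"
    reason: str
    response: Optional[bytes]   # synthesised NXDOMAIN when blocked, else None


# Constructed demo profile: block two categories, locally allow one gambling domain.
DEMO_PROFILE = DnsFilterProfile(
    blocked_categories=frozenset({"gambling", "malicious-websites"}),
    local_allow=frozenset({"allowed-casino.test"}),
    local_block=frozenset({"internal-block.test"}),
)


def build_query(txid: int, qname: str, qtype: int = 1) -> bytes:
    """Build a minimal DNS query packet; used here only to construct sample input."""
    header = struct.pack(">HHHHHH", txid, RD, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    name = b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"
    return header + name + struct.pack(">HH", qtype, 1)


def parse_question(msg: bytes):
    """Return (txid, lower-cased qname, raw question section) from a one-question query."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qdcount = struct.unpack(">HHH", msg[:6])
    if flags & QR:
        raise ValueError("message is a response, not a query")
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        if pos >= len(msg):
            raise ValueError("truncated question name")
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer not allowed in question name")
        labels.append(msg[pos:pos + length].decode("ascii").lower())
        pos += length
    if pos + 4 > len(msg):
        raise ValueError("truncated question type/class")
    return txid, ".".join(labels), msg[12:pos + 4]


def suffix_match(qname: str, table) -> Optional[str]:
    """Longest-suffix match so 'www.example.test' hits an entry for 'example.test'."""
    labels = qname.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in table:
            return candidate
    return None


def nxdomain_response(query: bytes) -> bytes:
    """Build the NXDOMAIN reply the thread describes: same txid and question, no answers."""
    txid, _, question = parse_question(query)
    rd = struct.unpack(">H", query[2:4])[0] & RD
    header = struct.pack(">HHHHHH", txid, QR | rd | RA | RCODE_NXDOMAIN, 1, 0, 0, 0)
    return header + question


def filter_query(query: bytes, profile: DnsFilterProfile, ratings=RATINGS) -> Verdict:
    """Decision path: local allow -> local block -> category check -> forward."""
    _, qname, _ = parse_question(query)
    if suffix_match(qname, profile.local_allow):
        return Verdict("forward", qname, "local-allow", "domain on local allow list", None)
    if suffix_match(qname, profile.local_block):
        return Verdict("block", qname, "local-block", "domain on local block list",
                       nxdomain_response(query))
    key = suffix_match(qname, ratings)  # stand-in for the SDNS rating query
    category = ratings[key] if key else "unrated"
    if category in profile.blocked_categories:
        return Verdict("block", qname, category, f"category '{category}' is blocked",
                       nxdomain_response(query))
    return Verdict("forward", qname, category, "category allowed; forward to DNS server", None)


def rcode(msg: bytes) -> int:
    """Extract RCODE from a DNS header, to check the synthesised reply."""
    return struct.unpack(">H", msg[2:4])[0] & 0x000F


if __name__ == "__main__":
    for name in ("docs.fortinet.com", "www.example-casino.test", "allowed-casino.test",
                 "x.bad-example.test", "a.internal-block.test", "unknown.test"):
        v = filter_query(build_query(0x1234, name), DEMO_PROFILE)
        print(f"{v.qname:26s} {v.category:24s} {v.action:8s} {v.reason}")
```

The synthesised reply copies the transaction ID and question section from the original query, which is what lets the client match it; the decision logic itself is deliberately ordered so a local allow entry wins over a blocked category, mirroring the "make your own list" behaviour described above.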

pavankr5
Staff

Hello @shocko,


DNS filtering on Fortigate 6+ can work in two modes: recursive mode and authoritative mode.

In recursive mode, Fortigate acts as a DNS client and sends DNS queries to DNS servers on behalf of the clients on the network. When Fortigate receives DNS responses, it can filter the responses based on policies configured by the administrator. In this mode, Fortigate cannot intercept a DNS request and filter or respond to it.


In authoritative mode, Fortigate acts as a DNS server for a particular domain or subdomain and can respond to DNS requests for that domain or subdomain. In this mode, Fortigate can intercept DNS requests and filter or respond to them based on policies configured by the administrator.

Thanks
