Thanks for your help and time. The DNS lookup, as you suggested is definitely handled by proxy service and server as always. BUT, the Fortigate itself is my proxy server and handles the DNS requests while serving clients. Therefore, I expect it to do DNS (botnets C&C filtering)

Meanwhile, the same repository for malicious and botnet hosts (or at least being very similar) is very interesting but there is a point. Web filtering requires license while DNS filtering works by base license if I\m not wrong here.

Anyway thanks again for your complete and comprehensive answer.

Happy to help!

Two points of feedback to your reply:

---

@mhdganji wrote:

the Fortigate itself is my proxy server and handles the DNS requests while serving clients. Therefore, I expect it to do DNS (botnets C&C filtering)

---

I can certainly understand this question, but we should highlight that in general a FortiGate by default does not filter its own traffic (which the DNS queries for proxy clients technically is). And regardless, applying the webfilter to proxy-policies should achieve the same results in this specific scenario.

---

@mhdganji wrote:

Web filtering requires license while DNS filtering works by base license if I\m not wrong here.

---

This part is actually incorrect I'm afraid. FortiGuard rating for DNS filtering falls under the same license as FortiGuard rating for webfiltering. You can refer to the FortiGuard services datasheet to see which feature is bundled with what: https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiGuard_Security_Services.pdf

web and DNS filtering service snippet

Hi @pminarik 

About the second parts, yes you're right.

For the first part, may I propose this one as a feature request?

HI pminarik,

The information is great and useful.

However, may i know why DNS filtering only available in type - transparent in proxy policy rules? What is the logic behind? could share some idea?

Thanks

In a scenario with a traditional explicit web proxy, DNS traffic doesn't flow >through< the proxy (=FortiGate), the client tells the proxy what it wants to access (gives the FQDN) and the proxy deals with DNS on its own.

The client will send requests like below to the proxy:

GET www.example.com 
CONNECT https://www.example.com 

Since DNS traffic doesn't get proxied through a traditional web-proxy, there's no need for a DNS filter to be available in explicit proxy policies.

----------

As was as "trasparent explicit proxy" rules, I would expect the same limitation to apply, but primarily because the "redirect to proxy" function in regular firewall policies is supposed to forward only HTTP/S traffic to the transparent proxy.

Moreover, I don't even see the option to add a DNS filter to a transparent proxy rule. Which exact firmware version are you seeing this in?

HI pminarik,

Thanks for your information. 

The firmware version is 7.0 and above.

Regarding the statement "In a  traditional explicit web proxy", does it mean there is new way for explicit web proxy with DNS filtering? Like explicit web proxy configure as DNS server and Client set DNS as explicit web proxy unit? Happy to see if there is other way.

Thanks

No new way.

I'm calling it traditional because that's what it is, and because there are other way of processing traffic which could arguably be called "proxied".

Firewall policy + redirect to transparent proxy also proxies the traffic.  

Firewall policy alone in proxy-mode inspection also proxies the traffic.

Hi,

With DNS filtering, the blocking botnet and c&c ip's is my main goal. Anyway to do that via web filtering?