Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
mhdganji
Contributor II

DNS Filtering not available in proxy policy rules

Hi,

In a VDOM used to proxy clients request (acts as a proxy server on 8080), although DNS filter is enabled in feature visibility, but is not displayed (everything is there, WAF, IPS, Web, ...) but DNS filter is not present

 

In the other VDOMs, such as a VDOM linked to the one mentioned above which has direct Internet access, DNS filter is present but as I said in Proxy polices in our Proxy VDOM serving clients request it is not present.

 

Thanks in advance for your help

 

Regards

M. Ganji, Network & Security Expert.
M. Ganji, Network & Security Expert.
1 Solution
pminarik

It is not that FortiOS explicit proxy doesn't support it, it is that proxy clients do not pass their DNS requests through the proxy. They don't resolve the FQDNs of websites requested through the proxy at all.

 

When a proxy client wants to connect to www.example.com through the proxy, it does not do any DNS lookup, it directly sends a request to the proxy:
GET http://www.example.com
or
CONNECT https://www.example.com

 

DNS lookup is then handled by the proxy itself. (so the proxy itself can connect to the desired server to facilitate the connection)

 

Feel free to install Wireshark on some test client of yours to verify this client behaviour yourself. Focus on DNS traffic (UDP/53) and proxy traffic (by default TCP/8080 in FortiOS, but maybe you changed it).

 

As such, try using webfilter profile in the proxy policy, making sure you're blocking the Malicious Websites category. I'm not sure if this is 100% the case, but I have checked a handful of FQDNs from the botnet list, and they were all categorized as "Malicious Websites" by the FortiGuard webfilter rating.

[ corrections always welcome ]

View solution in original post

20 REPLIES 20
pminarik

It is not that FortiOS explicit proxy doesn't support it, it is that proxy clients do not pass their DNS requests through the proxy. They don't resolve the FQDNs of websites requested through the proxy at all.

 

When a proxy client wants to connect to www.example.com through the proxy, it does not do any DNS lookup, it directly sends a request to the proxy:
GET http://www.example.com
or
CONNECT https://www.example.com

 

DNS lookup is then handled by the proxy itself. (so the proxy itself can connect to the desired server to facilitate the connection)

 

Feel free to install Wireshark on some test client of yours to verify this client behaviour yourself. Focus on DNS traffic (UDP/53) and proxy traffic (by default TCP/8080 in FortiOS, but maybe you changed it).

 

As such, try using webfilter profile in the proxy policy, making sure you're blocking the Malicious Websites category. I'm not sure if this is 100% the case, but I have checked a handful of FQDNs from the botnet list, and they were all categorized as "Malicious Websites" by the FortiGuard webfilter rating.

[ corrections always welcome ]
mhdganji

Thanks for your help and time. The DNS lookup, as you suggested is definitely handled by proxy service and server as always. BUT, the Fortigate itself is my proxy server and handles the DNS requests while serving clients. Therefore, I expect it to do DNS (botnets C&C filtering)

 

Meanwhile, the same repository for malicious and botnet hosts (or at least being very similar) is very interesting but there is a point. Web filtering requires license while DNS filtering works by base license if I\m not wrong here.

 

Anyway thanks again for your complete and comprehensive answer.

M. Ganji, Network & Security Expert.
M. Ganji, Network & Security Expert.
pminarik

Happy to help!

Two points of feedback to your reply:

 


@mhdganji wrote:

the Fortigate itself is my proxy server and handles the DNS requests while serving clients. Therefore, I expect it to do DNS (botnets C&C filtering)


I can certainly understand this question, but we should highlight that in general a FortiGate by default does not filter its own traffic (which the DNS queries for proxy clients technically is). And regardless, applying the webfilter to proxy-policies should achieve the same results in this specific scenario.

 


@mhdganji wrote:

Web filtering requires license while DNS filtering works by base license if I\m not wrong here.


This part is actually incorrect I'm afraid. FortiGuard rating for DNS filtering falls under the same license as FortiGuard rating for webfiltering. You can refer to the FortiGuard services datasheet to see which feature is bundled with what: https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiGuard_Security_Services.pdf

web and DNS filtering service snippetweb and DNS filtering service snippet

 

 

[ corrections always welcome ]
mhdganji

Hi @pminarik 

 

About the second parts, yes you're right.

For the first part, may I propose this one as a feature request?

 

M. Ganji, Network & Security Expert.
M. Ganji, Network & Security Expert.
ck8882
New Contributor II

HI pminarik,

 

The information is great and useful.

 

However, may i know why DNS filtering only available in type - transparent in proxy policy rules? What is the logic behind? could share some idea?

 

Thanks

pminarik

In a scenario with a traditional explicit web proxy, DNS traffic doesn't flow >through< the proxy (=FortiGate), the client tells the proxy what it wants to access (gives the FQDN) and the proxy deals with DNS on its own.

 

The client will send requests like below to the proxy:

GET www.example.com 
CONNECT https://www.example.com 

 

Since DNS traffic doesn't get proxied through a traditional web-proxy, there's no need for a DNS filter to be available in explicit proxy policies.

----------

As was as "trasparent explicit proxy" rules, I would expect the same limitation to apply, but primarily because the "redirect to proxy" function in regular firewall policies is supposed to forward only HTTP/S traffic to the transparent proxy.

 

Moreover, I don't even see the option to add a DNS filter to a transparent proxy rule. Which exact firmware version are you seeing this in?

[ corrections always welcome ]
ck8882
New Contributor II

HI pminarik,

 

Thanks for your information. 

 

The firmware version is 7.0 and above.

 

DNS filter.JPGTransparent.JPG

 

Regarding the statement "In a  traditional explicit web proxy", does it mean there is new way for explicit web proxy with DNS filtering? Like explicit web proxy configure as DNS server and Client set DNS as explicit web proxy unit? Happy to see if there is other way.

 

Thanks

pminarik

No new way.

I'm calling it traditional because that's what it is, and because there are other way of processing traffic which could arguably be called "proxied".

Firewall policy + redirect to transparent proxy also proxies the traffic.  

Firewall policy alone in proxy-mode inspection also proxies the traffic.

[ corrections always welcome ]
AEK
Honored Contributor

Hi Mhdganji

I think DNS filtering is old world technique and is not suitable for today's web anymore. Nowadays Web Filtering is the right way to do.

AEK
AEK
mhdganji
Contributor II

Hi,

 

With DNS filtering, the blocking botnet and c&c ip's is my main goal. Anyway to do that via web filtering?

M. Ganji, Network & Security Expert.
M. Ganji, Network & Security Expert.
Labels
Top Kudoed Authors