kdavidk
New Contributor

DNS Filtering

Hello,

I need to protect the company network from access to dangerous and **bleep** pages.

I am thinking of putting a FortiGate in front of our recursive DNS servers and filtering the DNS requests that come to our DNS server from our internal network. Would it work for DNS filtering in this way?

I don't want to put all connectivity through the FG. For that reason I want to put it just as a filter in front of the DNS server.

Will the redirect and web filtering work this way? Can I make more profiles for different categories for different recursive servers?

Or is it a bad idea to use it in this way?

We are talking about 800 DNS requests/sec in total at peak... For that reason I am thinking about a FortiGate 100F. Or is it overkill?

gfleming
Staff

May I ask why you don't want to use the FortiGate for all connectivity? It would be far more effective and simpler to manage in this case.

You need the FortiGate to be inserted at some point in the IP path from your endpoints->DNS Server/Lookups. This would require replacing your existing L3 device or your existing WAN device unless you want to start going down the path of policy-based routing or other mechanisms.

Or you use the FortiGate as your internal DNS server and configure it on your endpoints so they do their DNS lookups at the FortiGate. This will require you to set up the FortiGate as a slave to your existing DNS server and forward queries appropriately.

FortiSASE might be something you can look into as well?

Cheers,
Graham
kdavidk

It just doesn't make any sense to me to run all the multi-gig traffic through the FortiGate when I need to filter only 3 Mb/s of separate traffic that goes to the DNS server. And I don't want to. There is 10 gig connectivity with several hundred thousand sessions, instead of the few hundred that go to the DNS servers. Why is it required to replace my L3 device? Doesn't the FortiGate support bridge mode? If it is an L7 filter then it should check DNS packets and, based on the filter, pass, block or change the domain's IP address in the request/reply... Am I wrong?
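
The pass/block/rewrite behaviour described in the post above, as an added illustration that is not code from this thread or from Fortinet: an inline L7 DNS filter sitting in front of the recursive servers, with a separate profile per resolver address. The category table, the resolver addresses and the block-portal address are constructed placeholders; a real appliance rates domains against its category service rather than a local dict.

```python
import struct

# Constructed sample data (not from the thread): a tiny category table and
# one filtering profile per recursive DNS server, as the original poster asked.
CATEGORIES = {"malware.example": "malicious", "adult.example": "adult"}
PROFILES = {
    "192.0.2.53": {"malicious": "redirect", "adult": "redirect"},
    "192.0.2.54": {"malicious": "block"},   # adult content allowed via this resolver
}
PORTAL_IP = "192.0.2.250"  # hypothetical block-portal address (assumption)

def parse_qname(pkt):
    """Return (qname, offset just past the question section) of a DNS query."""
    labels, off = [], 12                      # 12-byte fixed header comes first
    while pkt[off]:
        n = pkt[off]
        labels.append(pkt[off + 1:off + 1 + n].decode())
        off += 1 + n
    return ".".join(labels), off + 1 + 4      # skip root byte, QTYPE, QCLASS

def category_of(qname):
    """Longest-suffix match of the queried name against the category table."""
    parts = qname.lower().split(".")
    for i in range(len(parts)):
        cat = CATEGORIES.get(".".join(parts[i:]))
        if cat:
            return cat
    return None

def filter_query(pkt, resolver_ip):
    """Decide what the inline filter does with one query addressed to resolver_ip.
    Returns ("pass", None) to forward the query unchanged, or ("block"/"redirect",
    reply) where reply is the forged answer returned to the client instead."""
    qname, qend = parse_qname(pkt)
    action = PROFILES.get(resolver_ip, {}).get(category_of(qname), "allow")
    if action == "allow":
        return "pass", None
    txid, question = pkt[:2], pkt[12:qend]
    if action == "block":                     # NXDOMAIN: QR|RD|RA set, RCODE=3
        return "block", txid + struct.pack("!HHHHH", 0x8183, 1, 0, 0, 0) + question
    # redirect: answer with an A record for the block portal, TTL 0 so it is not cached
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 0, 4) + bytes(map(int, PORTAL_IP.split(".")))
    return "redirect", txid + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0) + question + rr

def build_query(qname, txid=0x1234):
    """Build a standard A query in wire format (used here to construct test input)."""
    body = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + body + struct.pack("!HH", 1, 1)
```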

gfleming

Of course, yes, transparent mode is an option. It should work in that regard.

Cheers,
Graham