I'd like to be able to inspect normal DNS requests passing the firewall and find the record they are trying to query. For instance, clients go to query the DNS record for google.com and this request passes the firewall policies. I want to know which destination address was queried (here, google.com).
You can use DNS filtering. DNS filtering looks at the "nameserver" response, which typically occurs when you connect to a website.
When a device initiates a DNS lookup, it sends the FQDN information in the initial request. When the FortiGate receives the DNS request from the client, it sends a simultaneous request to the FortiGuard SDNS servers. With the FortiGuard SDNS service, there are two possible results:
1. The category is allowed: the original response is passed.
2. The category is blocked: the FortiGate overrides the site's IP address with the FortiGuard override address and presents a DNS error to the client.
This is very useful, because the connection to a specific web page can be blocked before the HTTP request is even sent.
Is there any way to filter packets based on DNS requests? I mean, I'd like to drop DNS requests from a source to a destination if their request is looking for a specific domain or record (or is not looking for specific records).
For example, if clients are sending queries for our internal domain records, that would be OK, but if the DNS query is destined for anything except *.internaldomain.net, it should be detected and blocked.
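As an added example (not from this thread and not FortiGate code), the following parses the question section of a raw DNS query as laid out in RFC 1035, pulls out the queried name, and applies the allow-list policy from the follow-up question. `internaldomain.net` is taken as the placeholder zone from the post above; the query packets are constructed inline rather than captured.

```python
import struct

def build_query(name, qtype=1, txid=0x1234):
    """Construct a minimal DNS query (12-byte header + one question) for testing."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS=IN

def parse_question(packet):
    """Return (qname, qtype) for the first question of a DNS query, or None."""
    if len(packet) < 12:
        return None
    _txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000 or qdcount == 0:       # QR bit set means this is a response
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            return None                       # truncated name
        length = packet[pos]
        if length == 0:
            pos += 1
            break                             # root label ends the name
        if length & 0xC0:
            return None                       # compression pointer: not valid here
        pos += 1
        labels.append(packet[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(packet):
        return None                           # missing QTYPE/QCLASS
    (qtype,) = struct.unpack("!H", packet[pos:pos + 2])
    return ".".join(labels).lower(), qtype

def policy_allows(qname, zone="internaldomain.net"):
    """Allow-list: only the internal zone and its subdomains may be queried."""
    return qname == zone or qname.endswith("." + zone)

def decide(packet):
    """Policy verdict for one UDP DNS payload: allow, block, or drop (malformed)."""
    question = parse_question(packet)
    if question is None:
        return "drop"
    return "allow" if policy_allows(question[0]) else "block"
```

Note that this only sees plain UDP port 53 payloads; DNS over TCP carries a 2-byte length prefix before the same message, and DNS over TLS or HTTPS is not inspectable this way at all.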