New Contributor

Web filter Vs. DNS filter

What is the difference? Any pros/cons to one or the other?


Why would you need DNS filtering if you're already doing web filtering?


If you do not use the FortiGate as a DNS server does DNS filter do anything?

1 Solution
New Contributor

Here is a practical example:

In my company, I can't use DNS filtering because of its requirement to use the FortiGuard DNS servers. We can't use an external DNS server.

With DNS filtering you can't block access based on URL. You block based on DNS name resolution (IP address).

Let's say, for example, you want to block but allow Because both URLs resolve to the same IP address, you will not obtain the desired result with DNS filtering. It will block access to as a whole.


Web filtering filters based on URL and because you will be able to block but allow


Ask yourself this question: what will happen if the FortiGate can't connect to the FortiGuard DNS servers in the middle of the night?

What will happen to your policy rules? Does it go to allow or deny everything?




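An added illustration of the distinction described in the accepted answer, not part of the original thread and not FortiOS code: a Python model in which the DNS filter sees only the hostname while the web filter sees host and path. The `example.com` names, the rule lists and the `fail_open` switch are constructed assumptions, and the web filter is assumed to see the full URL (plain HTTP or decrypted HTTPS).

```python
from urllib.parse import urlsplit

# Constructed policy data (example.com names are placeholders, not from the thread).
DNS_BLOCKED_DOMAINS = {"portal.example.com"}
URL_RULES = [  # (host, path prefix, action); longest matching prefix wins
    ("portal.example.com", "/", "allow"),
    ("portal.example.com", "/games/", "block"),
]

def domain_matches(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)

def dns_filter(url, rating_reachable=True, fail_open=False):
    """Decide from the queried name only: the path never reaches a resolver."""
    host = urlsplit(url).hostname or ""
    if not rating_reachable:
        # Outage behaviour is a policy choice in this model, not a FortiOS default.
        return "allow" if fail_open else "block"
    if any(domain_matches(host, d) for d in DNS_BLOCKED_DOMAINS):
        return "block"
    return "allow"

def web_filter(url, default="allow"):
    """Decide from host + path, which requires visibility of the full URL."""
    parts = urlsplit(url)
    host, path = (parts.hostname or "").lower(), parts.path or "/"
    best = None
    for rule_host, prefix, action in URL_RULES:
        if host == rule_host and path.startswith(prefix):
            if best is None or len(prefix) > len(best[0]):
                best = (prefix, action)
    return best[1] if best else default

def compare(urls, **dns_kwargs):
    """Return {url: (dns verdict, web verdict)} for a side-by-side view."""
    return {u: (dns_filter(u, **dns_kwargs), web_filter(u)) for u in urls}

if __name__ == "__main__":
    sample = ["https://portal.example.com/games/chess",
              "https://portal.example.com/docs/handbook"]
    for url, verdicts in compare(sample).items():
        print(url, verdicts)
```

Both URLs get the same DNS verdict because they share one hostname; only the URL-based filter can block one path and allow the other.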

New Contributor III

Hi everyone,


Old post but I am wondering the same. If I understand well, Web filter gives you more control over the things you can allow or block, in addition you don't need to use the FortiGuard DNS servers, so you don't have this limitation. Then, my question is, why do you need DNS filter if you can do the same or better with Web filter? Any example?




New Contributor

I've been tasked with implementing a solution for web filtering and web usage reporting and so I thought I'd look at something like OpenDNS Umbrella to throw in that DNS layer protection as well. I've done the demo, I've read the spec sheets, and I'm fairly satisfied with the results, especially given as our company is only 300 users dense. Price is OK. My question is: Is there a better (and easy to implement/manage) solution for web filtering/usage reporting out there (besides Websense -- been there done that) that may or may not also cover DNS layer protection?


Talking about the DNS Filter, are there separate logs to show it working? Or are they logged with the web filter logs?


DNS Filter Concepts:

  • With the release of FortiOS 5.4.0, users configure the Domain Name System (DNS) Filter security profile independent of the Web Filter security profile.

Web Filter Concepts:

  • Web filtering is a means of controlling the content that an Internet user is able to view. With the popularity of web applications, the need to monitor and control web access is becoming a key component of secure content management systems that employ antivirus, web filtering, and messaging security.

Syed_Uzair_Ahmed
New Contributor

I have been using FGT2000 in my environment in explicit proxy mode. And I am unable to block malicious DNS requests. Is there any possibility that I can block and restrict malicious DNS traffic on my firewall?

