Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.

DNS Filtering not available in proxy policy rules


In a VDOM used to proxy clients request (acts as a proxy server on 8080), although DNS filter is enabled in feature visibility, but is not displayed (everything is there, WAF, IPS, Web, ...) but DNS filter is not present


In the other VDOMs, such as a VDOM linked to the one mentioned above which has direct Internet access, DNS filter is present but as I said in Proxy polices in our Proxy VDOM serving clients request it is not present.


Thanks in advance for your help



1 Solution

It is not that FortiOS explicit proxy doesn't support it, it is that proxy clients do not pass their DNS requests through the proxy. They don't resolve the FQDNs of websites requested through the proxy at all.


When a proxy client wants to connect to through the proxy, it does not do any DNS lookup, it directly sends a request to the proxy:


DNS lookup is then handled by the proxy itself. (so the proxy itself can connect to the desired server to facilitate the connection)


Feel free to install Wireshark on some test client of yours to verify this client behaviour yourself. Focus on DNS traffic (UDP/53) and proxy traffic (by default TCP/8080 in FortiOS, but maybe you changed it).


As such, try using webfilter profile in the proxy policy, making sure you're blocking the Malicious Websites category. I'm not sure if this is 100% the case, but I have checked a handful of FQDNs from the botnet list, and they were all categorized as "Malicious Websites" by the FortiGuard webfilter rating.

[ corrections always welcome ]

View solution in original post




DNS filter is not supported with Explicit Proxy. We can see the supported features in the following documentation.







 I cannot figure out why this is not supported. The device is working as a proxy and does the query DNS task do it can do the filtering. Am I wrong here?


With explicit proxy, the FortiGate would be doing the DNS lookup and not the client. So a policy to scan DNS requests traversing the firewall wouldnt make sense.


Sorry for making it long but I still don't get it why it's not possible anyway. Let's assume the client is requesting which is a C&C and there is a DNS filter on the policy. When the fortigate is serving the request, finds the DNS filter rule enabled and check the IP is in botnet database so it answers with the portal or any configured address. I know it sounds strange and not straight forward but seams feasible to implement. 


Firstly, i cannot comment precisely on why something is a feature or not.


I believe the scenario you refer to would be possible with a workaround. 1 example would be to use a second VDOM for the DNS filtering. 



I did this but not sure if you meant exactly the way I went


I created a second vdom, made a vdom link and forced the proxy requests go to the second one which is connected and NAT'ed directly

Then I defined a policy for the second one including DNS filter


not so customizable and selective but anyway it works for all the requests.


what do you think about the solution?


Yes, this is solution i was referring to. 

As always, it should be thoroughly tested to ensure it meets your needs. 


Thanks and BTW,


what if we use the device itself as the DNS server? Does fortigate (or is it possible to config it) apply DNS filtering rules when fetching results from its upstream servers?


Basically, the request has to pass through a firewall policy. If it passes through another VDOM, it will have to pass through another policy and DNS filter can be applied. If it goes out directly to the internet from the VDOM it will not have to match a policy and therefore you cannot apply the DNS profile.