mhdganji
Contributor II

Read inside DNS requests

Hi,

I'd like to be able to inspect normal DNS requests passing through the firewall and find the record they are trying to query. For instance, a client queries the DNS record for google.com and this request passes the firewall policies. I want to know which destination address is being queried (here, google.com).

Is that possible with FortiOS?

Regards,

M. Ganji, Network & Security Expert.
1 Solution
Yurisk
Valued Contributor

Sure, just run the packet sniffer on the CLI (or even in the GUI in versions 7.2 or newer) and it will show you the contents of the DNS packets:

dia sni pa any 'port 53' 6

The sniffer filter syntax is that of tcpdump.

 

I recorded a video of how to do it in the GUI (7.2 or newer only, in older versions you have to sniff and then download packets to the local host, you cannot see packets' content in the Fortigate GUI itself): https://yurisk.info/2022/04/21/fortios-7-2-new-improved-packet-sniffer-in-gui/ 

 

Cheers

Yuri https://yurisk.info/  blog: All things Fortinet, no ads.
syordanov
Staff

Dear mhdganji,

You can use DNS filtering. DNS filtering looks at the "nameserver" response, which typically occurs when you connect to a website.

When a device initiates a DNS lookup, it sends the FQDN information in the initial request. When the FortiGate receives the DNS request from the client, it sends a simultaneous request to the FortiGuard SDNS servers. With the FortiGuard SDNS service, there are two possible results:

1. Category is allowed: the original response is passed.
2. Category is blocked: the FortiGate overrides the site's IP address with the FortiGuard override address and presents a DNS error to the client.

This is very useful, because the connection to a specific web page can be blocked before the HTTP request is even sent.

Some useful KB articles:
https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/968395/dns-filtering
https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/572589/how-to-configure-and-apply-a-dns-...
https://docs.fortinet.com/document/fortigate/6.4.0/administration-guide/605868/dns-filter

Best regards,

Fortinet
mhdganji

Thanks, but this is not what I was looking for. DNS requests are just passing the firewall from the client to an MS DNS.

I used packet filtering and exported the log, viewed it in Wireshark and was done.

I wonder if there is any method to see these logs inside the FortiGate box without Wireshark or third-party software.

M. Ganji, Network & Security Expert.
syordanov
Staff

Hello mhdganji,

No, there is no other way to see these logs except if you have DNS filtering.
mhdganji
Contributor II

So far so good. Another question:

Is there any way to filter packets based on DNS requests? I mean, I'd like to drop DNS requests from a source to a destination if their request is looking for a specific domain or record (or is not looking for specific records).

For example, if clients are sending queries for our internal domain records, that would be OK, but if the DNS query is destined for anything except *.internaldomain.net, it should be detected and blocked.

Appreciate your answers.

M. Ganji, Network & Security Expert.
mhdganji

Using DNS static domain filtering I could do that ...

M. Ganji, Network & Security Expert.
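Putting the two threads of the discussion together (reading the queried name out of the sniffer's verbosity-6 hex dump, and deciding whether a query for anything outside *.internaldomain.net should be blocked), the script below is an added example; it is not code from the forum, from Fortinet or from FortiOS. The sniffer output it parses is a constructed sample in the format `diagnose sniffer packet any 'port 53' 6` prints (MAC and IP addresses, ports, transaction ID and checksums are made-up placeholders; only the DNS payload, an A query for google.com, is a genuine packet). It strips the Ethernet, IPv4 and UDP headers, decodes the DNS question section, and applies a suffix allow-list that models the static domain filter in software. The zone name internaldomain.net is the hypothetical one from the thread. UDP-only: DNS over TCP, IPv6 and compression pointers in the question (which real client queries never carry) are rejected rather than guessed at.

```python
"""Decode the question of DNS queries captured by the FortiGate sniffer.

Added example (not FortiOS, Fortinet or forum code): rebuilds a frame from
the verbosity-6 hex dump, extracts the queried name and record type, and
applies an allow-list like the "*.internaldomain.net" rule from the thread.
"""
import re
import struct

# Constructed sample of verbosity-6 sniffer output (Ethernet header included).
# Addresses, ports, transaction ID and checksums are made-up placeholders.
SNIFFER_SAMPLE = """\
port1 in 192.168.10.20.50000 -> 192.168.1.1.53: udp 28
0x0000   0009 0f09 0005 0050 56aa bbcc 0800 4500        .......PV.....E.
0x0010   0038 1a2b 0000 4011 d424 c0a8 0a14 c0a8        .8.+..@..$......
0x0020   0101 c350 0035 0024 0000 1234 0100 0001        ...P.5.$...4....
0x0030   0000 0000 0000 0667 6f6f 676c 6503 636f        .......google.co
0x0040   6d00 0001 0001                                 m.....
"""

HEX_LINE = re.compile(r"^0x[0-9a-fA-F]{4}\s+(.*)$")
HEX_WORD = re.compile(r"^[0-9a-fA-F]{2,4}$")
QTYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR",
               15: "MX", 16: "TXT", 28: "AAAA", 33: "SRV", 255: "ANY"}
ALLOWED_SUFFIXES = ("internaldomain.net",)  # hypothetical zone from the thread


def sniffer_hexdump_to_bytes(dump: str) -> bytes:
    """Rebuild frame bytes from dump lines; summary lines are skipped and the
    hex words are read until the ASCII column (first non-hex token) begins."""
    out = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE.match(line.strip())
        if not m:
            continue
        for tok in m.group(1).split():
            if not HEX_WORD.match(tok):
                break
            out += bytes.fromhex(tok)
    return bytes(out)


def dns_payload_from_frame(frame: bytes) -> bytes:
    """Strip Ethernet, IPv4 and UDP headers; TCP and IPv6 DNS are not handled."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 Ethernet frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 17:
        raise ValueError("not UDP")
    udp = ip[ihl:]
    udp_len = struct.unpack("!H", udp[4:6])[0]
    return udp[8:udp_len]


def parse_question(dns: bytes):
    """Return (transaction id, qname, qtype) from the first question."""
    if len(dns) < 12:
        raise ValueError("truncated DNS header")
    txid, _flags, qdcount = struct.unpack("!HHH", dns[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(dns):
            raise ValueError("truncated question name")
        length = dns[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            # Never present in real client queries; refuse rather than chase it.
            raise ValueError("compression pointer in question name")
        labels.append(dns[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if len(dns) < pos + 4:
        raise ValueError("truncated QTYPE/QCLASS")
    qtype = struct.unpack("!H", dns[pos:pos + 2])[0]
    return txid, ".".join(labels).lower(), qtype


def query_allowed(qname: str, allowed=ALLOWED_SUFFIXES) -> bool:
    """True for the zone apex or names beneath it; 'evilinternaldomain.net' is not."""
    qname = qname.rstrip(".").lower()
    return any(qname == s or qname.endswith("." + s) for s in allowed)


def inspect_query(dns: bytes) -> dict:
    """Summarise one query the way an operator reads it off the wire."""
    txid, qname, qtype = parse_question(dns)
    return {"txid": txid, "qname": qname,
            "qtype": QTYPE_NAMES.get(qtype, str(qtype)),
            "verdict": "allow" if query_allowed(qname) else "block"}


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query (RD set, one question) for demos and tests."""
    name = b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in qname.rstrip(".").split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + name + struct.pack("!HH", qtype, 1)


if __name__ == "__main__":
    frame = sniffer_hexdump_to_bytes(SNIFFER_SAMPLE)
    print(inspect_query(dns_payload_from_frame(frame)))
    print(inspect_query(build_query("dc01.internaldomain.net")))
    print(inspect_query(build_query("evilinternaldomain.net", 28)))
```

Paste a real sniffer dump into SNIFFER_SAMPLE (or read it from the file you downloaded from the GUI) and the script prints the transaction ID, name and type of each query without opening Wireshark. The suffix check deliberately requires a leading dot so that a lookalike such as evilinternaldomain.net is not treated as internal, which is the same distinction the wildcard `*.internaldomain.net` makes in a static domain filter.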