DNS Web Filtering Requires Using Fortinet DNS Servers?

Author
tanr
Platinum Member
2018/07/13 10:28:58 (permalink)
Per http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-whats-new-54/Top_DNSInspectionProfile.htm?Highlight=dns%20filter, DNS Web Filtering (the dnsfilter profile, i.e. the FortiGuard category-based filter section of DNS Filter in the GUI) will ONLY work if one uses Fortinet's DNS servers. The same documentation implies that DNS blocking of Botnet C&C and Static URL domains works without needing to use Fortinet DNS servers.
 
Could someone confirm this?  We really can't use the Fortinet DNS servers because they have been too slow to be usable recently.
 
Also, anybody know if the DNS Web Filtering category check overrides the URL based Web Filter?  It seems like it does, which means when I get a DNS timeout and allow the DNS request, it bypasses the Web Filter that would have caught it.  Haven't done a detailed test of this yet, but would be helpful to get confirmation.
#1

5 Replies

    Toshi Esumi
    Expert Member
    Re: DNS Web Filtering Requires Using Fortinet DNS Servers? 2018/07/13 11:03:12 (permalink)
    Some of our FG1500Ds have our own DNS server configured as the system DNS, and FortiGuard services, including Category Filtering, are working fine.
    Their online manual states that URL Filtering comes first, before Category Filtering. Scroll down to "Order of web filtering" in the page below:
    http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-security-profiles-54/Web_Filter/Web%20filter%20concepts.htm
    #2
    tanr
    Platinum Member
    Re: DNS Web Filtering Requires Using Fortinet DNS Servers? 2018/07/13 11:34:18 (permalink)
    Thanks Toshi.  That's helpful, but I'm not sure if we're comparing the same thing.  Two questions to clarify, if you have the time.
     
    It looks like the "Order of Web Filtering" link you posted just refers to the sequence within web filtering, not within DNS filtering?  
     
    Related to using your own DNS server: are you using the DNS Filter's DNS-based web filtering with FortiGuard Categories, and that's working (as in http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-security-profiles-54/DNS%20Filter/dns_intro.htm)? Or are you using the Web Filter FortiGuard Categories?
     
    Thanks for your help.
    #3
    Toshi Esumi
    Expert Member
    Re: DNS Web Filtering Requires Using Fortinet DNS Servers? 2018/07/13 11:47:50 (permalink)
    I realized you specifically talked about DNS filtering after I posted. My comment was for Web Filtering as you pointed out.
    #4
    Toshi Esumi
    Expert Member
    Re: DNS Web Filtering Requires Using Fortinet DNS Servers? 2018/07/19 22:46:24 (permalink)
    I just read the NSE4 study material. It says that when a client sends out a DNS request to 8.8.8.8, the FGT intercepts it and sends it to both 8.8.8.8 and the FortiGuard SDNS server configured under "config sys fortiguard" with "set sdns-server-ip". FortiGuard SDNS returns the IP plus a rating at the same time as 8.8.8.8 returns a normal DNS response to the FGT. Then, based on the rating, the FGT decides the action according to the category action configured in the profile.
    And a cookbook [https://cookbook.fortinet.com/dns-filtering-60/] says the SDNS server IP can be either 208.91.112.220 (Sunnyvale, CA, USA) or 80.85.69.54 (London, UK).
    #5
    mhwloo
    New Member
    Re: DNS Web Filtering Requires Using Fortinet DNS Servers? 2018/08/06 11:42:17 (permalink)
    My experience with this is that it just needs to be an external DNS server. If you use an internal one, the traffic won't hit the firewall to run the policy. Then you need the rule to have the DNS port. So I tested various web filtering policies and the DNS policy didn't kick in, but that's because the rules only had HTTP(S). I made a separate rule with only DNS going to 8.8.8.8, applied the DNS filtering policy, and the policy worked.
    #6
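Putting the two findings above together (the SDNS server IP quoted in #5 and the observation in #6 that the DNS filter profile only takes effect on a policy that actually carries the clients' DNS queries), here is an added FortiOS CLI example; it is not from the thread or from Fortinet's documentation, and the interface names, the "all" address objects, the address object "google-dns" and the profile name "dns-filter-profile" are assumptions.

```text
# Added example, not from the thread. Interface names "internal"/"wan1",
# the address objects and the profile name "dns-filter-profile" are assumptions.

# 1. Point the unit at the FortiGuard SDNS server (IP quoted in #5).
config system fortiguard
    set sdns-server-ip 208.91.112.220
end

# 2. Policy that carries only HTTP/HTTPS: the dnsfilter profile attached here
#    never sees a DNS query, so it has no effect (the situation described in #6).
config firewall policy
    edit 10
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "default"
        set dnsfilter-profile "dns-filter-profile"
    next
end

# 3. Separate policy that carries the clients' DNS queries to the external
#    resolver (8.8.8.8 in #6); only here does the DNS filter profile apply.
config firewall address
    edit "google-dns"
        set subnet 8.8.8.8 255.255.255.255
    next
end
config firewall policy
    edit 11
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "google-dns"
        set action accept
        set schedule "always"
        set service "DNS"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set dnsfilter-profile "dns-filter-profile"
        set logtraffic all
    next
end
```

With traffic logging on policy 11, the forward-traffic log shows whether DNS queries are matching the DNS policy at all, which is the first thing to check when a category block does not fire.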