Support Forum
tanr
Valued Contributor II

DNS Web Filtering Requires Using Fortinet DNS Servers?

Per http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-whats-new-54/Top_DNSInspectionProfile... DNS Web Filtering (dnsfilter profile, the FortiGuard category-based filter section of DNS Filter in the GUI) will ONLY work if one uses Fortinet's DNS servers.  The same documentation implies that DNS blocking of Botnet C&C and Static URL domains works without needing to use Fortinet DNS servers.

Could someone confirm this?  We really can't use the Fortinet DNS servers because they have been too slow to be usable recently.

Also, anybody know if the DNS Web Filtering category check overrides the URL based Web Filter?  It seems like it does, which means when I get a DNS timeout and allow the DNS request, it bypasses the Web Filter that would have caught it.  Haven't done a detailed test of this yet, but would be helpful to get confirmation.

Toshi_Esumi
Esteemed Contributor III

Some of our FG1500Ds have our own DNS server configured as the system DNS and FortiGuard services including Category Filtering are working fine.

Their online manual states URL Filtering comes first before Category Filtering. Scroll down to "Order of web filtering" on the page below:

http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-security-profiles-54/Web_Filter/Web%20filter%20concepts.htm

tanr
Valued Contributor II

Thanks Toshi.  That's helpful, but I'm not sure if we're comparing the same thing.  Two questions to clarify, if you have the time.

It looks like the "Order of Web Filtering" link you posted just refers to the sequence within web filtering, not within DNS filtering?  

Related to using your own DNS server, you're using the DNS Filter DNS-Based web filtering using Fortiguard Categories and that's working (as in http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-security-profiles-54/DNS%20Filter/dns...)?  Or are you using the Web Filter Fortiguard Categories?

Thanks for your help.

Toshi_Esumi
Esteemed Contributor III

I realized you specifically talked about DNS filtering after I posted. My comment was for Web Filtering as you pointed out.

Toshi_Esumi
Esteemed Contributor III

I just read the NSE4 study material. It says when a client sends out a DNS request to 8.8.8.8, the FGT intercepts it and sends it to both 8.8.8.8 and the FortiGuard SDNS configured under "config sys fortiguard" and "set sdns-server-ip". FortiGuard SDNS returns IP+rating at the same time 8.8.8.8 returns a normal DNS response toward the FGT. Then, based on the rating, the FGT decides the action based on the category action config in the profile.

And a cookbook [https://cookbook.fortinet.com/dns-filtering-60/] says the SDNS server IP can be either 208.91.112.220 (Sunnyvale, CA, USA) or 80.85.69.54 (London, UK).

mhwloo
New Contributor

My experience with this is that it just needs to be an external DNS server.  If you use internal, it won't hit the firewall to run the policy.  Then you need the rule to have the DNS port.  So I tested various web filtering policies and the DNS policy didn't kick in, but that's because the rules only had HTTP(S).  I made a separate rule with only DNS going to 8.8.8.8, and applied the DNS filtering policy and the policy worked.

seadave
Contributor III

Having this same question.  Running 6.0.3.  We have our two AD-based DNS IPs listed for DNS on the Gate with our internal domain indicated also.  The guide indicates this will search internally for hosts first and then externally.  Our logs indicate this is what happens, but of course all queries go through the internal DNS and they use forwarders (set to ISP DNS) for external lookups.

With this config, Fortiguard works and checks out via port 53 lookups.

We have a policy that restricts our AD DNS servers.  Today we applied a DNS Filter policy to it as a way to get add'l DNS logging.  Seems to be working fine, and FAZ logs show it is returning category information.

The confusion mentioned above is easy to encounter.

Networking/DNS indicates: "FortiGate includes default DNS server addresses. However, you should change these addresses to ones that your Internet Service Provider (ISP) provides. The defaults are DNS proxies and are not as reliable as those from your ISP."

Note: I would add that if you are using Active Directory, these settings should be your AD DNS IPs IF you want to be able to resolve internal hostnames in policies.  Put your ISP DNS as forwarders on the internal AD DNS Servers.

Security Profiles/DNS Filter indicates: "When DNS web filtering is enabled, your FortiGate must use the FortiGuard DNS service for DNS lookups."

Using the following command via the CLI:

show full | grep -f sdns

I was able to confirm that yes, our Gate is configured to use the US FortiGuard server.
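The post above relies on FortiAnalyzer showing the category that DNS Filter returned for each query, and the original question in this thread was whether a rating timeout silently turns into an allow. The following is an added example, not code from the thread or from Fortinet: a small parser for FortiOS UTM log records (the key=value format the FortiGate and FortiAnalyzer emit) that summarises DNS Filter actions and lists the queries that were passed with no FortiGuard category at all, which is what an error-allow fallback looks like in the log. The field names (type, subtype, qname, action, cat, catdesc, msg) are the FortiOS DNS log fields as I know them; the records in SAMPLE_LOGS are constructed for the example, and the msg text on the unrated record is invented.

```python
"""Parse FortiOS DNS Filter UTM log records (key=value pairs, quoted values)
and report what was blocked, what was rated, and which queries were passed
without any FortiGuard category at all.

Added example, not code from the forum thread or from Fortinet. The field
names (type, subtype, qname, action, cat, catdesc, msg) follow the FortiOS
utm/dns log format as I know it; the records in SAMPLE_LOGS are constructed,
not real FortiAnalyzer output, and the msg text on the unrated record is
invented."""
import re
from collections import Counter

# One key=value token: the value is either double-quoted (may contain spaces
# and escaped quotes) or a bare run of non-space characters.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed records: a blocked malicious domain, a rated pass, a pass with
# no category (what error-allow produces when the SDNS lookup fails), and a
# web filter record that the summariser must ignore.
SAMPLE_LOGS = [
    'date=2019-01-15 time=10:22:01 logid="1501054000" type="utm" subtype="dns" '
    'eventtype="dns-response" level="warning" vd="root" srcip=10.0.0.10 '
    'dstip=8.8.8.8 dstport=53 profile="dns-block-malicious" qname="malware.example" '
    'qtype="A" action="block" cat=26 catdesc="Malicious Websites" '
    'msg="Domain belongs to a denied category in policy"',
    'date=2019-01-15 time=10:22:04 logid="1501054000" type="utm" subtype="dns" '
    'eventtype="dns-response" level="information" vd="root" srcip=10.0.0.10 '
    'dstip=8.8.8.8 dstport=53 profile="dns-block-malicious" qname="www.example.com" '
    'qtype="A" action="pass" cat=52 catdesc="Information Technology" '
    'msg="Domain is monitored"',
    'date=2019-01-15 time=10:22:09 logid="1501054000" type="utm" subtype="dns" '
    'eventtype="dns-response" level="warning" vd="root" srcip=10.0.0.11 '
    'dstip=8.8.8.8 dstport=53 profile="dns-block-malicious" qname="cdn.example" '
    'qtype="A" action="pass" msg="FortiGuard rating unavailable, query allowed"',
    'date=2019-01-15 time=10:22:12 logid="0316013056" type="utm" subtype="webfilter" '
    'eventtype="ftgd_blk" level="warning" vd="root" srcip=10.0.1.5 dstip=203.0.113.9 '
    'url="/" hostname="bad.example" action="blocked" cat=26 '
    'catdesc="Malicious Websites"',
]


def parse_line(line):
    """Return the record as a dict; quoted values lose their quotes."""
    fields = {}
    for key, value in _KV.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def summarize(lines):
    """Count DNS Filter actions and categories, and list the queries the
    FortiGate passed without a FortiGuard category. A non-empty
    unrated_passes list is the sign that rating lookups are failing and the
    profile's error-allow setting is letting those names through unchecked."""
    actions = Counter()
    categories = Counter()
    unrated_passes = []
    for line in lines:
        rec = parse_line(line)
        if rec.get("type") != "utm" or rec.get("subtype") != "dns":
            continue  # web filter, IPS, etc. are not DNS Filter records
        actions[rec.get("action", "unknown")] += 1
        if "catdesc" in rec:
            categories[rec["catdesc"]] += 1
        if rec.get("action") == "pass" and "cat" not in rec:
            unrated_passes.append(rec.get("qname", "?"))
    return {
        "actions": dict(actions),
        "categories": dict(categories),
        "unrated_passes": unrated_passes,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOGS)
    print("actions:   ", report["actions"])
    print("categories:", report["categories"])
    print("passed without a FortiGuard rating:", report["unrated_passes"])
```

Run it against a FortiAnalyzer export of the utm/dns log to see whether any "pass" records lack a cat field; if they do, the SDNS lookups are timing out and the profile is falling through to allow, which is the bypass the original question worried about.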

nbctcp
New Contributor III

Interesting comment.

I agree with you to use internal AD as the main DNS server.

FortiGuard DNS is US-based only. If I am in Asia, that will take time.

QUESTIONS: 1. But then the doc said DNS Web Filtering won't work, so what is the alternative if I want to use AD as DNS but have DNS Web Filtering work too? Should I do this: the AD forwarder will be the FortiGuard DNS IP?

tq


http://goo.gl/lhQjmU
http://nbctcp.wordpress.com
seadave
Contributor III

As mentioned, I would do the following:

1. If you are using AD, configure Fortigate DNS settings to use your two primary AD DNS server IPs via the GUI.

2. Use the console command "show full | grep -f sdns" to confirm that the sdns server IP (not visible via the GUI) is set to a Fortigate IP.  You may be able to locate one that is non-US if distance is a concern.  Opening a ticket with Fortinet should be able to assist.

3. Test your policies to see if they work.  We have done the following: we use Web Filters for user traffic, but DNS filters for DNS traffic.  Seems to be working well.  In other words, you should have a dedicated policy for your outbound DNS queries to protect those lookups.
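The three steps above, together with Toshi_Esumi's description of the separate SDNS server setting and mhwloo's observation that the profile only fires on a policy that actually carries port 53, fit into one CLI configuration. The following is an added illustration, not configuration from anyone in this thread or from Fortinet's documentation: the interface names, the AD server addresses, the address object and profile names, and the category IDs 26 (Malicious Websites) and 61 (Phishing) are assumptions, so check them against "get" output on your own unit before reusing anything.

```fortios
# Added illustration, not from the thread. Interface names, addresses, object
# names and the category IDs 26 and 61 are assumptions.

# 1. System DNS points at the two AD DNS servers (step 1 above) so the
#    FortiGate itself can resolve internal hostnames used in policies.
config system dns
    set primary 10.0.0.10
    set secondary 10.0.0.11
    set domain "corp.example"
end

# 2. The SDNS (FortiGuard secure DNS) server is a separate setting from
#    system DNS; it is where DNS Filter sends its rating lookups (step 2
#    above). Verify it with:
#      show full-configuration system fortiguard | grep sdns
config system fortiguard
    set sdns-server-ip "208.91.112.220"
    set sdns-server-port 53
end

# 3. The DNS Filter profile: block the categories that matter, enable the
#    botnet C&C list, and log every FortiGuard rating error so that a
#    timeout which falls through to "allow" shows up in the log rather than
#    passing silently. error-allow passes queries the SDNS server could not
#    rate; the alternative, ftgd-disable, switches category filtering off.
config dnsfilter profile
    edit "dns-block-malicious"
        set comment "Category block plus botnet C&C, log rating errors"
        config ftgd-dns
            set options error-allow
            config filters
                edit 1
                    set category 26
                    set action block
                next
                edit 2
                    set category 61
                    set action block
                next
            end
        end
        set block-botnet enable
        set sdns-ftgd-err-log enable
        set sdns-domain-log enable
        set block-action redirect
    next
end

# 4. A dedicated policy for outbound DNS (step 3 above). The profile only
#    runs on traffic that matches a policy allowing port 53, so a policy
#    that permits only HTTP/HTTPS never invokes it. Here the only hosts
#    allowed out on port 53 are the AD DNS servers, i.e. their forwarders.
config firewall address
    edit "AD-DNS-servers"
        set type iprange
        set start-ip 10.0.0.10
        set end-ip 10.0.0.11
    next
end
config firewall policy
    edit 10
        set name "outbound-dns-from-AD"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "AD-DNS-servers"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "DNS"
        set utm-status enable
        set dnsfilter-profile "dns-block-malicious"
        set logtraffic all
    next
end
```

With this layout the system DNS (what the FortiGate uses for its own lookups) and the SDNS server (what DNS Filter uses for ratings) are independent, which is why a unit pointed at internal AD servers can still return category information in the logs. The policy's logtraffic all plus sdns-ftgd-err-log enable is what lets you see, rather than guess, whether rating lookups are timing out.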

AlexFeren
New Contributor III

Late on the train... Would it be correct to conclude that Fortigate DNS Filter is a DNS intercept feature and won't filter client DNS resolution requests sent to the DNS Server on the Fortigate itself?
