DNS Web Filtering Requires Using Fortinet DNS Servers?

tanr (Platinum Member), 2018/07/13 10:28:58

Per http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-whats-new-54/Top_DNSInspectionProfile.htm?Highlight=dns%20filter DNS Web Filtering (dnsfilter profile, the Fortiguard Category based filter section of DNS Filter in the GUI) will ONLY work if one uses Fortinet's DNS servers.  The same documentation implies that DNS blocking of Botnet C&C and Static URL domains work without needing to use Fortinet DNS servers.
 
Could someone confirm this?  We really can't use the Fortinet DNS servers because they have been too slow to be usable recently.
 
Also, anybody know if the DNS Web Filtering category check overrides the URL based Web Filter?  It seems like it does, which means when I get a DNS timeout and allow the DNS request, it bypasses the Web Filter that would have caught it.  Haven't done a detailed test of this yet, but would be helpful to get confirmation.
#1

8 Replies

    Toshi Esumi (Expert Member), 2018/07/13 11:03:12
    Some of our FG1500Ds have our own DNS server configured as the system DNS and FortiGuard services including Category Filtering are working fine.
    Their online manual states URL Filtering comes first, before Category Filtering. Scroll down to "Order of web filtering" in the page below:
    http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-security-profiles-54/Web_Filter/Web%20filter%20concepts.htm
    #2
    tanr (Platinum Member), 2018/07/13 11:34:18
    Thanks Toshi.  That's helpful, but I'm not sure if we're comparing the same thing.  Two questions to clarify, if you have the time.
     
    It looks like the "Order of Web Filtering" link you posted just refers to the sequence within web filtering, not within DNS filtering?  
     
    Related to using your own DNS server, you're using the DNS Filter DNS-Based web filtering using Fortiguard Categories and that's working (as in http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-security-profiles-54/DNS%20Filter/dns_intro.htm)?  Or are you using the Web Filter Fortiguard Categories?
     
    Thanks for your help.
    #3
    Toshi Esumi (Expert Member), 2018/07/13 11:47:50
    I realized you specifically talked about DNS filtering after I posted. My comment was for Web Filtering as you pointed out.
    #4
    Toshi Esumi (Expert Member), 2018/07/19 22:46:24
    I just read NSE4 study material. It says when a client sends out a DNS request to 8.8.8.8, the FGT intercepts it and sends it to both 8.8.8.8 and the FortiGuard SDNS configured under "config sys fortiguard" and "set sdns-server-ip". FortiGuard SDNS returns IP+rating at the same time 8.8.8.8 returns a normal DNS response toward the FGT. Then, based on the rating, the FGT decides the action according to the category action config in the profile.
    And a cookbook [https://cookbook.fortinet.com/dns-filtering-60/] says the SDNS server IP can be either 208.91.112.220 (Sunnyvale, CA, USA) or 80.85.69.54 (London, UK).
    #5
    mhwloo (New Member), 2018/08/06 11:42:17
    My experience with this is that it just needs to be an external DNS server.  If you use internal, it won't hit the firewall to run the policy.  Then you need the rule to have the DNS port.  So I tested various web filtering policies and the DNS policy didn't kick in, but that's because the rules only had HTTP(S).  I made a separate rule with only DNS going to 8.8.8.8, and applied the DNS filtering policy and the policy worked.
    #6
    seadave (Expert Member, Seattle, WA), 2019/05/21 18:18:23
    Having this same question.  Running 6.0.3.  We have our two AD-based DNS IPs listed for DNS on the Gate with our internal domain indicated also.  The guide indicates this will search internally for hosts first and then external.  Our logs indicate this is what happens, but of course all queries go through the internal DNS and they use forwarders (set to ISP DNS) for external lookups.
     
    With this config, Fortiguard works and checks out via port 53 lookups.
     
    We have a policy that restricts our AD DNS servers.  Today we applied a DNS Filter policy to it as a way to get add'l DNS logging.  Seems to be working fine, and FAZ logs show it is returning category information.
     
    The confusion mentioned above is easy to encounter.
     
    Networking/DNS indicates: "FortiGate includes default DNS server addresses. However, you should change these addresses to ones that your Internet Service Provider (ISP) provides. The defaults are DNS proxies and are not as reliable as those from your ISP."
     
    Note: I would add that if you are using Active Directory, these settings should be your AD DNS IPs IF you want to be able to resolve internal hostnames in policies.  Put your ISP DNS as forwarders on the internal AD DNS Servers.
     
    Security Profiles/DNS Filter indicates: "When DNS web filtering is enabled, your FortiGate must use the FortiGuard DNS service for DNS lookups."
     
    Using the following command via the CLI:
     
    show full | grep -f sdns
     
    I was able to confirm that yes, our Gate is configured to use the US FortiGuard server.
    post edited by seadave - 2019/05/21 18:21:20

    #7
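    Pulling together reply #5 (the rating lookup goes to the SDNS server under "config system fortiguard"), reply #6 (a DNS filter profile only acts on a policy that actually carries DNS) and reply #7 (confirming sdns-server-ip from the CLI), here is an added example of auditing those two prerequisites offline from a FortiOS config backup. This is not code from the thread or from Fortinet. It assumes the standard FortiOS config/edit/set/next/end dump syntax and the real setting names sdns-server-ip, service, action and dnsfilter-profile; the two SDNS addresses are the ones quoted in reply #5; the sample config and its policy/address names are constructed for the demo, and treating a service named "ALL" as carrying DNS is an assumption.

```python
"""Audit a FortiOS config dump for the DNS filter prerequisites discussed above.

Added example, not Fortinet code. Checks:
  1. 'config system fortiguard' names one of the FortiGuard SDNS addresses
     from reply #5 as sdns-server-ip (the target of the rating lookup).
  2. Every accept policy that forwards DNS carries a dnsfilter-profile, and
     every policy carrying a dnsfilter-profile actually allows DNS (a profile
     on an HTTP/HTTPS-only policy never sees a query, as in reply #6).
"""
import shlex

# SDNS addresses quoted in reply #5 of the thread.
FORTIGUARD_SDNS = {"208.91.112.220", "80.85.69.54"}

# Constructed FortiOS-style excerpt; names and addresses are made up.
SAMPLE_CONFIG = """\
config system fortiguard
    set sdns-server-ip "208.91.112.220"
    set sdns-server-port 53
end
config firewall policy
    edit 1
        set name "users-web"
        set srcaddr "all"
        set action accept
        set service "HTTP" "HTTPS"
        set utm-status enable
        set webfilter-profile "default"
        set dnsfilter-profile "default"
    next
    edit 2
        set name "ad-dns-forwarders"
        set srcaddr "AD-DNS-servers"
        set action accept
        set service "DNS"
    next
end
"""


def parse_fortios(text):
    """Parse the config/edit/set/next/end structure of a FortiOS dump.

    Returns {block_path: {entry_id: {key: [values]}}}. Settings that sit
    directly in a block (no 'edit') are stored under entry_id None. Nested
    'config' blocks get a path such as 'dnsfilter profile / ftgd-dns'.
    """
    tree = {}
    stack = []  # list of [block_path, current_entry_id]
    for raw in text.splitlines():
        tok = shlex.split(raw)  # honours the double quotes FortiOS emits
        if not tok:
            continue
        word = tok[0]
        if word == "config":
            path = " ".join(tok[1:])
            if stack:
                path = stack[-1][0] + " / " + path
            stack.append([path, None])
            tree.setdefault(path, {})
        elif word == "edit":
            stack[-1][1] = tok[1]
        elif word == "next":
            stack[-1][1] = None
        elif word == "end":
            stack.pop()
        elif word == "set":
            path, entry = stack[-1]
            tree[path].setdefault(entry, {})[tok[1]] = tok[2:]
    return tree


def audit(tree):
    """Return a list of human-readable findings (an empty list means clean)."""
    findings = []
    fg = tree.get("system fortiguard", {}).get(None, {})
    sdns = fg.get("sdns-server-ip", [])
    if not sdns:
        findings.append("no sdns-server-ip under 'config system fortiguard'")
    elif not set(sdns) & FORTIGUARD_SDNS:
        findings.append(f"sdns-server-ip {sdns} is not a FortiGuard SDNS address")

    for pid, pol in tree.get("firewall policy", {}).items():
        if pid is None or pol.get("action") != ["accept"]:
            continue
        name = pol.get("name", ["?"])[0]
        services = set(pol.get("service", []))
        carries_dns = bool(services & {"DNS", "ALL"})  # "ALL" is an assumption
        if carries_dns and "dnsfilter-profile" not in pol:
            findings.append(
                f"policy {pid} ({name}) forwards DNS without a dnsfilter-profile")
        if "dnsfilter-profile" in pol and not carries_dns:
            findings.append(
                f"policy {pid} ({name}) has a dnsfilter-profile but its services "
                f"{sorted(services)} carry no DNS, so the profile never sees a query")
    return findings


if __name__ == "__main__":
    for line in audit(parse_fortios(SAMPLE_CONFIG)) or ["no findings"]:
        print(line)
```

    On the sample, the SDNS check passes and two findings come back: policy 1 has a DNS filter profile on an HTTP/HTTPS-only policy, and policy 2 (the outbound path for the AD DNS servers' forwarder queries) allows DNS with no profile at all, which is exactly the gap replies #6 and #9 describe. The script only reads configuration; whether client queries ever cross the FortiGate (as opposed to being answered by internal AD DNS and only leaving via its forwarders) still has to be confirmed from the traffic or FortiAnalyzer logs.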
    nbctcp (Bronze Member, Indonesia), 2019/09/11 20:50:14
    Interesting comment.
    I agree with you on using the internal AD as the main DNS server.
    FortiGuard DNS is US based only. If I am in Asia, that will take time.
     
    QUESTIONS:
    1. But then the doc said DNS Web Filtering won't work,
    so what is the alternative if I want to use AD as DNS but have DNS Web Filtering work too?
    Should I do this:
    AD forwarder will be the FortiGuard DNS IP
    Thanks
     
    [quoted text of reply #7 above, attributed on the page to dfollis]

    #8
    seadave (Expert Member, Seattle, WA), 2019/09/11 22:12:21
    As mentioned, I would do the following:
     
    1. If you are using AD, configure Fortigate DNS settings to use your two primary AD DNS server IPs via the GUI.
    2. Use the console command "show full | grep -f sdns" to confirm that the sdns server IP (not visible via the GUI) is set to a Fortigate IP.  You may be able to locate one that is non-US if distance is a concern.  Opening a ticket with Fortinet should be able to assist.
    3. Test your policies to see if they work.  We have done the following, we use Web Filters for user traffic, but DNS filters for DNS traffic.  Seems to be working well.  In other words, you should have a dedicated policy for your outbound DNS queries to protect those lookups.
    #9