Robert_Cerny
New Contributor II

DNS filter

Hello guys,

I went through the Cookbook guide about DNS filtering and one question remains unanswered for me. It seems that a DNS filter prerequisite is to use the Fortinet DNS server for resolving queries, right? If so, what's the trick to get it to work with Active Directory, which needs to have its own DNS server for handling local domains?

 

Thanks

Robert

FG-100C FG-100A FW-50B FG-60C
ede_pfau
SuperUser

I guess the setup is as usual:

- clients query the AD

- AD either answers for local names or forwards to the FGT

- FGT queries FTNT DNS

 

...which implies that you cannot use local names on the FGT itself.

Note that DNS filter is part of the WebFilter licence. One of the secondary DNS addresses should be non-FTNT, e.g. quad9.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
Cyrille_

Take care with DNS Profile inspection and implementation.

The online documentation on the Fortinet side is partially wrong, letting you think that configuring the Fortigate as a DNS server for the LAN community is a prerequisite for DNS filtering.

 

The Fortigate must in fact be able to query the Fortiguard DNS servers (so uplink policies, VDOM or firewall must allow its traffic to public DNS servers).

 

The Fortiguard DNS servers used internally by the DNS Filter service are automatically fetched via an initial query to 208.91.112.220 and can be displayed using the following debug command:

 

(global) # diagnose test application dnsproxy 3

[...]

dns-server:208.91.112.220:53 tz=-480 req=0 to=0 res=0 rt=0 secure=1 ready=1 timer=0 probe=0 failure=0 last_failed=0
dns-server:1.1.1.1:53 tz=0 req=646 to=0 res=646 rt=2 secure=0 ready=1 timer=0 probe=0 failure=0 last_failed=0
dns-server:1.0.0.1:53 tz=0 req=387 to=0 res=387 rt=7 secure=0 ready=1 timer=0 probe=0 failure=0 last_failed=0
dns-server:62.209.40.75:53 tz=60 req=598 to=0 res=598 rt=2 secure=1 ready=1 timer=0 probe=0 failure=0 last_failed=0
dns-server:173.243.138.221:53 tz=-480 req=0 to=0 res=0 rt=0 secure=1 ready=1 timer=0 probe=0 failure=0 last_failed=0
dns-server:45.75.200.89:53 tz=0 req=0 to=0 res=0 rt=0 secure=1 ready=1 timer=0 probe=0 failure=0 last_failed=0
dns-server:111.108.191.92:53 tz=540 req=0 to=0 res=0 rt=0 secure=1 ready=1 timer=0 probe=0 failure=0 last_failed=0
dns-server:149.5.232.53:53 tz=60 req=519 to=0 res=519 rt=3 secure=1 ready=1 timer=0 probe=0 failure=0 last_failed=0
dns-server:140.174.22.53:53 tz=-300 req=0 to=0 res=0 rt=0 secure=1 ready=1 timer=0 probe=0 failure=0 last_failed=0

[...]

 

The initially polled Fortiguard server, which is available in the default configuration, is probably what the technical writer was referring to, and it confuses everyone implementing DNS filter.

 

(global) # get sys fortiguard | grep sdns
sdns-server-ip      : "208.91.112.220"
sdns-server-port    : 53

 

The Fortigate can classify and block/pass DNS queries and replies for DNS traffic passing THROUGH the Fortigate.

So a DNS profile applies only if a client queries a destination server on the other side of the policy.

Then the Fortigate would itself query a list of Fortiguard Secure DNS servers for the same record to evaluate its category, and be ready to manipulate the DNS reply from the real server once it is returned.

 

The interesting thing is that even if a DNS query is sent to a fake DNS server on the Internet, the Fortigate would itself send a DNS query to these servers to have the domain category evaluated.

 

-> The Fortigate system DNS servers are used unsecurely (Cloudflare 1.1.1.1 & 1.0.0.1 in my previous diag output) for DNS resolution of system activities, and have no role in DNS Filter classification.

-> The Fortiguard DNS servers are used through Secure DNS queries to evaluate the domain category, and cannot be used freely outside a Fortigate. This is naturally to prevent abuse of the Fortiguard database.

 

If you then have an internal AD server acting as the local DNS server for workstations, it would itself query a public DNS server (or the root servers) to have resolution done, and would be blocked (or have its response replaced) when passing through the policy on the Fortigate.
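The reply above boils the DNS Filter dependency down to one check: the Fortigate must be able to reach the secure (secure=1) Fortiguard SDNS servers listed by `diagnose test application dnsproxy 3`, while the secure=0 entries are only the system DNS. As an added example (not code from the thread or from Fortinet), here is a small Python parser for that debug output that separates the two groups and reports whether any SDNS server is ready and actually answering. The sample records are copied from the output posted above; the second, failing snapshot in the test is constructed to show what a blocked uplink would look like. The hard-failure versus warning split is my own judgement, not a documented Fortinet rule.

```python
"""Parse FortiGate 'diagnose test application dnsproxy 3' output and check
whether the secure (FortiGuard SDNS) servers that DNS Filter relies on are
reachable. Added example for this thread, not Fortinet code."""
import re
from dataclasses import dataclass, field

# Records as printed by the FortiGate, copied from the debug output posted in
# the thread above. The unit prints them run together on one line or one per
# line depending on the terminal; the parser accepts both.
SAMPLE = """
dns-server:208.91.112.220:53 tz=-480 req=0 to=0 res=0 rt=0 secure=1 ready=1 timer=0 probe=0 failure=0 last_failed=0
dns-server:1.1.1.1:53 tz=0 req=646 to=0 res=646 rt=2 secure=0 ready=1 timer=0 probe=0 failure=0 last_failed=0
dns-server:1.0.0.1:53 tz=0 req=387 to=0 res=387 rt=7 secure=0 ready=1 timer=0 probe=0 failure=0 last_failed=0
dns-server:62.209.40.75:53 tz=60 req=598 to=0 res=598 rt=2 secure=1 ready=1 timer=0 probe=0 failure=0 last_failed=0
dns-server:173.243.138.221:53 tz=-480 req=0 to=0 res=0 rt=0 secure=1 ready=1 timer=0 probe=0 failure=0 last_failed=0
dns-server:45.75.200.89:53 tz=0 req=0 to=0 res=0 rt=0 secure=1 ready=1 timer=0 probe=0 failure=0 last_failed=0
dns-server:111.108.191.92:53 tz=540 req=0 to=0 res=0 rt=0 secure=1 ready=1 timer=0 probe=0 failure=0 last_failed=0
dns-server:149.5.232.53:53 tz=60 req=519 to=0 res=519 rt=3 secure=1 ready=1 timer=0 probe=0 failure=0 last_failed=0
dns-server:140.174.22.53:53 tz=-300 req=0 to=0 res=0 rt=0 secure=1 ready=1 timer=0 probe=0 failure=0 last_failed=0
"""

# One record: "dns-server:<ip>:<port>" followed by key=value counters.
RECORD = re.compile(
    r"dns-server:(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"(?P<kv>(?:\s+[a-z_]+=-?\d+)+)"
)
PAIR = re.compile(r"([a-z_]+)=(-?\d+)")


@dataclass
class DnsServer:
    ip: str
    port: int
    counters: dict = field(default_factory=dict)

    @property
    def secure(self) -> bool:
        # secure=1 marks a FortiGuard SDNS server; secure=0 is the system DNS.
        return self.counters.get("secure") == 1

    @property
    def ready(self) -> bool:
        return self.counters.get("ready") == 1


def parse_dnsproxy(text: str) -> list:
    """Return one DnsServer per dns-server record found in the debug output."""
    servers = []
    for m in RECORD.finditer(text):
        counters = {k: int(v) for k, v in PAIR.findall(m.group("kv"))}
        servers.append(DnsServer(m.group("ip"), int(m.group("port")), counters))
    return servers


def check_dnsfilter_ready(servers: list) -> dict:
    """Judge whether DNS Filter classification can work from this snapshot.

    Hard failures (assumed thresholds for this example): no SDNS server
    listed, or none marked ready=1. Timeouts, failure counters and "no
    answers yet" are reported as warnings, since a freshly booted unit
    legitimately shows res=0 until the first filtered query goes out.
    """
    sdns = [s for s in servers if s.secure]
    system = [s for s in servers if not s.secure]
    problems, warnings = [], []
    if not sdns:
        problems.append("no secure (FortiGuard SDNS) server in dnsproxy output")
    elif not any(s.ready for s in sdns):
        problems.append("no SDNS server is marked ready=1")
    answering = [s.ip for s in sdns if s.counters.get("res", 0) > 0]
    if sdns and not answering:
        warnings.append("no SDNS server has answered a classification query yet")
    for s in sdns:
        to, fail = s.counters.get("to", 0), s.counters.get("failure", 0)
        if to or fail:
            warnings.append(f"{s.ip}:{s.port} to={to} failure={fail}")
    return {
        "ok": not problems,
        "sdns": [s.ip for s in sdns],
        "sdns_answering": answering,
        "system_dns": [s.ip for s in system],
        "problems": problems,
        "warnings": warnings,
    }


if __name__ == "__main__":
    report = check_dnsfilter_ready(parse_dnsproxy(SAMPLE))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Paste the live output of `diagnose test application dnsproxy 3` into `SAMPLE` (or read it from a file) and run the script; an `ok: False` with "no SDNS server is marked ready=1" is the symptom to expect when the uplink policy or VDOM does not let the Fortigate talk to the Fortiguard servers, independent of whether the AD forwarders themselves resolve fine.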

 

 

 
