In this recipe you will set up DNS filtering to block access to bandwidth-consuming websites. The block is applied when a client resolves the site's name: DNS queries that pass through the policy are rated against Fortinet's FortiDNS service, and a domain in a blocked category is not resolved to its real address, so the client never reaches the site.
Following the results section, you will find instructions for changing the FortiDNS server that your FortiGate uses to rate domains, as well as troubleshooting information.
PREP 5 min COOK 15 min TOTAL 20 min
1. Feature visibility

If DNS Filter is not listed under Security Profiles, go to System > Feature Visibility and enable DNS Filter under Security Features.

2. Creating a DNS web filter profile

Go to Security Profiles > DNS Filter and edit the default profile. Enable FortiGuard category based filter, right-click Bandwidth Consuming, and set it to Block. Bandwidth Consuming is a FortiGuard category group, so setting it to Block applies the action to every category in the group (streaming media, peer-to-peer file sharing, and so on).

3. Enabling DNS filtering in a security policy

DNS lookups in traffic that matches this policy are checked against the FortiDNS server. Go to Policy & Objects > IPv4 Policy and edit the outgoing policy that allows Internet access. Under Security Profiles, enable DNS Filter and set it to default. Proxy Options and SSL Inspection profiles are enabled automatically when you do this. Only DNS queries that traverse this policy are filtered: clients that resolve names through an internal DNS server on the LAN are covered only if that server's own upstream queries pass through a policy with the DNS filter applied.
4. Results

Open a browser on a computer on the internal network and navigate to dailymotion.co.uk. The page will be blocked.

To confirm that a site outside the Bandwidth Consuming category is still resolved normally, sniff the DNS traffic from the CLI while a client looks up the site (in this example paris.fr, 194.153.110.160):

    diagnose sniffer packet any 'port 53' 4

The filter must be a single quoted expression. A filter on the web site's own address (for example 'port 53 and host 194.153.110.160') would match nothing, because the packets of interest run between the FortiGate and its DNS servers, not to the site; the filters=[...] line in the output shows the filter that was actually applied. The output should show the lookup reaching a DNS server and a reply coming back, that is, the name was resolved normally:

    interfaces=[any] filters=[port 53]
    2.851628 172.20.121.56.59046 -> 208.91.112.52.53: udp 43
    2.916281 208.91.112.52.53 -> 172.20.121.56.59046: udp 436
    3.336945 10.1.2.102.51755 -> 208.91.112.53.53: udp 37
    3.338611 208.91.112.53.53 -> 10.1.2.102.51755: udp 37

Verbosity 4 prints packet headers only. To see the queried name and the address returned to the client, capture with verbosity 6, which also prints the payload.
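The browser test only shows that the page did not load. To see the mechanism itself, resolve the name through the FortiGate and inspect the A record the client receives. The following is an added Python example and is not part of the recipe or Fortinet code: it builds an RFC 1035 A query, parses the answer section of the reply, and reports a block when the answer is the FortiGuard redirect address. The address used for that comparison, 208.91.112.55, is the FGD_REDIR value in the dnsproxy output in the troubleshooting section; that this is the address substituted for blocked names is an assumption of this example. The paris.fr address 194.153.110.160 is the one quoted on this page, the sample responses are constructed locally so the parser can be exercised offline, and the resolver address passed to resolve_live is a placeholder.

```python
"""Client-side check that a DNS-filtered domain is answered with the
block-portal address (added example, not Fortinet code).

Assumption (mine): a blocked name is answered with the FGD_REDIR address
shown in the dnsproxy output on this page, 208.91.112.55. The paris.fr
address 194.153.110.160 is the one quoted on this page. Responses used
for offline checks are constructed by build_response().
"""
import socket
import struct

FGD_REDIR_IP = "208.91.112.55"  # assumed block-portal address (FGD_REDIR)


def encode_name(name):
    """Encode a domain name as DNS labels, terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def build_query(name, txid=0x1234):
    """Minimal RFC 1035 A/IN query with the RD flag set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def skip_name(msg, off):
    """Return the offset just past a possibly compressed name starting at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if (length & 0xC0) == 0xC0:  # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def a_records(msg):
    """A-record addresses in the answer section of a response, in wire order."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if (flags & 0x8000) == 0:
        raise ValueError("not a DNS response")
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs


def verdict(msg):
    """'blocked' if the answer is the redirect address, 'allowed' if it carries
    another A record, 'no-answer' otherwise (NXDOMAIN or an empty answer)."""
    addrs = a_records(msg)
    if FGD_REDIR_IP in addrs:
        return "blocked"
    return "allowed" if addrs else "no-answer"


def build_response(name, ip=None, txid=0x1234, rcode=0):
    """Constructed response for offline use: one A answer, or none if ip is None."""
    ancount = 0 if ip is None else 1
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, ancount, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    answer = b""
    if ip is not None:
        # owner name as a pointer to offset 12 (the question name), A/IN, TTL 60
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
    return header + question + answer


def resolve_live(name, resolver, timeout=3.0):
    """Send the query to a resolver behind the FortiGate and return the verdict.
    resolver is a placeholder, e.g. the FortiGate's internal interface address."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (resolver, 53))
        data, _ = sock.recvfrom(4096)
    return verdict(data)
```

Run resolve_live("dailymotion.co.uk", "<resolver>") from a client behind the policy and compare with a name outside the category; a "blocked" verdict confirms the block is a DNS rewrite, independent of whether the browser shows a block page.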

5. (Optional) Changing the FortiDNS server and port

You can use the default FortiDNS server located in Sunnyvale, USA (IP address 208.91.112.220), or you can switch to the server in London, UK (IP address 80.85.69.54). Communication between your FortiGate and the FortiDNS server uses Fortinet's proprietary DNS communication protocol; in the dnsproxy diagnostic output shown under Troubleshooting, these two servers are the dns-server entries marked secure=1, separate from the FortiGate's regular system DNS servers.
The North American server should work in most cases, but you can switch to the European server to see whether it improves latency. You can also change the port used to communicate with the FortiDNS server using the following command:
6. Troubleshooting

The Security Profiles > DNS Filter menu is missing: Go to System > Feature Visibility and enable DNS Filter.

You configured DNS Filtering, but it is not working: Verify that DNS Filter is enabled in a policy and that SSL Inspection has been applied as needed (SSL inspection is required in order to block traffic to sites that use HTTPS). If both settings are enabled, verify that the policy is being used for the correct traffic and that traffic is flowing, by going to the policy list and viewing the Sessions column. If the above settings are correct, verify that DNS requests are going through the policy rather than to an internal DNS server; queries that an internal resolver answers from its cache, or forwards through a different policy, never reach the DNS filter. Also verify that the proxy options and SSL/SSH inspection settings have both HTTP and HTTPS enabled and use the correct ports.

Communication with the FortiDNS server fails: Verify that the correct FortiDNS server is configured using the following diagnose command:

    diag test application dnsproxy 3

The output should show that communication with the correct FortiDNS server was established. For example:

    FWF60D4615016384 # diag test application dnsproxy 3
    vdom: root, index=0, is master, vdom dns is enabled, mip-169.254.0.1 dns_log=1
    dns64 is disabled
    dns-server:208.91.112.53:53 tz=0 req=919160 to=545900 res=117880 rt=1800 secure=0 ready=1
    dns-server:208.91.112.52:53 tz=0 req=913029 to=520111 res=134810 rt=6 secure=0 ready=1
    dns-server:208.91.112.220:53 tz=-480 req=0 to=0 res=0 rt=0 secure=1 ready=1
    dns-server:80.85.69.54:53 tz=0 req=0 to=0 res=0 rt=0 secure=1 ready=1
    vfid=0, interface=wan1, ifindex=6, recursive, dns
    DNS_CACHE: hash-size=2048, ttl=1800, min-ttl=60, max-num=5000
    DNS FD: udp_s=12 udp_c=14:15 ha_c=18 unix_s=19, unix_nb_s=20, unix_nc_s=21, v6_udp_s=11, v6_udp_c=16:17
    DNS FD: tcp_s=24, tcp_s6=23
    FQDN: hash_size=1024, current_query=1024
    DNS_DB: response_buf_sz=131072
    LICENSE: expiry=2016-08-15, expired=0, type=2
    FDG_SERVER:208.91.112.220:53
    SERVER_LDB: gid=6d61, tz=-480
    FGD_REDIR:208.91.112.55

This result shows that the FortiDNS server (FDG_SERVER) is set to the North American server and is reached on port 53 (208.91.112.220:53). The two FortiDNS servers are the dns-server entries with secure=1; the entries with secure=0 (208.91.112.52 and 208.91.112.53) are the FortiGate's regular system DNS servers. ready=1 on the FDG_SERVER entry means the FortiGate considers that server usable. Check the LICENSE line as well: an expired FortiGuard web filtering subscription (expired=1) also stops category ratings.

Next, verify that bandwidth-consuming sites are blocked while other URLs are allowed. Go to the CLI Console and enter:

    diagnose sniffer packet any 'port 53' 4

Then look up a blocked site from a client (in this example dailymotion.co.uk, 195.8.215.138). The filter is on port 53 only: a host filter on the site's own address cannot match the FortiGate-to-FortiDNS packets that this check is about, and the filters=[...] line in the output shows the filter actually applied. The output should show the FortiGate sending the lookup to the FortiDNS servers for rating:

    interfaces=[any] filters=[port 53]
    2.026733 172.20.121.56.59046 -> 208.91.112.220.53: udp 117
    2.027316 172.20.121.56.59046 -> 80.85.69.54.53: udp 112
    2.028480 172.20.121.56.59046 -> 208.91.112.220.53: udp 116
    2.029591 172.20.121.56.59046 -> 208.91.112.220.53: udp 117

Verbosity 4 prints packet headers only; to see the queried name and the address returned to the client, capture with verbosity 6, which also prints the payload.
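Both diagnostics above (the dnsproxy state and the port-53 sniffer output, which the results section uses in the same way) are easy to misread by eye when the server list is long. The following is an added Python example, not Fortinet code, that evaluates them consistently from pasted or SSH-captured output: it confirms that FDG_SERVER is the server you expect and that its dns-server entry is secure=1 and ready=1, and it counts which DNS servers the sniffed port-53 queries went to, split into FortiDNS and plain resolvers. The sample inputs are the outputs printed on this page; the field names and line format are taken from that output as shown, and nothing else is assumed about the diagnostic.

```python
"""Evaluate FortiGate DNS-filter diagnostics (added example, not Fortinet code).

Scripted form of two checks on this page: that 'diag test application dnsproxy 3'
names the expected FortiDNS server as FDG_SERVER with secure=1 ready=1, and that
'diagnose sniffer packet any "port 53" 4' shows DNS queries going to a FortiDNS
server rather than only to the FortiGate's plain resolvers. Sample inputs are
the outputs printed on this page.
"""
import re
from collections import Counter

SERVER_RE = re.compile(r"dns-server:(\d+(?:\.\d+){3}):(\d+)\s+(.*)")
FDG_RE = re.compile(r"FDG_SERVER:(\d+(?:\.\d+){3}):(\d+)")
# Verbosity-4 sniffer line: "<ts> <src>.<sport> -> <dst>.<dport>: udp <len>"
SNIFF_RE = re.compile(
    r"^\s*(\d+\.\d+)\s+(\d+(?:\.\d+){3})\.(\d+)\s+->\s+(\d+(?:\.\d+){3})\.(\d+):\s+udp\s+(\d+)"
)

# dnsproxy output from this page, trimmed to the lines the checks use.
DNSPROXY_OUTPUT = """\
dns-server:208.91.112.53:53 tz=0 req=919160 to=545900 res=117880 rt=1800 secure=0 ready=1
dns-server:208.91.112.52:53 tz=0 req=913029 to=520111 res=134810 rt=6 secure=0 ready=1
dns-server:208.91.112.220:53 tz=-480 req=0 to=0 res=0 rt=0 secure=1 ready=1
dns-server:80.85.69.54:53 tz=0 req=0 to=0 res=0 rt=0 secure=1 ready=1
LICENSE: expiry=2016-08-15, expired=0, type=2
FDG_SERVER:208.91.112.220:53
FGD_REDIR:208.91.112.55
"""
# Sniffer lines from this page: the blocked lookup (dailymotion.co.uk) and the
# allowed one (paris.fr).
SNIFF_BLOCKED = [
    "2.026733 172.20.121.56.59046 -> 208.91.112.220.53: udp 117",
    "2.027316 172.20.121.56.59046 -> 80.85.69.54.53: udp 112",
    "2.028480 172.20.121.56.59046 -> 208.91.112.220.53: udp 116",
    "2.029591 172.20.121.56.59046 -> 208.91.112.220.53: udp 117",
]
SNIFF_ALLOWED = [
    "2.851628 172.20.121.56.59046 -> 208.91.112.52.53: udp 43",
    "2.916281 208.91.112.52.53 -> 172.20.121.56.59046: udp 436",
    "3.336945 10.1.2.102.51755 -> 208.91.112.53.53: udp 37",
    "3.338611 208.91.112.53.53 -> 10.1.2.102.51755: udp 37",
]


def parse_dnsproxy(text):
    """Return ({ip: {port, secure, ready}}, (fdg_ip, fdg_port) or None)."""
    servers, fdg = {}, None
    for line in text.splitlines():
        m = SERVER_RE.search(line)
        if m:
            ip, port, rest = m.groups()
            kv = dict(item.split("=", 1) for item in rest.split() if "=" in item)
            servers[ip] = {"port": int(port), "secure": kv.get("secure") == "1",
                           "ready": kv.get("ready") == "1"}
            continue
        m = FDG_RE.search(line)
        if m:
            fdg = (m.group(1), int(m.group(2)))
    return servers, fdg


def secure_servers(text):
    """IPs the FortiGate lists as FortiDNS (secure=1) servers."""
    servers, _ = parse_dnsproxy(text)
    return {ip for ip, entry in servers.items() if entry["secure"]}


def check_fortidns(text, expected_ip, expected_port=53):
    """Confirm FDG_SERVER is the configured server and that it is secure and ready."""
    servers, fdg = parse_dnsproxy(text)
    problems = []
    if fdg != (expected_ip, expected_port):
        problems.append(f"FDG_SERVER is {fdg}, expected {expected_ip}:{expected_port}")
    entry = servers.get(expected_ip)
    if entry is None:
        problems.append(f"{expected_ip} missing from dns-server list")
    elif not entry["secure"]:
        problems.append(f"{expected_ip} has secure=0 (not a FortiDNS entry)")
    elif not entry["ready"]:
        problems.append(f"{expected_ip} has ready=0")
    return {"ok": not problems, "fdg": fdg, "problems": problems}


def classify_sniffer(lines, fortidns_ips):
    """Count port-53 queries per destination (FortiDNS vs plain) and replies per source."""
    queries = {"fortidns": Counter(), "plain": Counter()}
    replies = Counter()
    for line in lines:
        m = SNIFF_RE.match(line)
        if not m:  # header line or non-UDP traffic
            continue
        _ts, src, sport, dst, dport, _length = m.groups()
        if dport == "53":
            queries["fortidns" if dst in fortidns_ips else "plain"][dst] += 1
        elif sport == "53":
            replies[src] += 1
    return {"queries": queries, "replies": replies}
```

Feed check_fortidns the dnsproxy output with the server you configured in section 5; a non-empty problems list points at the mismatch (wrong FDG_SERVER, the server absent from the list, or secure=0 or ready=0). For the sniffer, classify_sniffer with secure_servers(...) as the second argument shows at a glance whether any lookups were sent to a FortiDNS server at all; if every query lands in the plain bucket, the DNS traffic is not passing through a policy with the DNS filter applied.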

FortiGuard has the wrong categorization for a website: If you believe a website has been placed in the wrong category by FortiGuard, you can submit the URL for re-classification on the FortiGuard website.
The post DNS Filtering appeared first on Fortinet Cookbook.