DNS web filtering: setup and server selection

Facebooktwittergoogle_pluslinkedinFacebooktwittergoogle_pluslinkedin

In this recipe you will set up FortiGuard DNS web filtering to block access to bandwidth consuming websites. As part of the setup you will be able to select the FortiGuard Web Filtering server that your FortiGate will use to lookup URLs.

1. Selecting the FortiGuard DNS web filtering server (optional)

You can use the default FortiGuard web filtering server located in Sunnyvale, USA (IP address 208.91.112.220), or you can switch to the server in London, UK (IP address 80.85.69.54). Communication between your FortiGate and the FortiGuard DNS web filtering server uses Fortinet’s proprietary DNS communication protocol.

config system fortiguard
   set webfilter-sdns-server-ip 208.91.112.220
end

The North American server should work in most cases, however you can switch to the European server to see if it improves latency.

2. Creating a DNS web filter profile

Go to Security Profiles > Web Filter, and edit the default web filter profile.

Set Inspection Mode to DNS.

Enable FortiGuard Categories, right-click Bandwidth Consuming, and set it to Block.

3. Enabling web filtering in a security policy

Creating a firewall policy and adding the DNS profile to it will mean all traffic that matches the policy will be redirected to the FortiGuard DNS web filtering server.

Go to Policy & Objects > IPv4, and edit the outgoing policy that allows Internet access.

Under Security Profiles, enable Web Filter and set it to default.

4. Results

Verify that the correct FortiGuard DNS web filtering server is configured using the following diagnose command:

diag test application dnsproxy 3

The resulting output should indicate that communication with the correct DNS server was established. For example:

FWF60D4615016384 # diag test application dnsproxy 3
vdom: root, index=0, is master, vdom dns is enabled, mip-169.254.0.1 dns_log=1
dns64 is disabled
dns-server:208.91.112.53:53 tz=0 req=919160 to=545900 res=117880 rt=1800 secure=0 ready=1 
dns-server:208.91.112.52:53 tz=0 req=913029 to=520111 res=134810 rt=6 secure=0 ready=1 
dns-server:208.91.112.220:53 tz=-480 req=0 to=0 res=0 rt=0 secure=1 ready=1
dns-server:80.85.69.54:53 tz=0 req=0 to=0 res=0 rt=0 secure=1 ready=1
vfid=0, interface=wan1, ifindex=6, recursive, dns
DNS_CACHE: hash-size=2048, ttl=1800, min-ttl=60, max-num=5000
DNS FD: udp_s=12 udp_c=14:15 ha_c=18 unix_s=19, unix_nb_s=20, unix_nc_s=21, v6_udp_s=11, v6_udp_c=16:17
DNS FD: tcp_s=24, tcp_s6=23
FQDN: hash_size=1024, current_query=1024
DNS_DB: response_buf_sz=131072
LICENSE: expiry=2016-08-15, expired=0, type=2
FDG_SERVER:208.91.112.220:53
SERVER_LDB: gid=6d61, tz=-480
FGD_REDIR:208.91.112.55 

This CLI result shows that the DNS server IP is set to the North American server, and is being accessed through port 53 (208.91.112.220:53).

Next, verify that bandwidth consuming sites are blocked, while other URLs are allowed.
Go to the CLI Console and enter the following:

diagnose sniffer packet any 'port 53' and 'host 195.8.215.138' 4

The resulting output should indicate that the IP (in this example, dailymotion.co.uk) was blocked by the North American server that was configured in step 1:

interfaces=[any]
filters=[port 53]
2.026733 172.20.121.56.59046 -> 208.91.112.220.53: udp 117
2.027316 172.20.121.56.59046 -> 80.85.69.54.53: udp 112
2.028480 172.20.121.56.59046 -> 208.91.112.220.53: udp 116
2.029591 172.20.121.56.59046 -> 208.91.112.220.53: udp 117

Open a browser and navigate to dailymotion.co.uk. The page will be blocked.

Enter the following CLI command to sniff packets with the destination URL that does not belong to the bandwidth consuming category:

diagnose sniffer packet any 'port 53' and 'host 194.153.110.160' 4

The resulting output should indicate that the IP (in this example, paris.fr) was allowed by FortiGuard:

interfaces=[any]
filters=[port 53]
2.851628 172.20.121.56.59046 -> 208.91.112.52.53: udp 43
2.916281 208.91.112.52.53 -> 172.20.121.56.59046: udp 436
3.336945 10.1.2.102.51755 -> 208.91.112.53.53: udp 37
3.338611 208.91.112.53.53 -> 10.1.2.102.51755: udp 37
Fortinet Technical Documentation

Fortinet Technical Documentation

Contact Fortinet Technical Documentation at techdoc@fortinet.com.
Fortinet Technical Documentation

Latest posts by Fortinet Technical Documentation (see all)

Facebooktwittergoogle_pluslinkedinFacebooktwittergoogle_pluslinkedin