Using DNS Filters to block external requests & vDOM based DNS for Explicit Proxy

Using DNS Filters to block external requests & vDOM based DNS for Explicit Proxy

Today I wanted to share some experimentation's I've been doing on a few FortiOS features: the FortiOS DNS Server, another DNS related feature called vDOM DNS and the FortiOS DNS Filtering feature.

This article ideas and goal are resumed within the following few points:

  • Segment and control DNS resolutions.
  • Provide local domains only recursive DNS resolutions for endpoints.
  • Redirect/Block external DNS resolutions on endpoints.
  • Configure external DNS resolution on a given vDOM so that the Explicit Proxy can uniquely resolve external resources.

The idea is that clients/endpoints would be able to resolve through a FortiOS based DNS server any and all LAN/local domains. This while denying direct DNS requests upon anything else.

In order to provide external DNS resolutions and internet connectivity, our conveyor here will be the FortiOS Explicit Proxy. The Explicit Proxy will do DNS resolutions on behalf of our clients/endpoints.

Below you'll find a view of the configuration which setup is based on this article:

Each segments here represents a FortiGate Virtual Domain. Now with such a configuration, let's focus on DNS settings within the LAN segment for example.

In this segment, either you'd be using a FortiGate local DNS servers in non-recursive mode, which will lookup local (to the FGT) DNS records and fail if not found or you'd set it up in recursive mode which will lookup local (to the FGT) DNS records and forward to the FortiGate system DNS if the request cannot be locally satisfied.

Well, in a more complex scenario where you'd want to resolve local domains across extended networks, with DNS databases hosted on different FortiGate's or systems etc, you'd want to use the recursive option. Although, the recursive option has one draw back so to speak. In recursive mode, your DNS server will forward any non resolved requests further up the FortiGate system DNS in order to gather a reply. That means that any name resolution, depending on your configuration, might be successful.

This might not be wanted. Personally, I'd rather have local domains DNS resolutions solely on my endpoints thus relying on the FortiOS Explicit Proxy for anything beyond my perimeter.

In order to achieve a working configuration, I've set in place on the DNS Server seated in my root vDOM, the main DNS server in my configuration, the following DNS Filters:

DNS filtering has the following features:

  • FortiGuard Filtering: filters the DNS request based on the FortiGuard domain rating.
  • Botnet C&C domain blocking: blocks the DNS request for the known botnet C&C domains.
  • External dynamic category domain filtering: allows you to define your own domain category.
  • DNS safe search: enforces Google, Bing, and YouTube safe addresses for parental controls.
  • Local domain filter: allows you to define your own domain list to block or allow.
  • External IP block list: allows you to define an IP block list to block resolved IPs that match this list.
  • DNS translation: maps the resolved result to another IP that you define.

Hence, each endpoints within the LAN vDOM will receive the main root DNS server information through DHCP. With the aforementioned DNS Filters in place, any non *.lan/*.dmz requests will be redirected to a specific IP (on which you might want to run a small web server informing about this redirection). Therefore the only possible resolutions are our set Local Domains.

Now, in order to be able to reach any outbound resources, we'll use a neat feature from the FortiGate arsenal. Within a FortiGate you're able to specify a per vDOM DNS server setting. This is configured from the CLI like this:

    FGT (vPROXY) # conf sys vdom-dns

    FGT (vdom-dns) # sh
    config system vdom-dns
        set vdom-dns enable
        set primary
        set secondary
        set ssl-certificate ''
        set source-ip x.x.x.x

What this provides is that for any users behind internal vDOMs (DMZ/LAN/VPN) using our Explicit Proxy (vPROXY), any proxy sent requests will be resolved from within the specific vDOM our Explicit Proxy sits in. In my current scheme, the vPROXY vDOM.

And here is an example illustrating this:

As you can see, our endpoint cannot directly resolve although through the Explicit Proxy, any outbound requests is successfully carried by the Explicit Proxy itself. I'm not showing it here but of course any local domains resolutions are successful. This either on the current FortiGate or across IPsec extended networks.

In order to troubleshoot your DNS Filtering you can gather the current setup from the FortiGate CLI:

sudo global diagnose test application dnsproxy 3

The Fortinet DNS Filter official documentation is found here.

With such a setup you could also ensure that within the vWAN vDOM in my example above; the source ip able to perform any external DNS requests is our Explicit Proxy uniquely and of course log all of these requests and apply further DNS Filterings if so needed/wanted.

Thanks for the read, any questions just email me below.

Image credit: The Twentieth Century Fox Film Corporation

Show Comments