Description
Enable DNS Filter safe search so that FortiGate responds with the search engine's children and school safe domain or IP address.
Users might not be aware of this filter.
Explicit contents are filtered by the search engine itself.
This feature is not 100% accurate but it can help to avoid explicit and inappropriate search results.
This feature currently supports Google, Bing, and YouTube.
Related document.
https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/12534/dns-safe-search
https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/12534/dns-safe-search
Solution
DNS safe search.
To configure DNS Filter Safe Search from GUI:
1) Go to Security Profiles -> DNS Filter and edit or create a DNS Filter.
2) Enable Enforce 'Safe search' on Google, Bing, YouTube.
3) For Restrict YouTube Access, select 'Strict' or 'Moderate'.
To configure DNS Filter Safe Search from CLI.
# config dnsfilter profileSample.
edit "demo"
# config ftgd-dns
set options error-allow
config filters
edit 2
set category 2
next
...
end
end
set log-all-domain enable
set block-botnet enable
set safe-search enable <----- DNS Filter Safe Search option.
next
end
To see an example of how this works, enable this option.
From the internal network PC, use a command line tool such as 'dig' or 'nslookup' to do a DNS query on www.bing.com.
For example:
# dig www.bing.com
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 46568
;; Flags: qr rd ra; QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 0
;; QUESTION SECTION:
;; www.bing.com. IN A
;; ANSWER SECTION:
www.bing.com. 103 IN CNAME strict.bing.com. <-----
strict.bing.com. 103 IN A 204.79.197.220
;; Received 67 BThe DNS query for www.bing.com returns with a CNAME strict.bing.com, and A record for the CNAME.
;; Time 2019-04-05 14:34:52 PDT
;; From 172.16.95.16@53(UDP) in 196.0 ms
The user's web browser then connects to this address with the same search engine GUI but any explicit content search is filtered out.
Check the DNS Filter log for the message DNS Safe Search enforced.
To check the DNS Filter Safe Search log from CLI.
1: date=2019-04-05 time=14:34:53 logid="1501054804" type="utm" subtype="dns" eventtype="dns-response" level="notice" vd="vdom1" eventtime=1554500093 policyid=1 sessionid=65955 srcip=10.1.100.18 srcport=36575 srcintf="port10" srcintfrole="undefined" dstip=172.16.95.16 dstport=53 dstintf="port9" dstintfrole="undefined" proto=17 profile="demo" xid=59573 qname="www.bing.com" qtype="A" qtypeval=1 qclass="IN" ipaddr="204.79.197.220" msg="DNS Safe Search enforced" action="pass" sscname="strict.bing.com" cat=41 catdesc="Search Engines and Portals"To check the DNS Filter Safe Search on a Windows machine:
2: date=2019-04-05 time=14:34:53 logid="1500054000" type="utm" subtype="dns" eventtype="dns-query" level="information" vd="vdom1" eventtime=1554500092 policyid=1 sessionid=65955 srcip=10.1.100.18 srcport=36575 srcintf="port10" srcintfrole="undefined" dstip=172.16.95.16 dstport=53 dstintf="port9" dstintfrole="undefined" proto=17 profile="demo" xid=59573 qname="www.bing.com" qtype="A" qtypeval=1 qclass="IN"
Safe Search Disabled:
Safe Search Enabled:
Additional information.
For each search engine's safe search specifications, see its specification page:
- https://help.bing.microsoft.com/#apex/18/en-US/10003/0
- https://support.google.com/websearch/answer/510?co=GENIE.Platform%3DDesktop&hl=en
- https://support.google.com/youtube/answer/174084?co=GENIE.Platform%3DDesktop&hl=en
For each search engine's safe search specifications, see its specification page:
- https://help.bing.microsoft.com/#apex/18/en-US/10003/0
- https://support.google.com/websearch/answer/510?co=GENIE.Platform%3DDesktop&hl=en
- https://support.google.com/youtube/answer/174084?co=GENIE.Platform%3DDesktop&hl=en
