Description
Enable DNS Filter safe search so that FortiGate responds with the search engine's child- and school-safe domain or IP address.
Users might not be aware of this filter.
Explicit contents are filtered by the search engine itself.
This feature is not 100% accurate but it can help to avoid explicit and inappropriate search results.
This feature currently supports Google, Bing, and YouTube.
Related documents:
https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/12534/dns-safe-search
https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/12534/dns-safe-search
Solution
DNS safe search.
To configure DNS Filter Safe Search from GUI:
1) Go to Security Profiles -> DNS Filter and edit or create a DNS Filter.
2) Enable Enforce 'Safe search' on Google, Bing, YouTube.
3) For Restrict YouTube Access, select 'Strict' or 'Moderate'.
Sample.
# config dnsfilter profile
    edit "demo"
        config ftgd-dns
            set options error-allow
            config filters
                edit 2
                    set category 2
                next
                ...
            end
        end
        set log-all-domain enable
        set block-botnet enable
        set safe-search enable      <----- DNS Filter Safe Search option.
    next
end
# dig www.bing.com
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 46568
;; Flags: qr rd ra; QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 0
;; QUESTION SECTION:
;; www.bing.com. IN A
;; ANSWER SECTION:
www.bing.com. 103 IN CNAME strict.bing.com. <-----
strict.bing.com. 103 IN A 204.79.197.220
;; Received 67 B
;; Time 2019-04-05 14:34:52 PDT
;; From 172.16.95.16@53(UDP) in 196.0 ms
The DNS query for www.bing.com returns a CNAME, strict.bing.com, and the A record for that CNAME.
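The CNAME check shown in the dig output above can be automated against saved resolver output. This is an added example, not part of the original article or Fortinet's code: the function names are hypothetical, the Google and YouTube safe-search hostnames are assumptions not taken from this page, and the second sample answer is constructed.

```python
import re

# Safe-search CNAME targets per engine. strict.bing.com comes from the dig
# output above; the Google and YouTube names are assumptions added here.
SAFE_TARGETS = {
    "www.bing.com": {"strict.bing.com"},
    "www.google.com": {"forcesafesearch.google.com"},
    "www.youtube.com": {"restrict.youtube.com", "restrictmoderate.youtube.com"},
}
# One answer record: owner, TTL, class, type, rdata (trailing notes ignored).
RR_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(CNAME|A|AAAA)\s+(\S+)")

def norm(name):
    return name.rstrip(".").lower()

def parse_answers(dig_text):
    """Return (cnames, addrs) built from the record lines of dig output."""
    cnames, addrs = {}, {}
    for line in dig_text.splitlines():
        m = RR_RE.match(line.strip())
        if not m:  # ';;' header, question and statistics lines
            continue
        owner, rtype, rdata = m.groups()
        if rtype == "CNAME":
            cnames[norm(owner)] = norm(rdata)
        else:
            addrs.setdefault(norm(owner), []).append(rdata)
    return cnames, addrs

def check_safe_search(qname, dig_text):
    """Enforced only if the CNAME chain passes a safe target and resolves."""
    cnames, addrs = parse_answers(dig_text)
    name, chain = norm(qname), []
    while name in cnames and name not in chain:  # stop on a CNAME loop
        chain.append(name)
        name = cnames[name]
    chain.append(name)
    safe = SAFE_TARGETS.get(chain[0], set())
    enforced = any(n in safe for n in chain[1:]) and name in addrs
    return {"chain": chain, "addresses": addrs.get(name, []), "enforced": enforced}

# Answer section copied from the dig output above (annotation arrow included).
ARTICLE_ANSWER = ("www.bing.com. 103 IN CNAME strict.bing.com. <-----\n"
                  "strict.bing.com. 103 IN A 204.79.197.220\n")
# Constructed answer from a resolver that does not rewrite the query.
UNFILTERED = ("www.bing.com. 300 IN CNAME edge.example.net.\n"
              "edge.example.net. 60 IN A 203.0.113.10\n")

if __name__ == "__main__":
    print(check_safe_search("www.bing.com", ARTICLE_ANSWER))
```

A result with "enforced" set to False for a client that should be covered means its queries are not passing through a policy with the DNS Filter profile applied.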
1: date=2019-04-05 time=14:34:53 logid="1501054804" type="utm" subtype="dns" eventtype="dns-response" level="notice" vd="vdom1" eventtime=1554500093 policyid=1 sessionid=65955 srcip=10.1.100.18 srcport=36575 srcintf="port10" srcintfrole="undefined" dstip=172.16.95.16 dstport=53 dstintf="port9" dstintfrole="undefined" proto=17 profile="demo" xid=59573 qname="www.bing.com" qtype="A" qtypeval=1 qclass="IN" ipaddr="204.79.197.220" msg="DNS Safe Search enforced" action="pass" sscname="strict.bing.com" cat=41 catdesc="Search Engines and Portals"
2: date=2019-04-05 time=14:34:53 logid="1500054000" type="utm" subtype="dns" eventtype="dns-query" level="information" vd="vdom1" eventtime=1554500092 policyid=1 sessionid=65955 srcip=10.1.100.18 srcport=36575 srcintf="port10" srcintfrole="undefined" dstip=172.16.95.16 dstport=53 dstintf="port9" dstintfrole="undefined" proto=17 profile="demo" xid=59573 qname="www.bing.com" qtype="A" qtypeval=1 qclass="IN"
To check the DNS Filter Safe Search on a Windows machine: