wdeloraine_FTNT
Article Id 288761
Description: This article describes the behavior of the DNS filter feature.
Scope: FortiGate.
Solution:

The outputs and configuration below are based on the following topology.

The article will describe the path of a user-filtered DNS request through the DNS filter feature of FortiOS.

[Figure: dns-filer.png (network topology)]

Used firewall policy:


config firewall policy
    edit 1
        set name "Internet_Access"
        set srcintf "port2" --> LAN interface
        set dstintf "port1" --> WAN interface
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set dnsfilter-profile "test-default"
        set logtraffic all
        set nat enable
    next
end


Used DNS filter:


config dnsfilter profile
    edit "test-default"
        config ftgd-dns
            config filters
                edit 1
                    set category 12
                next
                ... (truncated)
                edit 4
                    set category 8
                    set action block
                next
                edit 5
                    set category 9
                next
                ...(truncated)
                    set category 14
                    set action block
                next
                ...(truncated)
                edit 17
                    set category 25
                    set action block
                next
                edit 18
                    set category 26
                    set action block
                next
                edit 19
                    set category 61
                    set action block
                next
                edit 20
                    set category 86
                    set action block
                next
                edit 21
                    set category 88
                    set action block
                next
                edit 22
                    set category 90
                    set action block
                next
                edit 23
                    set category 91
                    set action block
                next
                edit 24
                next
            end
        end
        set log-all-domain enable
    next
end


This configuration will block any streaming website and redirect customers to the FortiGuard block web portal.


Here is a PCAP of the DNS server response captured on the WAN side; note the IP / hostname mapping.

[Figure: sdns-behave-wan.png (DNS server response, WAN side)]


Here is a PCAP of the same DNS response captured on the LAN side, as transmitted to the end user.

[Figure: sdns-behave-lan.png (DNS server response, LAN side)]


The two 'A' records differ because the DNS transaction has been checked and categorized by the DNS filter feature.


This behavior can be verified by debugging the dnsproxy daemon.

Here is the associated output:

diagnose debug application dnsproxy -1
diagnose debug enable

# Request received
[worker 0] udp_receive_redirect()-2996: vd=0, vrf=0, intf=4, len=29, alen=16, 10.183.15.215:59263=>208.67.222.222

[worker 0] dns_secure_get_policy_profile()-2648: vd=0 10.183.15.215:59263=>208.67.222.222:53

[worker 0] dns_secure_log_request()-1197: write to log: qname=youtube.com qtype=1
[worker 0] dns_profile_do_url_rating()-1922: vfid=0 profile=test-default category=255 domain=youtube.com

[worker 0] dns_rating_cache_check()-575: domain=youtube.com
[worker 0] dns_query_save_response()-2454: domain=youtube.com pktlen=45
[worker 0] dns_adjust_ttl_values()-139
[worker 0] dns_adjust_ttl_values()-142: Offset of 1st RR: 29
[worker 0] dns_adjust_ttl_values()-144: Number of RR's: 1
[worker 0] dns_adjust_ttl_values()-155: New ttl: 245

[worker 0] dns_send_rating_request()-968: orig id: 0x0e5a local id: 0x0e5a domain=youtube.com

# Request rating
[worker 0] dns_tcps_forward_rating_request()-1150
[worker 0] dns_tcps_conn_connect()-971
[worker 0] _dns_tcps_conn_connect()-723: connecting to 173.243.140.53:853 via vfid=0 status=0
[worker 0] udp_receive_redirect()-2939
[worker 0] _dns_tcps_conn_connect()-723: connecting to 173.243.140.53:853 via vfid=0 status=17
[worker 0] _dns_tcps_conn_connect()-723: connecting to 173.243.140.53:853 via vfid=0 status=18
[worker 0] _dns_tcps_conn_connect()-723: connecting to 173.243.140.53:853 via vfid=0 status=18
[worker 0] dns_tcps_conn_write()-563: to 173.243.140.53:853 mode=0 vfid=0 status=5

[worker 0] _dns_tcps_conn_rating_write()-477: domain=youtube.com buf=0x7fc5894d27c0 sz=121 off=0

[worker 0] dns_parse_message()-663: TXT RR qname=secure-dns-version-1.fortinet.com
[worker 0] tcp_handle_response()-208: domain=youtube.com (id=0x0e5a)
[worker 0] dns_query_handle_rating_response()-2569: id:0x0e5a domain=youtube.com pktlen=92

[worker 0] dns_parse_message()-663: TXT RR qname=secure-dns-version-1.fortinet.com
[worker 0] dns_secure_txt_RR_char_string_decode()-412
[worker 0] dns_response_secure_RR_rdata_parse()-728: len=20 data=4642363473526b313467414141414d4141526b3d
[worker 0] dns_response_secure_RR_rdata_parse()-783: flag=0 gid=35e2

[worker 0] dns_rating_cache_add()-619: domain=youtube.com category=25
[worker 0] dns_forward_response()-1612
[worker 0] dns_secure_forward_response()-1568: category=25 profile=test-default
[worker 0] dns_visibility_log_hostname()-238: vd=0 pktlen=45
[worker 0] wildcard_fqdn_response_cb()-895: vd=0 pktlen=45
[worker 0] hostname_entry_insert()-143: af=2 domain=youtube.com
[worker 0] dns_profile_do_url_rating()-1922: vfid=0 profile=test-default category=25 domain=youtube.com

# action and used profile

[worker 0] dns_secure_apply_action()-2036: action=10 category=25 log=1 error_allow=0 profile=test-default

[worker 0] dns_send_response()-1539: domain=youtube.com reslen=45
[worker 0] dns_secure_log_response()-1271: id:0x5a0e domain=youtube.com profile=test-default action=10 log=1

[worker 0] dns_secure_log_response()-1509: write to log: logid=54803 qname=youtube.com

# reply sent to customer

[worker 0] __dns_udp_forward_response()-1485: vd=0 send 45B response 208.67.222.222:53=>10.183.15.215:59263
[worker 0] dns_query_delete()-580: orig id:0x0e5a local id:0x0e5a domain=youtube.com active
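As an added example (not part of the original article), the following Python script parses dnsproxy debug lines like those above and reconstructs the transaction per queried domain: the client and its resolver, the SDNS rating server contacted, the category the rating returned, the numeric action code, and the log ID written. The sample input is a constructed subset of the trace above. The action code is reported as-is: the trace shows action=10 for the blocked youtube.com lookup, but the article does not document the code table, so the script does not translate it.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample input: a subset of the dnsproxy debug lines from the trace above
# (one transaction, handled by a single worker).
SAMPLE_DEBUG = """\
[worker 0] udp_receive_redirect()-2996: vd=0, vrf=0, intf=4, len=29, alen=16, 10.183.15.215:59263=>208.67.222.222
[worker 0] dns_secure_log_request()-1197: write to log: qname=youtube.com qtype=1
[worker 0] dns_profile_do_url_rating()-1922: vfid=0 profile=test-default category=255 domain=youtube.com
[worker 0] dns_send_rating_request()-968: orig id: 0x0e5a local id: 0x0e5a domain=youtube.com
[worker 0] _dns_tcps_conn_connect()-723: connecting to 173.243.140.53:853 via vfid=0 status=0
[worker 0] dns_rating_cache_add()-619: domain=youtube.com category=25
[worker 0] dns_secure_apply_action()-2036: action=10 category=25 log=1 error_allow=0 profile=test-default
[worker 0] dns_secure_log_response()-1509: write to log: logid=54803 qname=youtube.com
[worker 0] __dns_udp_forward_response()-1485: vd=0 send 45B response 208.67.222.222:53=>10.183.15.215:59263
"""


@dataclass
class DnsFilterTransaction:
    qname: str
    client: Optional[str] = None          # client IP:port seen in udp_receive_redirect()
    resolver: Optional[str] = None        # real DNS server the client asked
    qtype: Optional[int] = None
    profile: Optional[str] = None         # DNS filter profile applied by the policy
    rating_server: Optional[str] = None   # FortiGuard SDNS server (TCP 853 in the trace)
    category: Optional[int] = None        # category returned by SDNS (dns_rating_cache_add)
    action: Optional[int] = None          # numeric action code from dns_secure_apply_action()
    logged: bool = False
    logid: Optional[int] = None
    response_len: Optional[int] = None    # bytes sent back to the client


# One pattern per dnsproxy function whose line carries data we care about.
_RECV = re.compile(r"udp_receive_redirect\(\)-\d+: .*?(\d+\.\d+\.\d+\.\d+:\d+)=>(\d+\.\d+\.\d+\.\d+)")
_QNAME = re.compile(r"dns_secure_log_request\(\).*?qname=(\S+) qtype=(\d+)")
_PROFILE = re.compile(r"dns_profile_do_url_rating\(\).*?profile=(\S+) category=(\d+) domain=(\S+)")
_CONNECT = re.compile(r"_dns_tcps_conn_connect\(\).*?connecting to (\d+\.\d+\.\d+\.\d+:\d+)")
_CACHE = re.compile(r"dns_rating_cache_add\(\).*?domain=(\S+) category=(\d+)")
_ACTION = re.compile(r"dns_secure_apply_action\(\).*?action=(\d+) category=(\d+) log=(\d) .*?profile=(\S+)")
_LOGID = re.compile(r"dns_secure_log_response\(\).*?logid=(\d+) qname=(\S+)")
_SEND = re.compile(r"__dns_udp_forward_response\(\).*?send (\d+)B response")


def parse_dnsproxy_debug(text: str) -> Dict[str, DnsFilterTransaction]:
    """Fold debug lines into one DnsFilterTransaction per queried name.

    Lines that do not name the domain (receive, connect, apply_action, send) are
    attached to the most recently seen query; this assumes a single worker, which is
    what the trace shows.
    """
    txns: Dict[str, DnsFilterTransaction] = {}
    current: Optional[DnsFilterTransaction] = None
    pending_client: Optional[str] = None
    pending_resolver: Optional[str] = None
    for line in text.splitlines():
        if m := _RECV.search(line):
            pending_client, pending_resolver = m.group(1), m.group(2)
        elif m := _QNAME.search(line):
            current = txns.setdefault(m.group(1), DnsFilterTransaction(qname=m.group(1)))
            current.qtype = int(m.group(2))
            current.client, current.resolver = pending_client, pending_resolver
        elif m := _PROFILE.search(line):
            txns.setdefault(m.group(3), DnsFilterTransaction(qname=m.group(3))).profile = m.group(1)
        elif (m := _CONNECT.search(line)) and current:
            current.rating_server = m.group(1)
        elif m := _CACHE.search(line):
            txns.setdefault(m.group(1), DnsFilterTransaction(qname=m.group(1))).category = int(m.group(2))
        elif (m := _ACTION.search(line)) and current:
            current.action = int(m.group(1))
            current.category = int(m.group(2))
            current.logged = m.group(3) == "1"
            current.profile = m.group(4)
        elif m := _LOGID.search(line):
            txns.setdefault(m.group(2), DnsFilterTransaction(qname=m.group(2))).logid = int(m.group(1))
        elif (m := _SEND.search(line)) and current:
            current.response_len = int(m.group(1))
    return txns


def summarize(txn: DnsFilterTransaction) -> str:
    """One-line summary suitable for a ticket or a quick sanity check."""
    return (f"{txn.client} -> {txn.resolver} asked {txn.qname} (qtype {txn.qtype}); "
            f"rated by {txn.rating_server} as category {txn.category}; "
            f"profile {txn.profile} applied action {txn.action}, logid {txn.logid}, "
            f"{txn.response_len}B response returned")


if __name__ == "__main__":
    for t in parse_dnsproxy_debug(SAMPLE_DEBUG).values():
        print(summarize(t))
```

Feed it the full output of `diagnose debug application dnsproxy -1` captured to a file; each domain ends up as one record, which is much quicker to scan than the raw trace when checking why a name was or was not redirected.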


To sum up the behavior:

  • The client sends a DNS query to its configured DNS server.
  • dnsproxy intercepts the request.
  • dnsproxy sends a rating request for the queried domain to the FortiGuard SDNS servers.
  • The SDNS server replies with a category rating.
  • dnsproxy then acts according to the action configured for that category in the DNS filter profile:
    • If the action is redirect to the block portal, dnsproxy modifies the reply from the real DNS server so that it carries the IP of the FortiGuard block page (this address can also be tuned).
    • If the action is allow, the reply from the real DNS server is forwarded to the client.
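To make that summary concrete, here is an added, self-contained Python model of the behavior. It is not FortiOS code (the real dnsproxy implementation is not on this page): it builds the resolver's 45-byte reply for youtube.com exactly as the trace reports it (len=29 query plus a compressed-name A record), looks the name up in a constructed rating table (only youtube.com -> category 25 comes from the article), and when the category is one the test-default profile blocks, rewrites the A record RDATA to a placeholder block-portal address while leaving the rest of the packet intact, which is the difference the two PCAPs above show. The block-portal IP, the example.net entry and the resolver addresses are constructed values.

```python
import ipaddress
import struct
from typing import Dict, List, Optional, Set, Tuple

# Placeholder block-portal address (RFC 5737 documentation range). The real FortiGuard
# block-page IP appears only in the article's PCAP screenshots and can be tuned in FortiOS.
BLOCK_PORTAL_IP = "192.0.2.1"

# Categories the article's "test-default" profile sets to "action block".
BLOCKED_CATEGORIES: Set[int] = {8, 14, 25, 26, 61, 86, 88, 90, 91}

# Constructed stand-in for the FortiGuard SDNS rating service. Only youtube.com -> 25
# comes from the article's debug trace; example.net -> 12 is made up for the allow path.
RATING_TABLE: Dict[str, int] = {"youtube.com": 25, "example.net": 12}


def encode_name(name: str) -> bytes:
    """Encode a domain name in DNS label format (no compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def build_a_response(txid: int, qname: str, ip: str, ttl: int) -> bytes:
    """Constructed resolver reply: one question and one A answer whose owner name is a
    compression pointer to the question (0xC00C), the way real resolvers send it."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1, RD=1, RA=1; 1 question, 1 answer
    question = encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + ipaddress.IPv4Address(ip).packed
    return header + question + answer


def _read_name(pkt: bytes, off: int, hops: int = 0) -> Tuple[str, int]:
    """Return (name, offset just past the name). Follows compression pointers with a
    hop limit so a malformed packet cannot make the parser loop forever."""
    labels: List[str] = []
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if hops > 8:
                raise ValueError("compression pointer loop")
            ptr = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            tail, _ = _read_name(pkt, ptr, hops + 1)
            labels.append(tail)
            return ".".join(labels), off + 2
        if length == 0:
            return ".".join(labels), off + 1
        labels.append(pkt[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length


def answer_ips(resp: bytes) -> List[str]:
    """List the IPv4 addresses carried by the A records in the answer section."""
    ancount = struct.unpack("!H", resp[6:8])[0]
    _, off = _read_name(resp, 12)
    off += 4                                             # skip QTYPE/QCLASS
    ips: List[str] = []
    for _ in range(ancount):
        _, off = _read_name(resp, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(str(ipaddress.IPv4Address(bytes(resp[off:off + 4]))))
        off += rdlen
    return ips


def filter_response(resp: bytes, blocked: Set[int], ratings: Dict[str, int]) -> Tuple[bytes, Optional[int], str]:
    """Model of the dnsproxy decision: rate the queried name and, if its category is
    blocked, rewrite every A record's RDATA to the block portal. Packet length and TTL
    are untouched, so the client still receives a 45-byte reply for youtube.com."""
    qname, off = _read_name(resp, 12)
    off += 4
    category = ratings.get(qname)                        # None: no rating available
    if category is None or category not in blocked:
        return resp, category, "pass"
    out = bytearray(resp)
    ancount = struct.unpack("!H", resp[6:8])[0]
    for _ in range(ancount):
        _, off = _read_name(out, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", out[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            out[off:off + 4] = ipaddress.IPv4Address(BLOCK_PORTAL_IP).packed
        off += rdlen
    return bytes(out), category, "block"


if __name__ == "__main__":
    wan_side = build_a_response(0x0E5A, "youtube.com", "203.0.113.10", 245)   # constructed resolver answer
    lan_side, cat, act = filter_response(wan_side, BLOCKED_CATEGORIES, RATING_TABLE)
    print(len(wan_side), answer_ips(wan_side), "->", cat, act, answer_ips(lan_side))
```

The rewrite happens in place, which is why the WAN-side and LAN-side captures in the article have the same shape and differ only in the A record; a resolver reply carrying several A records would have every one of them pointed at the portal.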