The next outputs and configuration will rely on this topology.
The article will describe the path of a user-filtered DNS request through the DNS filter feature of FortiOS.
Used firewall policy:
config firewall policy
    edit 1
        set name "Internet_Access"
        set srcintf "port2"      --> LAN interface
        set dstintf "port1"      --> WAN interface
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set dnsfilter-profile "test-default"
        set logtraffic all
        set nat enable
    next
end
Used DNS filter:
config dnsfilter profile
    edit "test-default"
        config ftgd-dns
            config filters
                edit 1
                    set category 12
                next
                ... (truncated)
                edit 4
                    set category 8
                    set action block
                next
                edit 5
                    set category 9
                next
                ... (truncated)
                    set category 14
                    set action block
                next
                ... (truncated)
                edit 17
                    set category 25
                    set action block
                next
                edit 18
                    set category 26
                    set action block
                next
                edit 19
                    set category 61
                    set action block
                next
                edit 20
                    set category 86
                    set action block
                next
                edit 21
                    set category 88
                    set action block
                next
                edit 22
                    set category 90
                    set action block
                next
                edit 23
                    set category 91
                    set action block
                next
                edit 24
                next
            end
        end
        set log-all-domain enable
    next
end
This configuration will block any streaming website and redirect customers to the FortiGuard block web portal.
Here is a PCAP of the DNS server response; pay attention to the IP / hostname mapping.
Here is a PCAP of the DNS server response on the LAN side, as transmitted to the end user.
The two 'A' records differ because the DNS transaction was checked and categorized by the DNS filter feature.
This behavior can be verified by debugging the dnsproxy daemon.
Here is the associated output:
diagnose debug application dnsproxy -1
diagnose debug en

# Request received
[worker 0] udp_receive_redirect()-2996: vd=0, vrf=0, intf=4, len=29, alen=16, 10.183.15.215:59263=>208.67.222.222
[worker 0] dns_secure_get_policy_profile()-2648: vd=0 10.183.15.215:59263=>208.67.222.222:53
[worker 0] dns_secure_log_request()-1197: write to log: qname=youtube.com qtype=1
[worker 0] dns_profile_do_url_rating()-1922: vfid=0 profile=test-default category=255 domain=youtube.com
[worker 0] dns_rating_cache_check()-575: domain=youtube.com
[worker 0] dns_query_save_response()-2454: domain=youtube.com pktlen=45
[worker 0] dns_adjust_ttl_values()-139
[worker 0] dns_adjust_ttl_values()-142: Offset of 1st RR: 29
[worker 0] dns_adjust_ttl_values()-144: Number of RR's: 1
[worker 0] dns_adjust_ttl_values()-155: New ttl: 245
[worker 0] dns_send_rating_request()-968: orig id: 0x0e5a local id: 0x0e5a domain=youtube.com

# Request rating
[worker 0] dns_tcps_forward_rating_request()-1150
[worker 0] dns_tcps_conn_connect()-971
[worker 0] _dns_tcps_conn_connect()-723: connecting to 173.243.140.53:853 via vfid=0 status=0
[worker 0] udp_receive_redirect()-2939
[worker 0] _dns_tcps_conn_connect()-723: connecting to 173.243.140.53:853 via vfid=0 status=17
[worker 0] _dns_tcps_conn_connect()-723: connecting to 173.243.140.53:853 via vfid=0 status=18
[worker 0] _dns_tcps_conn_connect()-723: connecting to 173.243.140.53:853 via vfid=0 status=18
[worker 0] dns_tcps_conn_write()-563: to 173.243.140.53:853 mode=0 vfid=0 status=5
[worker 0] _dns_tcps_conn_rating_write()-477: domain=youtube.com buf=0x7fc5894d27c0 sz=121 off=0
[worker 0] dns_parse_message()-663: TXT RR qname=secure-dns-version-1.fortinet.com
[worker 0] tcp_handle_response()-208: domain=youtube.com (id=0x0e5a)
[worker 0] dns_query_handle_rating_response()-2569: id:0x0e5a domain=youtube.com pktlen=92
[worker 0] dns_parse_message()-663: TXT RR qname=secure-dns-version-1.fortinet.com
[worker 0] dns_secure_txt_RR_char_string_decode()-412
[worker 0] dns_response_secure_RR_rdata_parse()-728: len=20 data=4642363473526b313467414141414d4141526b3d
[worker 0] dns_response_secure_RR_rdata_parse()-783: flag=0 gid=35e2
[worker 0] dns_rating_cache_add()-619: domain=youtube.com category=25
[worker 0] dns_forward_response()-1612
[worker 0] dns_secure_forward_response()-1568: category=25 profile=test-default
[worker 0] dns_visibility_log_hostname()-238: vd=0 pktlen=45
[worker 0] wildcard_fqdn_response_cb()-895: vd=0 pktlen=45
[worker 0] hostname_entry_insert()-143: af=2 domain=youtube.com
[worker 0] dns_profile_do_url_rating()-1922: vfid=0 profile=test-default category=25 domain=youtube.com

# action and used profile
[worker 0] dns_secure_apply_action()-2036: action=10 category=25 log=1 error_allow=0 profile=test-default
[worker 0] dns_send_response()-1539: domain=youtube.com reslen=45
[worker 0] dns_secure_log_response()-1271: id:0x5a0e domain=youtube.com profile=test-default action=10 log=1
[worker 0] dns_secure_log_response()-1509: write to log: logid=54803 qname=youtube.com

# reply sent to customer
[worker 0] __dns_udp_forward_response()-1485: vd=0 send 45B response 208.67.222.222:53=>10.183.15.215:59263
[worker 0] dns_query_delete()-580: orig id:0x0e5a local id:0x0e5a domain=youtube.com active
To sum up the behavior:
- The client sends a DNS query to its configured DNS server.
- dnsproxy intercepts the request.
- dnsproxy sends a rating request for the queried domain to the FortiGuard SDNS servers.
- The SDNS server replies with a category rating.
- dnsproxy then applies the action configured for that category in the DNS filter profile:
  - If the action is to redirect to the block portal, dnsproxy rewrites the reply received from the real DNS server so that its 'A' record points to the IP of the FortiGuard block page (this address can also be tuned).
  - If the action is to accept, the reply from the real DNS server is forwarded to the client.
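The redirect step above, as an added Python example that is not from the article or from FortiOS: it builds the 45-byte single-A-record reply seen in the debug output (id 0x0e5a, youtube.com, offset of the first RR at 29), looks the domain up in a constructed rating table that stands in for the SDNS TXT lookup, and rewrites the A record to a placeholder block-page address when the profile action is block. The block-page IP, the rating table and the category-to-action mapping are assumptions.

```python
import struct

# Constructed profile mirroring the page's "test-default" filter: category -> action.
PROFILE = {25: "block", 26: "block", 12: "allow", 9: "allow"}
BLOCK_PAGE_IP = "192.0.2.1"  # placeholder for the FortiGuard block-portal address (assumption)
# Constructed stand-in for the SDNS rating cache (the real rating is a TXT query to FortiGuard).
RATING_CACHE = {"youtube.com": 25, "example.com": 12}
UNRATED = 255  # category reported before the rating response arrives (see debug output)

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def build_a_response(txid, name, ip, ttl):
    """Minimal DNS reply: header, one question, one A answer using a pointer to the qname."""
    hdr = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack(">HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, ttl, 4) + bytes(int(o) for o in ip.split("."))
    return hdr + question + answer

def parse_name(pkt, off):
    labels = []
    while pkt[off]:
        n = pkt[off]
        labels.append(pkt[off + 1:off + 1 + n].decode())
        off += 1 + n
    return ".".join(labels), off + 1

def apply_profile(pkt):
    """Mimic dnsproxy: rate the qname, then forward the reply as-is or rewrite every
    A record in the answer section so it points at the block page. Returns (reply, category, action)."""
    txid, flags, qdcount, ancount = struct.unpack(">HHHH", pkt[:8])
    qname, off = parse_name(pkt, 12)
    off += 4  # skip qtype and qclass; off is now the offset of the first RR
    category = RATING_CACHE.get(qname, UNRATED)
    action = PROFILE.get(category, "allow")
    if action != "block":
        return pkt, category, action
    out = bytearray(pkt)
    for _ in range(ancount):
        if out[off] & 0xC0 == 0xC0:          # compressed owner name (2-byte pointer)
            off += 2
        else:                                # uncompressed label sequence
            _, off = parse_name(out, off)
        rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", out[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:        # A record: swap in the block-page address
            out[off:off + 4] = bytes(int(o) for o in BLOCK_PAGE_IP.split("."))
        off += rdlen
    return bytes(out), category, action

def last_answer_ip(pkt):
    """Helper for single-answer replies: the final 4 bytes are the A record rdata."""
    return ".".join(str(b) for b in pkt[-4:])
```

The transaction id and question section are left untouched so the client accepts the rewritten reply as the answer to its own query, which is why the two PCAPs above share everything except the 'A' record.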