FortiGate
pminarik (Staff)
Article Id 239549
Description

This article discusses the details of the static DNS filter's matching logic, with examples provided to illustrate the behavior.

Scope

The DNS filter operates only on DNS traffic and filters only domain names. To take specific block/allow actions based on detailed URL paths, such as the ones shown below, a web filter must be used:

example.com/allowed/section => allow
example.com/block/this/path => block

This article describes only the matching logic. For general information about the Static Domain Filter or DNS Filter profiles, refer to the documentation:

https://docs.fortinet.com/document/fortigate/7.0.9/administration-guide/529838

Solution

FortiOS has three types of static domain filters: simple, wildcard, and regular expression. The simple type behaves differently based on the inspection mode of the firewall policy (flow or proxy). Wildcard and regular expression types behave the same regardless of the inspection mode.

Simple filter - flow mode.

In flow-mode inspection, this filter performs a simple substring match. If the provided domain string is located anywhere in the evaluated domain name, the match is positive.

Example: simple filter 'fortinet.com'.

domain                   result
fortinet.com             match
fortunate.com            no match
www.fortinet.com         match
docs.fortinet.com        match
fakefortinet.com         match
fortinet.community       match
fortinet.com.fake.com    match

Note that the wildcard symbol '*' is not permitted in simple filters.

Simple filter - proxy mode.

In proxy-mode inspection, this filter matches the provided domain and any of its sub-domains, and it also matches if the string itself is a sub-domain of another domain.

Example: simple filter 'fortinet.com'.

domain                   result
fortinet.com             match
fortunate.com            no match
www.fortinet.com         match
docs.fortinet.com        match
fakefortinet.com         no match (differs from flow mode)
fortinet.community       no match (differs from flow mode)
fortinet.com.fake.com    match

Wildcard filter.

This filter accepts the wildcard '*' symbol. The filter is internally converted to a regular expression, with the provided string surrounded by word-boundary tokens (\b). Sub-domain matching is similar to a proxy-mode simple filter.

Example: wildcard filter 'fortinet.com'.

domain                   result
fortinet.com             match
fortunate.com            no match
www.fortinet.com         match
docs.fortinet.com        match
fakefortinet.com         no match
fortinet.community       no match
fortinet.com.fake.com    match
not-fortinet.com         match ('-' is a word-boundary character!)

The wildcard symbol '*' is a substitute for any number of arbitrary characters (including zero characters).

Example: wildcard filter '*fortinet.com'.

domain                   result
fortinet.com             match
fakefortinet.com         match
docs.fortinet.com        match
fortinet.community       no match

Note: Wrapping the domain string with '*' on both ends (*fortinet.com*) results in behavior identical to the flow-mode simple filter - a simple substring match.

Note that the filter '*.domain.com' will match sub-domains of 'domain.com' but will not match 'domain.com' itself.

Example: wildcard filter '*.fortinet.com'.

domain                       result
www.fortinet.com             match
docs.fortinet.com            match
fortinet.com                 no match (the filter requires '.' preceding 'fortinet')
fakefortinet.com             no match
docs.fortinet.com.fake.com   match

The wildcard symbol can also be used in the middle of the string.

Example: wildcard filter 'forti*net.com'.

domain                       result
fortinet.com                 match
fortifiednet.com             match
forti.other.examplenet.com   match
forti.net.com.fake.com       match
notfortinet.com              no match ('forti' is neither at the start of the string nor preceded by a word-boundary character)

Regular expression.

This filter operates using PCRE regular expressions. The list below shows a handful of useful or interesting filters.

regex filter              behavior
fortinet\.com             equivalent to the flow-mode simple filter (simple substring match; see above for match/no-match examples)
\bfortinet\.com\b         equivalent to the wildcard filter (see above)
^fortinet\.com$           precisely matches this domain only, no sub-domains
^\.fortinet\.com$         matches only the sub-domains of this domain (not the domain itself)
^(.*\.)*fortinet\.com$    matches the domain and any of its sub-domains

Note: In regular expressions, '.' is a wildcard symbol for a single character of any kind. In order to match the dot character literally, it must be escaped with a backslash.

regex filter              behavior
test\.example\.com        matches 'test.example.com' literally, as a substring
test.example.com          will also match testxexample.com, test.exampleycom, etc.
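The following Python model, added here as an illustration and not code from the article or from FortiOS, reproduces the flow-mode simple, proxy-mode simple, wildcard and regular-expression behaviours described in the sections above and checks them against the article's own example domains (the SAMPLE_DOMAINS list is constructed from those tables). Two assumptions are made explicit in the code: the proxy-mode simple filter is modelled as whole-label matching, which is one model that fits every row in the article's proxy-mode table but is not FortiOS's actual implementation, and Python's re module stands in for PCRE, which makes no difference for the patterns listed here. The `^\.fortinet\.com$` row is not modelled, because plain regex semantics alone do not produce the sub-domain behaviour the table describes for it. Running the block prints tables in the same shape as the article's.

```python
import re

# Constructed sample input: the domains used in the article's example tables.
SAMPLE_DOMAINS = [
    "fortinet.com", "fortunate.com", "www.fortinet.com", "docs.fortinet.com",
    "fakefortinet.com", "fortinet.community", "fortinet.com.fake.com",
    "not-fortinet.com", "docs.fortinet.com.fake.com",
]


def simple_flow_match(pattern: str, domain: str) -> bool:
    """Flow-mode simple filter: plain case-insensitive substring match."""
    return pattern.lower() in domain.lower()


def simple_proxy_match(pattern: str, domain: str) -> bool:
    """Proxy-mode simple filter, modelled here as whole-label matching.

    Assumption: the pattern's labels must appear as a contiguous run of complete
    labels in the queried name. This reproduces the article's examples
    (fakefortinet.com and fortinet.community do not match, fortinet.com.fake.com
    does) but is a model, not FortiOS's actual implementation.
    """
    want = pattern.lower().strip(".").split(".")
    have = domain.lower().strip(".").split(".")
    n = len(want)
    return any(have[i:i + n] == want for i in range(len(have) - n + 1))


def wildcard_to_regex(pattern: str) -> str:
    """Convert a wildcard filter to the regex the article describes: every literal
    character escaped, '*' replaced by '.*', and the whole expression wrapped in
    word-boundary tokens (\\b)."""
    literal_chunks = [re.escape(chunk) for chunk in pattern.split("*")]
    return r"\b" + ".*".join(literal_chunks) + r"\b"


def wildcard_match(pattern: str, domain: str) -> bool:
    """Wildcard filter: unanchored search with the converted regex."""
    return re.search(wildcard_to_regex(pattern), domain, re.IGNORECASE) is not None


def regex_match(pattern: str, domain: str) -> bool:
    """Regular-expression filter: unanchored search, so the filter author must add
    ^ and $ to pin the expression to the whole name. Python's re stands in for
    PCRE here; the article's patterns behave identically in both."""
    return re.search(pattern, domain, re.IGNORECASE) is not None


def evaluate(filter_type: str, pattern: str, domains, proxy_mode: bool = False) -> dict:
    """Return {domain: 'match' | 'no match'} for one filter, like the article's tables."""
    matchers = {
        "simple": simple_proxy_match if proxy_mode else simple_flow_match,
        "wildcard": wildcard_match,
        "regex": regex_match,
    }
    match = matchers[filter_type]
    return {d: ("match" if match(pattern, d) else "no match") for d in domains}


if __name__ == "__main__":
    for title, ftype, pat, proxy in [
        ("simple filter 'fortinet.com' (flow mode)", "simple", "fortinet.com", False),
        ("simple filter 'fortinet.com' (proxy mode)", "simple", "fortinet.com", True),
        ("wildcard filter '*.fortinet.com'", "wildcard", "*.fortinet.com", False),
        ("regex filter '^(.*\\.)*fortinet\\.com$'", "regex", r"^(.*\.)*fortinet\.com$", False),
    ]:
        print(f"\n{title}")
        for domain, result in evaluate(ftype, pat, SAMPLE_DOMAINS, proxy).items():
            print(f"  {domain:<28} {result}")
```

The practical lesson the model makes visible is the one the article's tables hint at: a flow-mode simple filter or a '*...*' wildcard is a substring test and will also hit look-alike names such as fakefortinet.com, so a filter intended for one domain and its sub-domains is safer written as the wildcard 'fortinet.com' form or the anchored regex '^(.*\.)*fortinet\.com$'.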