In this article:
    more blog
    Minimalist design for an article on choose firewall. The image features a list of firewall options with checkmarks, a magnifying glass highlighting a red shield with a padlock, and a brick wall on fire. The title 'How to Choose a Firewall' is prominently displayed in orange and blue.

    How to Choose a Firewall: The Ultimate Firewall Selection Guide for Businesses in 2026

    Minimalistic digital graphic illustrating the concept of Firewall Sizing with the title 'How to Choose the Right Firewall for Your Business', featuring a network appliance with a checkmarked shield, highlighting the importance of selecting the right firewall for business security.

    Firewall Sizing Guide for Businesses in 2025-2026

    Featured image representing Network Security Architecture with visual elements symbolizing firewall protection, secure network infrastructure, cloud security, and layered cyber defense for modern businesses.

    Network Security Architecture: A Complete Guide for Modern Businesses

    Network Security Best Practices checklist illustration showing secure business network, firewall protection, Zero Trust access, and cloud security concepts

    Best Network Security Practices for Businesses (Checklist + Zero Trust for Hybrid/Cloud)

    Fortinet DNS Filtering

    Fortinet DNS Filtering has emerged as a cornerstone of proactive network protection. Built on FortiGuard’s real-time threat intelligence, this feature, integrated directly into FortiGate next-generation firewalls (NGFWs), allows organizations to block malicious domains at the DNS layer before connections are even established. By intercepting DNS queries, Fortinet DNS Filtering prevents access to phishing sites, botnet command and control servers, newly observed domains (NODs), and other threats, all with minimal latency thanks to anycast routing to FortiGuard servers.

    According to Fortinet’s latest threat reports and FortiGuard Labs data from, DNS based attacks remain a primary vector for malware delivery and data exfiltration, with over 90% of malware campaigns leveraging DNS in some capacity. Forrester and EfficientIP studies highlight that 95% of organizations faced DNS related incidents in the past year, often resulting in significant downtime and costs averaging nearly $1 million per breach.

    This comprehensive guide is tailored for IT administrators, network engineers, security analysts, and CISOs managing FortiGate deployments. We’ll cover how Fortinet DNS Filtering works, its key features, step by step configuration (GUI and CLI), troubleshooting common issues, best practices, and comparisons to alternatives. By the end, you’ll have the knowledge to deploy and optimize this powerful tool effectively.

    share :
    A digital illustration depicting Fortinet DNS Filtering with a 3D globe, security icons like a shield, magnifying glass, and symbols of phishing threats. The Fortinet logo and DNS-linked domains like .com, .net, and .org are featured, with a Fortinet appliance protecting against cyber threats.

    What is Fortinet DNS Filtering and How Does It Work?

    Fortinet DNS Filtering is a native security profile in FortiGate firewalls (FortiOS 7.0 and later, with enhancements in 7.6.x) that leverages FortiGuard’s secure DNS (SDNS) service. When enabled in a firewall policy, FortiGate inspects DNS queries passing through it, querying FortiGuard for domain ratings in real-time.

    How it works:

    •  DNS queries are intercepted (no need to set FortiGate as the client’s DNS resolver, traffic just needs to traverse the firewall).
    •  FortiGuard categorizes domains across 92+ categories (e.g., Malware, Phishing, Parked Domains, Newly Registered/Observed Domains).
    •  Actions: Allow, Block, Monitor, or Warn based on policy.
    •  Blocked queries return a redirect to a customizable block page or NXDOMAIN.
    •  Supports encrypted DNS inspection (DoT/DoH/DoQ in FortiOS 7.4+) with deep SSL inspection.

    Unlike traditional web filtering (which inspects HTTP/S traffic), DNS filtering solution acts earlier at resolution reducing resource usage and blocking threats faster. In proxy mode, the DNS proxy daemon handles it; in flow mode, the IPS engine does.

     

    Fortinet DNS Filtering : Features, Configuration Guide, and Best Practices

    Key Features and Benefits of Fortinet DNS Filtering

    Fortinet DNS Filtering stands out for its seamless integration with the FortiGate ecosystem. Key features include:

    • FortiGuard Category Based Filtering; 92 categories with actions (block/allow/monitor/warn).
    • Botnet C&C Blocking; Automatically blocks known command and control domains.
    •  Newly Observed/Registered Domains (NOD/NRD); Flags potentially malicious new domains for caution (common source of false positives, but highly effective against zero day threats).
    •  Safe Search Enforcement; For Google, Bing, YouTube.
    •  Local/Static Domain Filters; Custom allow/block lists.
    •  External Blocklists; Integrate third party feeds (domains or IPs).
    •  DNS Translation; Map domains to alternative IPs (useful for internal redirects).
    •  Encrypted DNS Support; Inspect DoT/DoH/DoQ with SSL deep inspection.
    •  Low Latency; Global anycast network for fast ratings.
    •  Visibility; DNS query logs in FortiAnalyzer/FortiGate GUI.

    Benefits:

    •  Proactive protection: Blocks threats before TCP connections.
    •  Reduced false positives with AI/ML categorization from FortiGuard Labs.
    •  Compliance support (e.g., CIPA for education, GDPR privacy).
    •  Cost effective: Bundled with FortiGuard Web Filtering license, no separate subscription needed for basic DNS.

    Compared to standalone solutions, Fortinet’s native integration means unified management via Security Fabric, no additional appliances, and high performance even on mid-range FortiGate models.

     

    Step by Step Configuration Guide for Fortinet DNS Filtering

    Configuring Fortinet DNS Filtering is straightforward in FortiOS 7.6.x. Prerequisites: Valid FortiGuard Web Filtering license (shares with DNS rating service) and FortiOS 7.2+.

    GUI Configuration

    1. Enable Feature Visibility (if needed): System > Feature Visibility > Enable DNS Filter.

    2. Create DNS Filter Profile:

    •  Go to Security Profiles > DNS Filter > Create New.
    •  Enable FortiGuard category based filter.
    •  Select categories and actions (e.g., Block for Malware/Phishing, Monitor for Social Networking).
    •  Enable Block botnet C&C connections.
    •  Optionally enable Safe Search and External Blocklists.

    3. Applyto Firewall Policy:

    •  Policy & Objects > Firewall Policy > Edit/Create policy.
    •  Under Security Profiles, enable DNS Filter and select your profile.
    •  (Note: DNS filter takes precedence over web filter if both enabled.)

    4. Custom Block Page (Optional):

    •  System > Replacement Messages > Edit DNS block page.
    config dnsfilter profile
    edit “enterprise dns filter”
    set comment “Enterprise DNS Filtering Profile”
    config ftgd-dns
    set options error-allow
    config filters
    edit 1
    set category 2 # Malware
    set action block
    next
    edit 2
    set category 7 # Phishing
    set action block
    next
    edit 3
    set category 65 # Newly Observed Domains
    set action monitor # Or warn to avoid false positives
    next
    end
    end
    set block-botnet enable
    next
    end

    Apply to policy:

    config firewall policy
    edit 1
    set srcintf “internal”
    set dstintf “wan”
    set srcaddr “all”
    set dstaddr “all”
    set action accept
    set schedule “always”
    set service “ALL”
    set dnsfilter-profile “enterprise-dns-filter”
    next
    end

    Advanced: External blocklist and local domains.

    For troubleshooting connectivity:

    diagnose test application dnsproxy 3 # Check SDNS server status
    diagnose debug application dnsproxy -1 # Enable debug

    Common Issues and Troubleshooting for Fortinet DNS Filtering

    Common problems deployments:

    • False Positives with NOD/NRD; Legitimate sites (e.g., Zoom, Microsoft) flagged as “Newly Observed.” Solution: Set NOD to Monitor/Warn or disable; whitelist specific domains.
    •  Rating Errors; No response from FortiGuard. Check license, ping SDNS servers (e.g., execute ping 208.91.112.220), diagnose test application dnsproxy 99.
    •  Block Page Certificate Errors; Browser warnings on redirect. Use deep SSL inspection or custom cert.
    •  DoH/DoT Bypass; Clients using encrypted DNS evade filtering. Enable DoH inspection policy with SSL deep inspection.
    •  Latency; Rare, but check anycast routing.

    Troubleshooting commands:

    •  `diagnose debug application dnsproxy -1`
    •  `execute log filter category utm-dns`
    •  `execute log display`

    Best practice: Start with Monitor action for new categories to baseline traffic.

    Fortinet DNS Filtering vs Alternatives

    Feature Fortinet DNS Filtering Cisco Umbrella DNSFilter
    Integration with NGFW Native (FortiGate) Cloud-only (requires redirection) Cloud-only
    Latency Low (anycast + on-prem) Low Medium
    Encrypted DNS Inspection Yes (DoT/DoH/DoQ with SSL) Yes Partial
    Cost Bundled with FortiGuard license Separate subscription Subscription
    False Positive Management Good (NOD tunable) Excellent Good
    Reporting FortiAnalyzer integration Strong dashboard Strong

    Fortinet excels in unified environments; Umbrella for pure cloud/SASE.

    Conclusion & Next Steps

    Fortinet DNS Filtering provides robust, integrated protection against DNS-based threats , combining real-time intelligence with easy configuration on FortiGate. By following this guide, you can deploy effective filtering while minimizing disruptions. For enterprise deployments, explore our FortiGate Firewalls range or contact us as an authorized Fortinet distributor for licensing and support.

    Contact Us Today!
    • Email: sales@netwisetech.ae
    • Call: +97145709666
    • Live Chat: Available on our site

    Leave a Reply

    Your email address will not be published. Required fields are marked *