
Blocking packets that contain a string within a Fortigate unit, like DNS lookups

Our transparent proxy works in such a way that the built-in filtering daemon effectively blackholes DNS lookups for sites that match certain categories.  In effect, when a client accesses https://gmail.com, any sessions to the IPs of gmail.com are blocked, since I block web mail.  This is good.

There is one case where our transparent proxy does not blackhole the DNS: youtube.com.  Why?

C:\>nslookup youtube.com
Server:  dnsserver.local
Address:  192.168.100.111

Non-authoritative answer:
Name:    youtube.com
Addresses:  74.125.228.65, 74.125.228.66, 74.125.228.67, 74.125.228.68
          74.125.228.69, 74.125.228.70, 74.125.228.71, 74.125.228.72, 74.125.228.73
          74.125.228.78, 74.125.228.64

C:\>nslookup google.com
Server:  dnsserver.local
Address:  192.168.100.111

Non-authoritative answer:
Name:    google.com
Addresses:  74.125.228.78, 74.125.228.64, 74.125.228.65, 74.125.228.66
          74.125.228.67, 74.125.228.68, 74.125.228.69, 74.125.228.70, 74.125.228.71
          74.125.228.72, 74.125.228.73

As the lookups above show, youtube.com resolves to the same address pool as google.com, so blackholing those IPs would take Google down with it.  So, the solution I found, although not flawless since a client could modify the HTTP request header or its HOSTS file, is to actually drop DNS packets containing the string “youtube” at our Fortigate instead.

I do this by creating an IPS UTM policy per VDOM and applying it to the firewall policy that controls access to public DNS:

config ips custom
    edit "Youtube.DNS-Block"
        set signature "F-SBID( --name \"Youtube.DNS-Block\"; --protocol udp; --service DNS; --flow from_client; --byte_test 1,<,128,2; --pattern \"youtube\"; --context host; --no_case; )"
    next
end

If you want to block DNS or other protocols, I suggest you read more about creating customized IPS signatures in the FortiOS Handbook on custom IPS signature syntax and keywords. I’m surprised there isn’t more of a community-driven custom definition collection.

To block google drive lookups:

F-SBID( --name "Google_Drive.DNS-Block"; --protocol udp; --service DNS; --flow from_client; --byte_test 1,<,128,2; --pattern "drive.google.com"; --context host; --no_case; )

To block google music lookups:

F-SBID( --name "Google_Music.DNS-Block"; --protocol udp; --service DNS; --flow from_client; --byte_test 1,<,128,2; --pattern "music.google.com"; --context host; --no_case; )
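To make clear what these signatures actually test, here is a small Python model of the match, added as an illustration; it is not code from this post or from Fortinet. It builds constructed DNS query packets (not captured traffic), checks the same two conditions the F-SBID expresses, the byte_test on the flags byte (only client queries, QR bit clear) and a case-insensitive substring match on the question name, and reports which samples would fire. It assumes that --context host matches against the decoded dotted hostname rather than the raw wire bytes, which is the only reading under which a dotted pattern like "drive.google.com" can match at all, since on the wire the dots are label-length bytes.

```python
import struct

# --- constructed sample traffic (not real captures) ---------------------------

def build_query(name: str, txid: int = 0x1234, qr: int = 0) -> bytes:
    """Build a minimal DNS message with one A/IN question.

    qr=0 is a client query, qr=1 a server response (constructed test input)."""
    flags = (qr << 15) | 0x0100          # QR bit plus RD (recursion desired)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # qdcount = 1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)          # QTYPE A, QCLASS IN


def decode_qname(msg: bytes, offset: int = 12) -> str:
    """Decode the label-encoded question name that starts right after the header."""
    labels = []
    while True:
        n = msg[offset]
        if n == 0:
            break
        if n & 0xC0:
            # compression pointers are legal in answers but not expected in a question
            raise ValueError("compressed name in question section")
        offset += 1
        labels.append(msg[offset:offset + n].decode("ascii"))
        offset += n
    return ".".join(labels)


def signature_matches(msg: bytes, pattern: str) -> bool:
    """Model of the F-SBID: a from_client DNS query whose hostname contains pattern."""
    if len(msg) < 13:
        return False                     # too short to carry a header plus a name
    # --byte_test 1,<,128,2 : the 1-byte value at offset 2 (high byte of the flags
    # field) must be < 128, i.e. the QR bit is clear, so only queries match and a
    # response that happens to carry the string elsewhere does not.
    if not msg[2] < 128:
        return False
    # --context host; --pattern ...; --no_case : case-insensitive substring match on
    # the question name. ASSUMPTION: the IPS compares against the decoded dotted
    # hostname, not the raw wire bytes (where "." is a length byte).
    try:
        host = decode_qname(msg)
    except (ValueError, IndexError):
        return False                     # malformed name: no match rather than a crash
    return pattern.lower() in host.lower()


def evaluate(samples, pattern: str) -> dict:
    """Run the modelled signature over (label, packet) pairs; returns label -> matched."""
    return {label: signature_matches(pkt, pattern) for label, pkt in samples}


SAMPLES = [
    ("query www.youtube.com",        build_query("www.youtube.com")),
    ("query WWW.YOUTUBE.COM",        build_query("WWW.YOUTUBE.COM")),
    ("response for www.youtube.com", build_query("www.youtube.com", qr=1)),
    ("query drive.google.com",       build_query("drive.google.com")),
    ("query docs.google.com",        build_query("docs.google.com")),
]

if __name__ == "__main__":
    for pattern in ("youtube", "drive.google.com"):
        print(f"pattern {pattern!r}:")
        for label, hit in evaluate(SAMPLES, pattern).items():
            print(f"  {'DROP' if hit else 'pass':4}  {label}")
```

The two things worth noticing are that the byte_test is what keeps the rule on the query side of the exchange, and that a substring match on "youtube" also catches names such as m.youtube.com or youtubei.googleapis.com, which may or may not be what you want; a longer pattern like the google drive one is narrower but only works if the hostname is compared in decoded form.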
  1. bep
    July 10, 2013 at 10:40 am

    Good article. Thanks.

    • July 10, 2013 at 9:27 pm

      No problem. I’ve been meaning to dive deeper into this, and the DNS blocking thing is really a poor move. But, I suppose it is better than nothing, particularly if you can’t perform packet inspection.

  2. Aylmer Tan
    October 19, 2016 at 2:33 am

    Same. Not working either. Only upgrading to the latest patch works.
