Chapter 1 What’s New for FortiOS 5.0 : Security Features : DNS web filtering
  
DNS web filtering
A DNS request is typically the first part of any new session to a new website. DNS web filtering takes advantage of this by including the website category in DNS responses. When a FortiGate unit resolves a URL, it receives a rating in addition to the IP address of the website.
DNS web filtering uses the same categories as FortiGuard Web Filtering and requires you to configure your FortiGate unit to use FortiGuard DNS as its DNS server. DNS web filtering is lightweight in terms of resource usage because it doesn't involve any actual content inspection.
DNS web filtering provides reduced functionality compared to proxy and flow-based web filtering. DNS web filtering does not support:
Quotas
Setting web filter categories to Warning or Authenticate (Allow, Monitor and Block are supported)
Safe Search
URL only scanning for HTTPS
Advanced filtering options such as web content filtering, web resume download blocking, blocking invalid URLs, HTTP post action options, Java applet filtering, ActiveX filtering, cookie filtering, image rating, allowing websites when a rating error occurs and blocking HTTP redirects by rating
To configure your FortiGate unit to use DNS web filtering, start by going to System > Network > DNS and under DNS Settings, make sure Use FortiGuard Servers is selected and select Apply.
Go to Security Profiles > Web Filter > Profiles and edit a web filtering profile or create a new one. Set Inspection Mode to DNS. Then you can set DNS action to Block or Redirect. If you select Redirect, every time a web page is blocked by DNS web filtering the URL is redirected to a web page on the FortiGuard network that displays a block message. If you select Block, the page is blocked and the user's web browser displays an error message or the connection attempt times out.
Set the FortiGuard web filtering categories as required. You can configure DNS web filtering to block, allow and monitor web pages in each FortiGuard category. Select Apply to save the profile.
Figure 33: DNS web filtering profile
Go to Policy > Policy > Policy and create or edit a security policy, enable web filtering and select the web filtering profile that you configured for DNS web filtering.
All HTTP traffic accepted by the policy will be inspected by DNS web filtering.
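A check to run before switching an existing profile to DNS inspection mode, covering the unsupported features and the supported category and DNS actions described above. This is an added example, not Fortinet code; the profile dictionary layout, its key names and the sample values are hypothetical and constructed for illustration.

```python
# Added example: pre-migration check for moving a web filter profile to DNS
# inspection mode. The profile layout and key names are hypothetical.

DNS_CATEGORY_ACTIONS = {"allow", "monitor", "block"}  # Warning/Authenticate excluded
DNS_ACTIONS = {"block", "redirect"}

# Features the page lists as unsupported in DNS mode (hypothetical key names).
UNSUPPORTED_FEATURES = {
    "quotas": "Quotas",
    "safe_search": "Safe Search",
    "https_url_only_scan": "URL only scanning for HTTPS",
    "web_content_filter": "Web content filtering",
    "block_invalid_urls": "Blocking invalid URLs",
    "allow_on_rating_error": "Allowing websites when a rating error occurs",
    "block_redirects_by_rating": "Blocking HTTP redirects by rating",
}


def check_dns_mode(profile):
    """Return the settings in `profile` that DNS web filtering cannot honour."""
    findings = []
    dns_action = profile.get("dns_action")
    if dns_action not in DNS_ACTIONS:
        findings.append(f"dns_action {dns_action!r}: must be block or redirect")
    # Category actions: only Allow, Monitor and Block exist in DNS mode.
    for category, action in sorted(profile.get("categories", {}).items()):
        if action.lower() not in DNS_CATEGORY_ACTIONS:
            findings.append(
                f"category {category!r}: action {action!r} not supported, "
                "choose allow, monitor or block")
    # Any enabled feature from the unsupported list needs a decision by the admin.
    for key, label in UNSUPPORTED_FEATURES.items():
        if profile.get(key):
            findings.append(f"{label}: configured but not supported in DNS mode")
    return findings


# Constructed sample profile, as it might look before the switch.
SAMPLE_PROFILE = {
    "name": "office-web",
    "dns_action": "redirect",
    "categories": {"Gambling": "block", "Social Networking": "warning",
                   "Streaming Media": "authenticate", "News": "monitor"},
    "quotas": {"Streaming Media": "30m"},
    "safe_search": True,
    "block_invalid_urls": False,
}

if __name__ == "__main__":
    print("\n".join(check_dns_mode(SAMPLE_PROFILE)))
```

The check only reports; it does not pick a replacement for a Warning or Authenticate category, because choosing Allow, Monitor or Block there is a policy decision.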