Botnet C&C domain blocking

FortiGuard Service continually updates the botnet C&C domain list (the Domain DB). Botnet C&C domain blocking uses that list to stop access to botnet sites at the DNS name-resolution stage: when a host behind the FortiGate looks up a listed domain, the DNS filter answers the query itself instead of returning the domain's real address, so the malware never learns where its controller is. This adds a layer of protection that does not depend on inspecting the later HTTP or TLS connection.

To configure botnet C&C domain blocking in the GUI:

  1. Go to Security Profiles > DNS Filter and edit or create a DNS Filter.
  2. Enable Redirect botnet C&C requests to Block Portal.
  3. Click the botnet package link to see the latest botnet C&C domain list.

Sample

To see how this works, pick a domain from that list. Then, from a PC on the internal network whose DNS traffic traverses the FortiGate through a policy with the DNS filter profile applied, send a query for it with a command-line tool such as dig or nslookup. The query is not refused: it is answered with status NOERROR and an A record that points at the block portal address rather than at the domain's real address, so a client that follows the answer lands on the portal page. For example:

# dig canind.co

;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 997
;; Flags: qr rd; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 0

;; QUESTION SECTION:
;; canind.co.                   IN      A

;; ANSWER SECTION:
canind.co.   60    IN    A    208.91.112.55    <<<==== botnet domain query blocked, redirect with portal-IP.

;; Received 43 B

;; Time 2019-04-05 09:55:21 PDT
;; From 172.16.95.16@53(UDP) in 0.3 ms
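The same check can be scripted so that a list of domains can be tested from an internal host without reading dig output by eye. The Python below is an added example for this page, not FortiOS or Fortinet code: it builds a minimal DNS A query, sends it to the resolver seen in the sample (172.16.95.16, an assumption for your network), parses the A records in the reply, and reports whether the filter answered with the portal address (208.91.112.55 in the sample above, also an assumption) or let the name resolve. The build_response helper only exists to construct a sample reply offline; it is not something the FortiGate exposes.

```python
"""
Check whether a domain resolves to the FortiGate DNS-filter block portal.

Added example for this page (not FortiOS code). It builds a minimal DNS A
query, sends it to a resolver behind the FortiGate, and reports whether the
answer is the redirect-portal address shown in the dig sample. The portal
address and resolver are taken from that sample and are assumptions here.
"""
import socket
import struct

PORTAL_IP = "208.91.112.55"   # assumption: the redirect address seen in the sample
RESOLVER = "172.16.95.16"     # assumption: the resolver used in the sample
QTYPE_A = 1
QCLASS_IN = 1


def build_query(domain: str, txid: int = 0x03E5) -> bytes:
    """Build a standard recursive A query (RD set, no EDNS)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in domain.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def build_response(query: bytes, addrs: list, ttl: int = 60) -> bytes:
    """Construct a reply to `query` carrying the given A records (test data only).
    Each answer uses a compression pointer (0xC00C) back to the question name."""
    txid, _, qdcount, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    header = struct.pack("!HHHHHH", txid, 0x8180, qdcount, len(addrs), 0, 0)
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4) + socket.inet_aton(a)
        for a in addrs
    )
    return header + query[12:] + answers


def skip_name(msg: bytes, offset: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return offset + 2
        offset += 1
        if length == 0:
            return offset
        offset += length


def parse_a_records(msg: bytes) -> list:
    """Return the IPv4 addresses of the A records in a DNS response."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):
        offset = skip_name(msg, offset) + 4          # skip qtype + qclass
    addrs = []
    for _ in range(ancount):
        offset = skip_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_A and rclass == QCLASS_IN and rdlen == 4:
            addrs.append(socket.inet_ntoa(rdata))
    return addrs


def classify(addrs: list, portal_ip: str = PORTAL_IP) -> str:
    """'redirected' when every A record is the portal, 'resolved' otherwise."""
    if not addrs:
        return "no-answer"
    return "redirected" if all(a == portal_ip for a in addrs) else "resolved"


def query_a(domain: str, resolver: str = RESOLVER, timeout: float = 2.0) -> list:
    """Send the query over UDP through the FortiGate and return the answer's A records."""
    query = build_query(domain)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver, 53))
        reply, _ = sock.recvfrom(4096)
    if reply[:2] != query[:2]:
        raise ValueError("transaction id mismatch")
    return parse_a_records(reply)


if __name__ == "__main__":
    import sys
    for name in sys.argv[1:] or ["canind.co"]:
        answer = query_a(name)
        print(name, answer, classify(answer))
```

Run it with one or more domains from the botnet package list; a result of "redirected" means the filter intercepted the lookup, while "resolved" means the query reached a real resolver, which usually points at the host using a resolver that bypasses the policy carrying the DNS filter profile. The constructed reply for canind.co is 43 bytes, the same size the dig sample reports.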

To check the DNS filter log in the GUI:

  1. Go to Log & Report > DNS Query to view the DNS query blocked as a botnet domain.

To check the DNS filter log in the CLI:

FGT600D (vdom1) # exe log filter category utm-dns

FGT600D (vdom1) # exe log display
2 logs found.
2 logs returned.

1: date=2019-04-04 time=16:43:59 logid="1501054601" type="utm" subtype="dns" eventtype="dnsresponse" level="warning" vd="vdom1" eventtime=1554421439 policyid=1 sessionid=14135 srcip=10.1.100.18 srcport=57447 srcintf="port10" srcintfrole="undefined" dstip=172.16.95.16 dstport=53 dstintf="port9" dstintfrole="undefined" proto=17 profile="demo" xid=24339 qname="canind.co" qtype="A" qtypeval=1 qclass="IN" msg="Domain was blocked by dns botnet C&C" action="redirect" botnetdomain="canind.co"

2: date=2019-04-04 time=16:43:59 logid="1500054000" type="utm" subtype="dns" eventtype="dnsquery" level="information" vd="vdom1" eventtime=1554421439 policyid=1 sessionid=14135 srcip=10.1.100.18 srcport=57447 srcintf="port10" srcintfrole="undefined" dstip=172.16.95.16 dstport=53 dstintf="port9" dstintfrole="undefined" proto=17 profile="demo" xid=24339 qname="canind.co" qtype="A" qtypeval=1 qclass="IN"

The two records belong to one lookup: the dnsquery entry (logid 1500054000) records the question, and the dnsresponse entry (logid 1501054601) records the verdict, with action="redirect" and botnetdomain naming the matched entry. They share sessionid and xid (the DNS transaction ID), which is how the two sides of a lookup can be joined when the logs are exported to a SIEM.
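When these logs are forwarded to a SIEM or pulled over the API, the interesting events are the dnsresponse records that carry botnetdomain, joined to their dnsquery record by sessionid and xid. The Python below is an added example for this page, not Fortinet code. The first two sample lines are the records from the CLI output above (straight quotes, and the source-address field written as srcip, the name FortiOS emits); the third is a constructed benign lookup for example.com added to show that ordinary queries are ignored.

```python
"""
Extract botnet C&C redirects from FortiOS utm-dns log lines.

Added example for this page, not Fortinet code. Records 1 and 2 are the
sample log lines from the page; record 3 is constructed (a benign lookup)
so the filter has something to ignore.
"""
import re
from collections import Counter

SAMPLE_LOGS = """\
1: date=2019-04-04 time=16:43:59 logid="1501054601" type="utm" subtype="dns" eventtype="dnsresponse" level="warning" vd="vdom1" eventtime=1554421439 policyid=1 sessionid=14135 srcip=10.1.100.18 srcport=57447 srcintf="port10" srcintfrole="undefined" dstip=172.16.95.16 dstport=53 dstintf="port9" dstintfrole="undefined" proto=17 profile="demo" xid=24339 qname="canind.co" qtype="A" qtypeval=1 qclass="IN" msg="Domain was blocked by dns botnet C&C" action="redirect" botnetdomain="canind.co"
2: date=2019-04-04 time=16:43:59 logid="1500054000" type="utm" subtype="dns" eventtype="dnsquery" level="information" vd="vdom1" eventtime=1554421439 policyid=1 sessionid=14135 srcip=10.1.100.18 srcport=57447 srcintf="port10" srcintfrole="undefined" dstip=172.16.95.16 dstport=53 dstintf="port9" dstintfrole="undefined" proto=17 profile="demo" xid=24339 qname="canind.co" qtype="A" qtypeval=1 qclass="IN"
3: date=2019-04-04 time=16:44:02 logid="1500054000" type="utm" subtype="dns" eventtype="dnsquery" level="information" vd="vdom1" eventtime=1554421442 policyid=1 sessionid=14140 srcip=10.1.100.18 srcport=57448 srcintf="port10" srcintfrole="undefined" dstip=172.16.95.16 dstport=53 dstintf="port9" dstintfrole="undefined" proto=17 profile="demo" xid=24340 qname="example.com" qtype="A" qtypeval=1 qclass="IN"
"""

# key=value pairs; quoted values may contain spaces (e.g. msg="Domain was blocked ...")
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_log_line(line: str) -> dict:
    """Split one FortiOS log line into a dict of field -> string value."""
    line = re.sub(r"^\s*\d+:\s+", "", line)        # drop the "N: " prefix from exe log display
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}


def botnet_redirects(log_text: str) -> list:
    """One alert per botnet C&C verdict, joined to its query by (sessionid, xid)."""
    records = [parse_log_line(l) for l in log_text.splitlines() if l.strip()]
    queries = {
        (r.get("sessionid"), r.get("xid")): r
        for r in records if r.get("eventtype") == "dnsquery"
    }
    alerts = []
    for r in records:
        if r.get("eventtype") != "dnsresponse" or not r.get("botnetdomain"):
            continue
        matching_query = queries.get((r.get("sessionid"), r.get("xid")))
        alerts.append({
            "time": f'{r["date"]} {r["time"]}',
            "src": f'{r["srcip"]}:{r["srcport"]}',
            "domain": r["botnetdomain"],
            "qtype": r.get("qtype"),
            "action": r.get("action"),
            "policyid": r.get("policyid"),
            "profile": r.get("profile"),
            "query_seen": matching_query is not None,
        })
    return alerts


def hosts_by_hits(alerts: list) -> dict:
    """Count redirects per source host: repeat offenders are the infected machines."""
    return dict(Counter(a["src"].split(":")[0] for a in alerts))


if __name__ == "__main__":
    found = botnet_redirects(SAMPLE_LOGS)
    for alert in found:
        print(alert)
    print(hosts_by_hits(found))
```

The redirect record alone is enough to raise an alert; the join to the dnsquery record is there so a detection rule can confirm the verdict belongs to a query actually seen on the policy rather than to a replayed or duplicated log line. Feed hosts_by_hits the alerts over a day and the hosts with many hits are the ones to pull for incident response, since a blocked lookup proves the host tried to reach a controller even though the connection never succeeded.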



This entry was posted in Administration Guides, FortiGate, FortiOS 6.2.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
