Forcing SafeSearch on Google with FortiGate Firewall DNS

Here is an interesting situation I ran into recently: how do you force SafeSearch on Google for a guest network when you have no DNS server, no SSL decryption and no separate proxy server, just a firewall (a FortiGate)? The approach uses the FortiGate's built-in web filter together with a local DNS database; the local database is needed because the FortiGate does not support CNAMEs. It is not perfect, but it makes adult content harder to reach. It is also quite a bit better than blocking all images from Google (encryptedtbn0.gstatic.com), because the first few rows of an image search are Base64-encoded inline and are not loaded from encryptedtbn0.gstatic.com. Bing is similar: if you are a school you can register your public IP to force strict.bing.com, and otherwise a comparable DNS option would be available. At the end of this document are the scripts for each Google country subdomain and the possible ways to bypass these DNS settings.

  1. Set up your Guest outbound policy. We will modify it so it only allows HTTP and HTTPS access. You could also allow everything but put a DNS block above the policy; otherwise, users can just specify an external DNS server and bypass your work.
  2. Change the DHCP server to hand out the FortiGate interface IP as the DNS server. If DHCP runs on the FortiGate, this is found on the interface at Network > Interfaces.
  3. Go to System > Feature Visibility and enable DNS Database.
  4. Next, go to Network > DNS Servers and select Create New for the DNS Service on Interface.
  5. Select the interface from the drop-down and select the mode as Recursive. If you have FortiGuard services, you can also apply a DNS filter profile. Here are descriptions of each of these options:
    1. Forward – This just sends the request off to the configured DNS servers.
    2. Non-Recursive – This only uses the configured database and drops unresolved queries.
    3. Recursive – This uses the configured database first, and then sends on unresolved queries to the system configured DNS servers.
  6. Next, take the attached script and enter it on the firewall under System > Advanced > Configuration Scripts.
    1. FortiGate Google DNS Settings
    2. Sample for Google.com:
  7. Run the following command from CLI to view your DNS records.
    diagnose test application dnsproxy 8
  8. Set the DHCP server to give out the interface IP for DNS. If you use the FortiGate for DHCP, just go to Network > Interfaces and edit the interface that carries the Guest network.
  9. Hop on the Guest network and try searching on Google. It should now force safe search. You can also verify this by running “nslookup google.com”.
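The generator below is an added example, not the post's attached script: it emits FortiOS `config system dns-database` blocks of the kind step 6 loads, one shadow-view master zone per Google domain, using plain A records because the post notes the FortiGate does not support CNAMEs. The SafeSearch IP is a labelled placeholder (resolve forcesafesearch.google.com yourself), the three-domain list is a constructed sample of the full supported_domains list, and the CLI keywords follow FortiOS 5.x/6.x syntax, so check them against your firmware's CLI reference.

```python
# Added example: builds a FortiOS DNS-database script for the SafeSearch trick.
# Not the original post's script; CLI syntax assumed from FortiOS 5.x/6.x.

# PLACEHOLDER (TEST-NET-3), not the real address: replace with the A record you
# get from resolving forcesafesearch.google.com (see the Google support link).
SAFESEARCH_IP = "203.0.113.10"

# Constructed sample; the full list is at https://www.google.com/supported_domains
SAMPLE_DOMAINS = [".google.com", ".google.co.uk", ".google.de"]


def zone_name(domain: str) -> str:
    """supported_domains uses a leading dot; FortiOS wants a bare zone name."""
    return domain.strip().lstrip(".").lower()


def dns_database_block(domain: str, ip: str, hosts=("www",), ttl: int = 86400) -> str:
    """One master zone in the shadow view with a plain A record per host.

    Shadow view means only clients using this interface's DNS service get
    these answers; recursive mode forwards every other name upstream.
    """
    zone = zone_name(domain)
    out = [
        "config system dns-database",
        f'    edit "{zone}"',
        f'        set domain "{zone}"',
        "        set type master",
        "        set view shadow",
        f"        set ttl {ttl}",
        "        set authoritative enable",
        "        config dns-entry",
    ]
    for idx, host in enumerate(hosts, start=1):
        out += [f"            edit {idx}", "                set type A",
                f'                set hostname "{host}"',
                f"                set ip {ip}", "            next"]
    out += ["        end", "    next", "end"]
    return "\n".join(out)


def fortigate_script(domains, ip: str = SAFESEARCH_IP) -> str:
    """Whole script for System > Advanced > Configuration Scripts: one zone per
    domain, deduplicated so repeated entries do not create duplicate objects."""
    seen, blocks = set(), []
    for d in domains:
        z = zone_name(d)
        if z and z not in seen:
            seen.add(z)
            blocks.append(dns_database_block(z, ip))
    return "\n".join(blocks) + "\n"


if __name__ == "__main__":
    print(fortigate_script(SAMPLE_DOMAINS))
```

After loading the output, `diagnose test application dnsproxy 8` from step 7 should list each zone with the placeholder replaced by the real address.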

Bypass Google Safe Search:

  1. Manually visit google by looking up the IP address. This can be accomplished at a site like dnschecker.org. The site should still be allowed, however, you may receive certificate warnings.
  2. If you do not block DNS outbound, just manually configure an external DNS server like 8.8.8.8 or 8.8.4.4.

Sources:

https://www.google.com/supported_domains
https://support.google.com/websearch/answer/186669?hl=en
https://support.opendns.com/hc/en-us/articles/227986807-How-to-Enforcing-Google-SafeSearch-YouTube-and-Bing
https://help.bingads.microsoft.com/apex/index/18/en-US/10003
http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-networking-54/DNS%20Services/DNS%20Servers.htm