Tuesday, August 23, 2022

Fortigate -> Configure PiHole (like) DNS Setup


I hate ads.

FortiGate can pull in external block lists, so I set out to find suitable lists and configure it to behave much like Pi-hole.

Core Steps
  • Add external filter lists
  • Set up a DNS filter, block the external filter lists
  • Set up a DNS server on the Fortigate with the DNS filter enabled

External lists

Add the external lists. This example uses eight lists, a mix of advertising and tracker domains: seven domain lists and one address list.
  • SSH to Fortigate.
  • At the CLI you can paste the following:

config system external-resource
    edit "Disconnect-Ad-Filter"
        set type domain
        set category 194
        set resource "https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt"
        set refresh-rate 60
    next
    edit "AdGuard"
        set type domain
        set category 192
        set resource "https://v.firebog.net/hosts/AdguardDNS.txt"
        set refresh-rate 60
    next
    edit "Firebog"
        set type domain
        set category 193
        set resource "https://v.firebog.net/hosts/Easylist.txt"
        set refresh-rate 60
    next
    edit "Firebog-Privacy"
        set type domain
        set category 195
        set resource "https://v.firebog.net/hosts/Easyprivacy.txt"
        set refresh-rate 60
    next
    edit "Fireblog-Admiral"
        set type domain
        set category 196
        set resource "https://v.firebog.net/hosts/Admiral.txt"
        set refresh-rate 60
    next
    edit "Fireblog-Privacy-2"
        set type domain
        set category 197
        set resource "https://v.firebog.net/hosts/Prigent-Ads.txt"
        set refresh-rate 60
    next
    edit "OISD"
        set type domain
        set category 198
        set resource "https://dbl.oisd.nl/"
        set refresh-rate 60
    next
    edit "OISD-IP"
        set type address
        set resource "https://hosts.oisd.nl/"
        set refresh-rate 60
    next
end
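As an added example (my own code, not from the original post), here is a small Python helper to sanity-check lists before pointing a domain-type external resource at them. It normalizes the two formats used above (plain one-domain-per-line files such as simple_ad.txt, and hosts-file style entries such as hosts.oisd.nl), drops the sink address and hosts-file boilerplate, reports lines that are neither (Adblock-syntax rules, malformed names) so you know what a domain-type resource would have nothing to match, and merges lists so you can see how many unique domains overlapping lists really add. The hostname regex, the noise set and the sample content are my assumptions, not FortiGate's parser or real list data.

```python
import re
# Hosts-file boilerplate names (never block candidates) and the sink addresses such lists use.
HOSTS_FILE_NOISE = {"localhost", "localhost.localdomain", "local", "broadcasthost", "ip6-localhost",
                    "ip6-loopback", "ip6-localnet", "ip6-mcastprefix", "ip6-allnodes", "ip6-allrouters"}
SINK_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::", "::1"}
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"  # RFC 1123 style label (assumption, not FortiGate's parser)
_HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")

def normalize_blocklist(text: str) -> tuple[set[str], list[str]]:
    """Return (domains, rejected) for a plain domain list or a hosts-file style list.
    rejected = raw lines that are neither a bare domain nor a hosts entry (Adblock rules etc.)."""
    domains: set[str] = set()
    rejected: list[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()  # drop comments and surrounding whitespace
        if not line:
            continue
        fields = line.split()
        if len(fields) >= 2 and fields[0] in SINK_ADDRESSES:
            candidates = fields[1:]  # "0.0.0.0 ads.example.com [alias ...]"
        elif len(fields) == 1:
            candidates = fields  # plain one-domain-per-line form
        else:
            rejected.append(raw)
            continue
        for cand in candidates:
            if cand in HOSTS_FILE_NOISE:
                continue
            if _HOSTNAME_RE.match(cand):
                domains.add(cand)
            else:
                rejected.append(raw)
    return domains, rejected

def merge_lists(lists: dict[str, str]) -> tuple[set[str], dict[str, list[str]]]:
    """Normalize every list; return the union of domains and the rejected lines per list."""
    merged: set[str] = set()
    rejected: dict[str, list[str]] = {}
    for name, text in lists.items():
        domains, bad = normalize_blocklist(text)
        merged |= domains
        if bad:
            rejected[name] = bad
    return merged, rejected

# Constructed sample content in the two formats the lists above use (not real list data).
SAMPLE_LISTS = {
    "domain-style": "# one per line\nads.example.com\ntracker.example.net\nads.example.com\n",
    "hosts-style": "127.0.0.1 localhost\n0.0.0.0 ads.example.com\n0.0.0.0 telemetry.example.org  # inline comment\n||adblock-rule.example^\n",
}
```

Run `merge_lists` over the downloaded bodies of the eight URLs above to see the merged unique count and which lines each list carries that a domain-type resource cannot use.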

DNS Filter

  • Add a DNS filter.
    • You can do this under the 'Security Profiles' tab in the FortiGate GUI.
      • Enable the option 'FortiGuard Category Based Filter'.

  • In the category filter list, locate the entry 'Remote Categories'. Open it and you will find the seven domain-type external entries we added via the CLI.
    • Set all of them to 'Redirect to Block Portal'.

  • At the bottom of the menu you will find the option 'External IP Block Lists'.
    • Click the + sign and select the entry 'OISD-IP'.

Now all eight lists are active in this DNS filter profile.


Set up a DNS Server

Setting up a DNS server is easiest done from the CLI (like most things). Paste this into your CLI to set up the server. Change dnsfilter-profile to the name of your DNS filter profile. The entry name ("internal" here) is the interface on which the FortiGate answers DNS queries, so change it to match the interface your clients sit behind.

config system dns-server
    edit "internal"
        set mode forward-only
        set dnsfilter-profile "Your-DNS-Filter"
    next
end


After setting up your DNS server:
  • Publish it via DHCP, so clients receive the FortiGate interface address as their DNS server.

NOTE: This should get rid of many ads (YouTube ads cannot be blocked this way).
