rmehta
Staff
May 8, 2026

Troubleshooting Tip: Application Signature DNS does not allow DNS traffic on port 53


Description

This article describes why FortiGate Application Control can classify plain UDP/53 (or TCP/53) DNS traffic under a non-DNS application signature such as Google.Translate, Google.Hangouts or Yahoo.Mail, and why a profile that blocks all categories but adds an Application override to allow DNS can still drop legitimate DNS queries.

Scope

FortiGate.

Solution

The UTM log shows a DNS lookup being blocked even though the Application Control profile has an Application override allowing DNS.


A common Application Control profile structure (as observed in the affected customer profile ac_DNS) that produces this behavior:

Categories section - all categories are set to Block:

[Screenshot omitted: the category list of the ac_DNS profile, every category showing the action Block]


How it works:

Application Control profile is configured as:

  • All categories set to Block (including General.Interest, where Google.Translate resides).

  • One override added: Application = DNS, Action = Allow.


Application Control is signature-based. When a DNS query is processed, the IPS engine inspects the FQDN inside the query payload and matches it against the FortiGuard signature database. A query for translate.google.com matches the Google.Translate signature (appid 24473), which is more specific than the generic DNS signature.


The engine applies the action of the most specific match. Since Google.Translate belongs to General.Interest, and that category is blocked, the session is dropped, even though the protocol is DNS and an override exists for the generic DNS application.


The override (Application = DNS, Action = Allow) covers only the generic DNS signature. It does not cover other application signatures whose patterns also match DNS query payloads.
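The decision sequence above can be reproduced in a few lines, which is useful when reading the UTM log and deciding which override a profile actually needs. The following is an added example written for this article, not Fortinet code and not the IPS engine: it parses the QNAME out of a constructed DNS query payload, matches it against a small constructed signature table, picks the most specific match, and then applies a profile modelled on ac_DNS (all categories blocked, one override for DNS). The Google.Translate name, its General.Interest category and appid 24473 come from the article; the category of the generic DNS signature, the Yahoo.Mail entry and the field layout of the returned record are assumptions for illustration. It goes one step beyond the text by letting you add a second override and see that only an override for the more specific signature changes the outcome.

```python
import struct

# Constructed signature table. Google.Translate, its category and appid 24473 are
# quoted from the article; the DNS category and the Yahoo.Mail entry are
# assumptions for illustration, not FortiGuard data.
GENERIC_DNS = {"app": "DNS", "appid": None, "category": "Network.Service", "pattern": None}
SIGNATURES = [
    GENERIC_DNS,
    {"app": "Google.Translate", "appid": 24473, "category": "General.Interest",
     "pattern": "translate.google.com"},
    {"app": "Yahoo.Mail", "appid": None, "category": "Email", "pattern": "mail.yahoo.com"},
]

# Profile modelled on ac_DNS: every category blocked, one override for DNS.
AC_DNS_PROFILE = {
    "name": "ac_DNS",
    "default_category_action": "block",
    "category_actions": {},            # no category is individually allowed
    "overrides": {"DNS": "pass"},      # Application = DNS, Action = Allow
}


def build_query(qname: str, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS A query (constructed test input, not a capture)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_qname(payload: bytes) -> str:
    """Extract the QNAME from the first question of a DNS query payload."""
    if len(payload) < 12 or struct.unpack("!H", payload[4:6])[0] < 1:
        raise ValueError("not a DNS query with a question section")
    labels, pos = [], 12
    while True:
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers never appear in a query name
            raise ValueError("compression pointer in question name")
        labels.append(payload[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels).lower()


def most_specific_signature(qname: str) -> dict:
    """Generic DNS always matches; a longer FQDN pattern is a more specific match."""
    best = GENERIC_DNS
    for sig in SIGNATURES:
        pat = sig["pattern"]
        if pat and (qname == pat or qname.endswith("." + pat)):
            if best["pattern"] is None or len(pat) > len(best["pattern"]):
                best = sig
    return best


def evaluate(profile: dict, payload: bytes) -> dict:
    """Apply the profile to one query and return the fields a UTM log entry would carry."""
    qname = parse_qname(payload)
    sig = most_specific_signature(qname)
    if sig["app"] in profile["overrides"]:
        # An override applies only to the signature it names.
        action = profile["overrides"][sig["app"]]
    else:
        # Otherwise the action of the signature's category wins.
        action = profile["category_actions"].get(
            sig["category"], profile["default_category_action"])
    return {"service": "DNS", "app": sig["app"], "appid": sig["appid"],
            "appcat": sig["category"], "hostname": qname, "action": action}


def format_log(record: dict) -> str:
    """Render the record in key="value" form, the way the UTM log presents it."""
    return " ".join(f'{k}="{v}"' for k, v in record.items() if v is not None)


if __name__ == "__main__":
    for name in ("example.com", "translate.google.com"):
        print(format_log(evaluate(AC_DNS_PROFILE, build_query(name))))
```

Running it prints one allowed record for example.com and one blocked record for translate.google.com with service="DNS" and app="Google.Translate", the same combination the article describes in the log. Copying AC_DNS_PROFILE with an additional override for Google.Translate set to pass is the quickest way to confirm that the generic DNS override was never the entry that mattered for that hostname.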


Summary:

A FortiGate Application Control profile that blocks all categories and adds an Application override to allow DNS may still drop legitimate DNS queries for hostnames such as translate.google.com. The traffic is logged with service="DNS" but app="Google.Translate", and the action is block.


This is expected behavior.