Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
PurpleShirt
New Contributor III

App Control 'DNS only' blocks Google Translate

I've tried to create an application control security profile for the DNS requests of our DNS Server, so that only application data of the type DNS (and ICMP/Ping) is allowed. The app profile looks like this: 

 

image.png

When I did that, I saw in the logs that Google Translate was getting blocked. Here the log of the blocked connection attempt: 

 

 

 

 

 

date=2023-08-30 time=10:34:34 id=7273030939687518227 itime="2023-08-30 10:34:35" euid=3 epid=101 dsteuid=3 dstepid=101 logver=700120523 type="utm" subtype="app-ctrl" level="warning" action="block" sessionid=369741986 policyid=546 srcip=*.*.*.* dstip=*.*.*.* srcport=63371 dstport=53 proto=17 logid=1059028705 service="DNS" eventtime=1693384475533113261 incidentserialno=81095000 direction="outgoing" apprisk="elevated" appid=24473 srcintfrole="lan" dstintfrole="wan" applist="app-dns" appcat="General.Interest" app="Google.Translate" eventtype="signature" srcintf="****" dstintf="****" msg="General.Interest: Google.Translate" tz="+0200" policytype="policy" srccountry="Reserved" dstcountry="****" poluuid="f2a4f656-3c3f-51ee-cc20-238d646cc18d" devid="****" vd="root" dtime="2023-08-30 10:34:34" itime_t=1693384475 devname="****"

 

 

 

 

 

I need help understanding why it behaves like that? I was under the impression that this configuration would only allow DNS requests, but not really look at the application that makes the request. These requests were also made by accessing Google Translate with the browser. 

 

I've now added the applications that need DNS in the signatures, but still I don't get how this works. Can someone give me some insights? 

 

Thanks. 

1 Solution
pminarik
Staff
Staff

Various apps have various signatures attached to them to help with detections. With Google.Translate it just so happens that one of the signatures works with DNS queries for Google Translate's FQDN. So while it looks strange ("Why is basic UDP/53 DNS traffic flagged as Google Translate?" is a perfectly valid question), in this specific case the result is expected.

[ corrections always welcome ]

View solution in original post

4 REPLIES 4
pminarik
Staff
Staff

Various apps have various signatures attached to them to help with detections. With Google.Translate it just so happens that one of the signatures works with DNS queries for Google Translate's FQDN. So while it looks strange ("Why is basic UDP/53 DNS traffic flagged as Google Translate?" is a perfectly valid question), in this specific case the result is expected.

[ corrections always welcome ]
PurpleShirt
New Contributor III

Thank you for your reply. I've filtered the applications by protocol where DNS is used and added them to the allowed applications (some examples are Yahoo.Mail, Google.Hangouts and others). Is this enough or do other applications behave like Google Translate? 

pminarik

Well, everything that talks to a server with an FQDN will need to use DNS (a bit of a cheeky answer :)), but unfortunately I don't think there is a list of all application signatures that also include DNS traffic matching. I'm afraid you will need to add exceptions on a case-by-case basis.

[ corrections always welcome ]
PurpleShirt
New Contributor III

Haha alright thank you. I'll observe if I see blocked requests in the logs and will update the profile on a case by case basis :) 

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors