We have a FortiGate v6.4.11 running in our dependencies, and we try to block any connection to botnet C&C.
We've got a policy with 2 Security Profiles:
- DNS Filter redirects botnet C&C requests to Block Portal and uses FortiGuard Based Filter, where Malicious Websites, Phishing sites, spam URLs and Newly X Domains are also redirected to Block Portal.
- Application Control allows DNS traffic
When I use the nslookup command to request an imaginary FQDN on a well-known malicious DNS server, FortiGate unexpectedly allows the request:
- Policy ID: the defined one :)
- Application: DNS
- Application Action: detected
- Application Category: Network.service
- Application Risk: elevated
- Service: DNS
On the other hand, other fields make me think the request should not reach the malicious server:
- tdthreatname: Sinkhole
- tdthreattype: Malware
- tdtype: infected-ip
- tdwfcate: Spyware and Malware
So the thing is that Application Control allows the DNS network service, but DNS should block it since it is directed to a known malicious server.
To my understanding, communication should be blocked.
I have read the administration guide but I see no clue.
Did anyone face that problem before?
Thanks for your help,
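An added example (not from the poster or from Fortinet) for checking logs for exactly the mismatch described in the post: DNS traffic that carries threat-detection fields (tdtype=infected-ip, tdthreatname=Sinkhole) but was still allowed. It assumes the FortiGate key=value log format and the field names policyid, app, appact, service and action alongside the td* fields from the post; the sample lines are constructed.

```python
import re
from typing import Dict, List

# Constructed sample lines in FortiGate key=value style (not real logs from the device in the post).
# policyid=12 is a made-up value; the td* fields are the ones quoted in the post.
SAMPLE_LOGS = [
    'date=2023-01-10 time=10:01:02 policyid=12 app="DNS" appact="detected" appcat="Network.Service" '
    'apprisk="elevated" service="DNS" action="accept" tdthreatname="Sinkhole" tdthreattype="Malware" '
    'tdtype="infected-ip" tdwfcate="Spyware and Malware"',
    # Ordinary DNS query with no threat-detection fields: should not be flagged.
    'date=2023-01-10 time=10:02:15 policyid=12 app="DNS" appact="detected" appcat="Network.Service" '
    'apprisk="elevated" service="DNS" action="accept"',
    # Sinkholed query that the firewall actually denied: expected behaviour, not flagged.
    'date=2023-01-10 time=10:03:40 policyid=12 app="DNS" appact="blocked" service="DNS" action="deny" '
    'tdthreatname="Sinkhole" tdtype="infected-ip"',
]

# Matches key=value pairs; quoted values may contain spaces ("Spyware and Malware").
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Actions that mean the packet was let through (appact=detected only logs the app, it does not block).
ALLOW_ACTIONS = {"accept", "pass", "detected"}


def parse_log_line(line: str) -> Dict[str, str]:
    """Parse one FortiGate-style key=value log line into a dict."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
            for m in KV_RE.finditer(line)}


def is_threat_allowed(entry: Dict[str, str]) -> bool:
    """True when threat-detection fields mark the destination but the session was not blocked."""
    flagged = (entry.get("tdtype", "").lower() == "infected-ip"
               or entry.get("tdthreatname", "").lower() == "sinkhole")
    allowed = (entry.get("action", "").lower() in ALLOW_ACTIONS
               or entry.get("appact", "").lower() == "detected")
    return flagged and allowed


def find_allowed_threat_dns(lines: List[str]) -> List[Dict[str, str]]:
    """Return parsed DNS log entries where a known-bad destination was allowed through."""
    return [e for e in map(parse_log_line, lines)
            if e.get("service") == "DNS" and is_threat_allowed(e)]


if __name__ == "__main__":
    for hit in find_allowed_threat_dns(SAMPLE_LOGS):
        print(f"policy {hit['policyid']}: {hit.get('tdthreatname')} / {hit.get('tdtype')} allowed at {hit['time']}")
```

Running it against a real export of the traffic log lets you confirm whether the DNS Filter verdict is actually being applied or only logged.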