PurpleShirt
New Contributor III

App Control 'DNS only' blocks Google Translate

I've tried to create an application control security profile for the DNS requests of our DNS server, so that only application data of the type DNS (and ICMP/Ping) is allowed. The app profile looks like this:

[screenshot: image.png]

When I did that, I saw in the logs that Google Translate was getting blocked. Here is the log of the blocked connection attempt:


date=2023-08-30 time=10:34:34 id=7273030939687518227 itime="2023-08-30 10:34:35" euid=3 epid=101 dsteuid=3 dstepid=101 logver=700120523 type="utm" subtype="app-ctrl" level="warning" action="block" sessionid=369741986 policyid=546 srcip=*.*.*.* dstip=*.*.*.* srcport=63371 dstport=53 proto=17 logid=1059028705 service="DNS" eventtime=1693384475533113261 incidentserialno=81095000 direction="outgoing" apprisk="elevated" appid=24473 srcintfrole="lan" dstintfrole="wan" applist="app-dns" appcat="General.Interest" app="Google.Translate" eventtype="signature" srcintf="****" dstintf="****" msg="General.Interest: Google.Translate" tz="+0200" policytype="policy" srccountry="Reserved" dstcountry="****" poluuid="f2a4f656-3c3f-51ee-cc20-238d646cc18d" devid="****" vd="root" dtime="2023-08-30 10:34:34" itime_t=1693384475 devname="****"


I need help understanding why it behaves like that. I was under the impression that this configuration would only allow DNS requests, but not really look at the application that makes the request. These requests were also made by accessing Google Translate with the browser.

I've now added the applications that need DNS in the signatures, but still I don't get how this works. Can someone give me some insights?

Thanks.

1 Solution
pminarik
Staff

Various apps have various signatures attached to them to help with detections. With Google.Translate it just so happens that one of the signatures works with DNS queries for Google Translate's FQDN. So while it looks strange ("Why is basic UDP/53 DNS traffic flagged as Google Translate?" is a perfectly valid question), in this specific case the result is expected.

[ corrections always welcome ]

PurpleShirt
New Contributor III

Thank you for your reply. I've filtered the applications by protocol where DNS is used and added them to the allowed applications (some examples are Yahoo.Mail, Google.Hangouts and others). Is this enough or do other applications behave like Google Translate? 

pminarik

Well, everything that talks to a server with an FQDN will need to use DNS (a bit of a cheeky answer :)), but unfortunately I don't think there is a list of all application signatures that also include DNS traffic matching. I'm afraid you will need to add exceptions on a case-by-case basis.

[ corrections always welcome ]
PurpleShirt
New Contributor III

Haha, alright, thank you. I'll observe if I see blocked requests in the logs and will update the profile on a case-by-case basis :)
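Added example, not from the thread or from Fortinet: a Python script that does the case-by-case review pminarik suggests and PurpleShirt plans to do by hand. It parses FortiGate app-ctrl log records in the key=value form shown above and lists every signature other than DNS itself that the "app-dns" profile blocked on a DNS flow, together with its appid, which is what has to be added as an exception. The profile name app-dns comes from the posted log; the assumption that the DNS signature is named "DNS" and the sample records other than the posted one (including their appid values) are constructed for this example.

```python
import re

# Constructed sample input. SAMPLE_LOGS[0] is the record quoted in the post,
# abridged to the fields used here (addresses masked exactly as posted). The
# other records are constructed for this example; their appid values are
# placeholders, not real FortiGuard signature IDs.
SAMPLE_LOGS = [
    'date=2023-08-30 time=10:34:34 id=7273030939687518227 type="utm" subtype="app-ctrl" '
    'level="warning" action="block" sessionid=369741986 policyid=546 srcip=*.*.*.* '
    'dstip=*.*.*.* srcport=63371 dstport=53 proto=17 service="DNS" direction="outgoing" '
    'apprisk="elevated" appid=24473 applist="app-dns" appcat="General.Interest" '
    'app="Google.Translate" eventtype="signature" msg="General.Interest: Google.Translate" '
    'vd="root"',
    # constructed: another non-DNS signature matched on a UDP/53 flow under the same profile
    'date=2023-08-30 time=10:35:01 type="utm" subtype="app-ctrl" level="warning" '
    'action="block" policyid=546 dstport=53 proto=17 service="DNS" appid=99999 '
    'applist="app-dns" appcat="Email" app="Yahoo.Mail" eventtype="signature" '
    'msg="Email: Yahoo.Mail" vd="root"',
    # constructed: same signature on HTTPS under another profile, so not a DNS-profile issue
    'date=2023-08-30 time=10:35:10 type="utm" subtype="app-ctrl" level="warning" '
    'action="block" policyid=12 dstport=443 proto=6 service="HTTPS" appid=24473 '
    'applist="app-web" appcat="General.Interest" app="Google.Translate" '
    'eventtype="signature" msg="General.Interest: Google.Translate" vd="root"',
    # constructed: the DNS signature itself being passed, which is the intended outcome
    'date=2023-08-30 time=10:35:12 type="utm" subtype="app-ctrl" level="information" '
    'action="pass" policyid=546 dstport=53 proto=17 service="DNS" appid=11111 '
    'applist="app-dns" appcat="Network.Service" app="DNS" eventtype="signature" '
    'msg="Network.Service: DNS" vd="root"',
    # constructed: a second Google.Translate hit, with an escaped quote inside a value
    'date=2023-08-30 time=10:36:40 type="utm" subtype="app-ctrl" level="warning" '
    'action="block" policyid=546 dstport=53 proto=17 service="DNS" appid=24473 '
    'applist="app-dns" appcat="General.Interest" app="Google.Translate" '
    'eventtype="signature" msg="General.Interest: \\"Google.Translate\\"" vd="root"',
]

# key=value pairs; a value is either a double-quoted string (which may contain
# spaces and backslash-escaped quotes) or a run of non-space characters.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_log(line):
    """Parse one FortiGate key=value log record into a dict of strings."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1].replace('\\"', '"')  # strip quotes, unescape \"
        fields[key] = raw
    return fields


def is_dns_flow(rec):
    """True for records whose transport is DNS: the service field, or plain UDP/53."""
    return rec.get("service") == "DNS" or (
        rec.get("proto") == "17" and rec.get("dstport") == "53"
    )


def find_dns_blocked_apps(lines, applist="app-dns", dns_app="DNS"):
    """Return {app: {"appid": str, "count": int}} for every signature the given
    application list blocked on a DNS flow, excluding the DNS signature itself
    (dns_app, an assumed name). These are the candidate exceptions to add."""
    hits = {}
    for line in lines:
        rec = parse_fortigate_log(line)
        if rec.get("type") != "utm" or rec.get("subtype") != "app-ctrl":
            continue
        if rec.get("action") != "block" or rec.get("applist") != applist:
            continue
        if not is_dns_flow(rec) or rec.get("app") in (None, dns_app):
            continue
        entry = hits.setdefault(rec["app"], {"appid": rec.get("appid", "?"), "count": 0})
        entry["count"] += 1
    return hits


if __name__ == "__main__":
    for app, info in sorted(find_dns_blocked_apps(SAMPLE_LOGS).items()):
        print(f'{app:<24} appid={info["appid"]:<8} blocked={info["count"]}')
```

Run it against an export of the app-ctrl logs (one record per line) instead of SAMPLE_LOGS; the appid column is the value to add to the profile's allowed signatures, and the count shows which misattributed signatures are actually hitting real users. The filter on `applist` matters: the same Google.Translate signature blocked on an HTTPS flow under a different profile is deliberate web filtering, not DNS collateral, and must not be turned into an exception by mistake.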
