application control blocking youtube dns queries
Hello
M270 + fireware 12.11.2
I added a policy for dns queries out - tcp/udp 53 packet filter + application filter with network/dns allowed + proxy for op codes, query types, etc, from two bind9 server IPs, to any-external
Queries worked until I looked up youtube.com
It got blocked
Deny 192.168.10.111 192.43.172.30 dns/udp 60963 53 INT-PUBLIC-BRIDGE EXT-BUSINESS Application identified 80 63 (DNS OUT prefer NS1-00) proc_id="firewall" rc="101" msg_id="3000-0149" src_ip_nat="m.y.i.p" app_id="112" app_name="Youtube" app_cat_id="5" app_cat_name="Media streaming services" app_beh_id="6" app_beh_name="Access" action="DNS Only" sig_vers="18.376" flags="SR" duration="0" sent_pkts="2" rcvd_pkts="0" sent_bytes="160" rcvd_bytes="0" route_type="SD-WAN" geo_dst="USA"
Per the log I modified app control "media streaming service > youtube > access" to "allow" and tried again
Allow 192.168.10.111 192.12.94.30 dns/udp 38196 53 INT-PUBLIC-BRIDGE EXT-BUSINESS Application identified 80 63 (DNS OUT prefer NS1-00) proc_id="firewall" rc="100" msg_id="3000-0149" src_ip_nat="m.y.i.p" app_id="112" app_name="Youtube" app_cat_id="5" app_cat_name="Media streaming services" app_beh_id="6" app_beh_name="Access" action="DNS Only" sig_vers="18.376" route_type="SD-WAN" geo_dst="USA" record_type="DS" question="youtube.com"
Can you help me understand why that's needed for dns queries?
Comments
Hi @Steve_E
The application control signature for YouTube will attempt to block any traffic that allows access to YouTube. This includes clear text DNS queries that include known YouTube domains.
If you want your users to be able to access YouTube, the correct action is to allow it via application control.
If you want to allow those DNS queries while still disallowing YouTube for your other policies, I'd suggest making a new Application Control action for your DNS policy so you can disable it for that policy.
-James Carson
WatchGuard Customer Support
thank you
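To find which DNS policies would need their own Application Control action, the traffic logs can be searched for "Application identified" events on port 53. The following is an added example, not code from the posters or from WatchGuard; the field layout is inferred only from the two log lines quoted in the thread, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# The two traffic log lines quoted in the thread (copied from the post).
SAMPLE_LOGS = [
    'Deny 192.168.10.111 192.43.172.30 dns/udp 60963 53 INT-PUBLIC-BRIDGE EXT-BUSINESS Application identified 80 63 (DNS OUT prefer NS1-00) proc_id="firewall" rc="101" msg_id="3000-0149" src_ip_nat="m.y.i.p" app_id="112" app_name="Youtube" app_cat_id="5" app_cat_name="Media streaming services" app_beh_id="6" app_beh_name="Access" action="DNS Only" sig_vers="18.376" flags="SR" duration="0" sent_pkts="2" rcvd_pkts="0" sent_bytes="160" rcvd_bytes="0" route_type="SD-WAN" geo_dst="USA"',
    'Allow 192.168.10.111 192.12.94.30 dns/udp 38196 53 INT-PUBLIC-BRIDGE EXT-BUSINESS Application identified 80 63 (DNS OUT prefer NS1-00) proc_id="firewall" rc="100" msg_id="3000-0149" src_ip_nat="m.y.i.p" app_id="112" app_name="Youtube" app_cat_id="5" app_cat_name="Media streaming services" app_beh_id="6" app_beh_name="Access" action="DNS Only" sig_vers="18.376" route_type="SD-WAN" geo_dst="USA" record_type="DS" question="youtube.com"',
]

# Layout assumed from the sample lines: disposition, src, dst, service, sport, dport
HEAD = re.compile(r'^(Allow|Deny) (\S+) (\S+) (\S+) (\d+) (\d+) ')
POLICY = re.compile(r'\(([^)]*)\)')   # policy name is the first parenthesised field
KV = re.compile(r'(\w+)="([^"]*)"')   # trailing key="value" pairs

def parse(line):
    """Split one traffic log line into a dict, or return None if it does not fit."""
    m = HEAD.match(line)
    if not m:
        return None
    rec = dict(zip(("disposition", "src", "dst", "service", "sport", "dport"), m.groups()))
    p = POLICY.search(line)
    rec["policy"] = p.group(1) if p else ""
    rec.update(KV.findall(line))
    return rec

def app_control_dns_events(lines):
    """Port-53 events where Application Control identified an application."""
    recs = (parse(l) for l in lines if "Application identified" in l)
    return [r for r in recs if r and r["dport"] == "53" and "app_name" in r]

def denied_by_app(lines):
    """Map (app_name, app_cat_name) -> sorted policy names whose DNS traffic was denied."""
    out = defaultdict(set)
    for r in app_control_dns_events(lines):
        if r["disposition"] == "Deny":
            out[(r["app_name"], r.get("app_cat_name", ""))].add(r["policy"])
    return {k: sorted(v) for k, v in out.items()}

if __name__ == "__main__":
    for r in app_control_dns_events(SAMPLE_LOGS):
        print(r["disposition"], r["policy"], r["app_name"], r.get("question", "-"))
```

Each key in the result of `denied_by_app` is an application signature that is blocking resolver traffic, and each value lists the DNS policies that hit it.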