DNS firewall rule generating a lot of WAN traffic

Posted on 2009-07-08
Last Modified: 2012-05-07
Why is the DNS firewall rule generating a lot of WAN traffic on a FortiGate 110c Firewall?

Our DC/DNS/DHCP Server is named JERRY and this is the server that's always the top talker.
The firewall rule that is always identified is the DNS rule, Rule 27.

Can anyone please offer any suggestions or possible adjustments I can make to reduce this load on the WAN thereby freeing it up for other WAN applications?

Thanks
WAN-Info.docx
Question by:amanadili
5 Comments
LVL 23

Expert Comment

by:rhandels
ID: 24811159
First off, what traffic do you see generated? Second, what does the rule state, allow this traffic or disallow this traffic?
You should keep in mind that TCP has a lot of overhead in its communication. Also, every DNS request that a normal client does goes to your DC/DNS server in the domain. This server will forward all this traffic to internet root servers. Also, all clients trying to connect to your DC send packets to your DC; the DC always has to reply to those machines and a lot of times it will do a broadcast to the entire domain, which you will see on your FortiGate.

What I normally did on a firewall generating a lot of nonsense logs is to create a rule that will allow this type of traffic (which in a lot of cases is simple overhead) and not log it. This way you can at least keep your log clean.
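A way to answer "what traffic do you see generated" from the FortiGate logs themselves, as an added example that is not part of the thread and not a Fortinet tool: the script below parses key=value traffic log lines and totals sessions and bytes per policy, source, destination, port and protocol, so the Rule 27 volume can be attributed to specific peers, and it pulls out TCP/53 flows, which are far larger than ordinary UDP lookups. The sample log lines, the address 192.168.1.10 standing in for JERRY, and the field names srcip/dstip/dstport/proto/policyid/sentbyte/rcvdbyte are constructed assumptions; check them against a real export before relying on the output.

```python
"""Break down FortiGate-style traffic logs by policy, source and destination
so the 'DNS rule' volume can be attributed to specific peers and protocols."""
import re
from collections import defaultdict

# Constructed sample in FortiGate's key=value log style. Field names
# (srcip, dstip, dstport, proto, policyid, sentbyte, rcvdbyte) are assumed;
# 192.168.1.10 stands in for JERRY, 205.203.131.117 is the external DNS
# server mentioned in the thread, other external addresses are from
# documentation ranges (RFC 5737).
SAMPLE_LOG = """\
date=2009-07-08 time=10:00:01 type=traffic subtype=forward srcip=192.168.1.10 srcport=53412 dstip=205.203.131.117 dstport=53 proto=17 action=accept policyid=27 service="DNS" sentbyte=74 rcvdbyte=310
date=2009-07-08 time=10:00:02 type=traffic subtype=forward srcip=192.168.1.10 srcport=53413 dstip=205.203.131.117 dstport=53 proto=17 action=accept policyid=27 service="DNS" sentbyte=68 rcvdbyte=250
date=2009-07-08 time=10:00:02 type=traffic subtype=forward srcip=192.168.1.10 srcport=53414 dstip=203.0.113.5 dstport=53 proto=17 action=accept policyid=27 service="DNS" sentbyte=70 rcvdbyte=512
date=2009-07-08 time=10:00:03 type=traffic subtype=forward srcip=192.168.1.10 srcport=53415 dstip=203.0.113.9 dstport=53 proto=6 action=accept policyid=27 service="DNS" sentbyte=120 rcvdbyte=4100
date=2009-07-08 time=10:00:04 type=traffic subtype=forward srcip=192.168.1.55 srcport=49201 dstip=198.51.100.20 dstport=80 proto=6 action=accept policyid=5 service="HTTP" sentbyte=900 rcvdbyte=3000
date=2009-07-08 time=10:00:05 type=event subtype=system level=notice msg="constructed non-traffic line, ignored"
"""

# key=value pairs; quoted values may contain spaces, so try the quoted form first
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Split one key=value log line into a dict; quoted values are unquoted."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def summarize(log_text, policy_id=None):
    """Sessions and bytes per (policy, src, dst, dport, proto), biggest first.

    proto is the IP protocol number as logged: 17 = UDP, 6 = TCP.
    """
    totals = defaultdict(lambda: {"sessions": 0, "sent": 0, "rcvd": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("type") != "traffic":
            continue
        if policy_id is not None and rec.get("policyid") != str(policy_id):
            continue
        key = (rec["policyid"], rec["srcip"], rec["dstip"],
               rec["dstport"], rec["proto"])
        t = totals[key]
        t["sessions"] += 1
        t["sent"] += int(rec.get("sentbyte", 0))
        t["rcvd"] += int(rec.get("rcvdbyte", 0))
    return sorted(totals.items(),
                  key=lambda kv: kv[1]["sent"] + kv[1]["rcvd"], reverse=True)


def top_talkers(log_text):
    """Bytes in both directions per source IP across every policy, biggest first."""
    per_src = defaultdict(int)
    for key, t in summarize(log_text):
        per_src[key[1]] += t["sent"] + t["rcvd"]
    return sorted(per_src.items(), key=lambda kv: kv[1], reverse=True)


def tcp_dns_sessions(log_text, policy_id=None):
    """Flows to port 53 over TCP (zone transfers or retries of truncated UDP
    answers): much larger than ordinary lookups and worth a look."""
    return [(key, t) for key, t in summarize(log_text, policy_id)
            if key[3] == "53" and key[4] == "6"]


if __name__ == "__main__":
    for key, t in summarize(SAMPLE_LOG, policy_id=27):
        print(key, t)
    print("top talkers:", top_talkers(SAMPLE_LOG))
    print("TCP/53 flows:", tcp_dns_sessions(SAMPLE_LOG, 27))
```

Feed an exported log file's contents to summarize() in place of the sample. If the largest rows point at your configured external DNS server over UDP, the load is ordinary recursion from the DC, and a separate allow rule with logging turned off, as suggested above, will at least keep the log readable; a large TCP/53 row to an address you do not recognise deserves a closer look.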

Author Comment

by:amanadili
ID: 24820437
My knowledge of DNS is in its early stages.
What type of traffic am I supposed to be seeing? I thought the screen dump in the attachment would be the type of information you're after.
The DNS rule states ALLOW all traffic.

Could it be that the DNS needs configuring/re-configuring?
I am not an expert on DNS servers but these ones don't look too healthy.

What do you think?

Could there be some sort of DNS loop in our network creating unnecessary traffic?

DNS-Screen-Dumps.docx
LVL 23

Expert Comment

by:rhandels
ID: 24820847
I don't see anything strange, to be honest...
Are you using DNS forwarding to external DNS servers for resolution? This being the 205.203.131.117?
Normally this is what happens. Your clients want to go to the internet, they send a request to your DNS server (which in most cases is your DHCP server), this DNS server will send a request to the internet for the resolution of the IP address.

E.g. you would like to go to www.google.com. Then your server goes to the internet root server asking for the authoritative DNS server for google.com. Then, if your server receives that IP address, it will ask the authoritative DNS server of google for an IP address of a server it can connect to.

As you can see, a lot of DNS traffic will be generated originating from your DC. To be honest, I don't see anything strange in the logging you sent.

Author Comment

by:amanadili
ID: 24856485
Thanks for your feedback.
One final question...
How do I tell if DNS forwarding to external DNS servers is being used?

Thanks
LVL 23

Accepted Solution

by:rhandels (earned 500 total points)
ID: 24856847
Hi,

Unfortunately I don't have a DNS console in front of me now, but all Microsoft DNS servers have root DNS servers set up. There are about 10 to 15 DNS root servers on the internet; if you don't delete them and don't configure some extra settings within your Microsoft DNS server, it will use these root hint DNS servers.

Also a good way of telling this is if your computer has your internal DNS as its DNS server and you are able to browse external websites. Because if you browse the internet, your DNS server needs to query external DNS servers for resolution.
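The resolution chain rhandels describes two comments up, and the root-hints-versus-forwarder distinction in the accepted solution, as an added example that is not code from the thread or from Microsoft: a small simulation of the queries a DNS server sends over the WAN to resolve one name, once walking the delegation chain from its root hints and once handing the job to a forwarder. The delegation tree, the addresses from documentation ranges and the use of 205.203.131.117 as the forwarder are constructed assumptions; a real resolver also has to look up name-server names that arrive without glue and honours TTLs, which this model leaves out.

```python
"""Simulate how many upstream queries a DNS server sends to resolve one name
when it walks the delegation chain from its root hints, versus when it hands
the whole job to a forwarder. Zones and addresses are constructed."""

# Constructed delegation tree: each zone has one name server whose address is
# already known (glue). Addresses are documentation ranges (RFC 5737), not
# real root or TLD servers.
ZONES = {
    ".":           {"ns_ip": "203.0.113.1", "delegates": ["com."]},
    "com.":        {"ns_ip": "203.0.113.2", "delegates": ["google.com."]},
    "google.com.": {"ns_ip": "203.0.113.3",
                    "records": {"www.google.com.": "192.0.2.80"}},
}
ROOT_HINT = ZONES["."]["ns_ip"]   # what a root hints entry amounts to


def _in_zone(qname, zone):
    """True if qname is zone itself or lies below it."""
    return qname == zone or qname.endswith("." + zone)


def authoritative_query(server_ip, qname):
    """What one authoritative server answers to a non-recursive query:
    ('answer', ip), ('referral', next server ip) or ('nxdomain', None)."""
    zone = next(z for z, d in ZONES.items() if d["ns_ip"] == server_ip)
    data = ZONES[zone]
    if qname in data.get("records", {}):
        return "answer", data["records"][qname]
    for child in data.get("delegates", []):
        if _in_zone(qname, child):
            return "referral", ZONES[child]["ns_ip"]
    return "nxdomain", None


def resolve_via_root_hints(qname, cache=None, max_hops=10):
    """Iterative resolution as a root-hints-only server does it. Returns the
    answer and a list of (server asked, reply kind); every entry in that list
    is one query leaving the WAN interface."""
    cache = {} if cache is None else cache
    if qname in cache:
        return cache[qname], []            # served from cache: no WAN traffic
    trace, server = [], ROOT_HINT
    for _ in range(max_hops):              # guard against a referral loop
        kind, payload = authoritative_query(server, qname)
        trace.append((server, kind))
        if kind == "referral":
            server = payload
            continue
        if kind == "answer":
            cache[qname] = payload
        return payload, trace
    raise RuntimeError("referral loop resolving %s" % qname)


def resolve_via_forwarder(qname, forwarder_ip, cache=None):
    """With a forwarder configured the server sends one recursive query and
    the forwarder walks the chain on its own link. Same cache behaviour."""
    cache = {} if cache is None else cache
    if qname in cache:
        return cache[qname], []
    answer, _ = resolve_via_root_hints(qname)   # the forwarder's work, not ours
    if answer is not None:
        cache[qname] = answer
    return answer, [(forwarder_ip, "answer" if answer else "nxdomain")]


if __name__ == "__main__":
    for label, fn in (("root hints", lambda q: resolve_via_root_hints(q)),
                      ("forwarder", lambda q: resolve_via_forwarder(q, "205.203.131.117"))):
        answer, trace = fn("www.google.com.")
        print(label, answer, len(trace), "WAN queries:", trace)
```

With root hints only, the DC asks the root, the .com server and google's server in turn, three WAN queries for one name; with a forwarder it sends one recursive query and the forwarder does the walking. Either way the cache means the next client asking for the same name generates no WAN traffic at all, so on a busy DC the WAN volume tracks how many distinct names your users look up, and pointing the server at a forwarder trims the per-name fan-out but does not remove the traffic.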