Solved

DNS firewall rule generating a lot of WAN traffic

Posted on 2009-07-08
Last Modified: 2012-05-07
Why is the DNS firewall rule generating a lot of WAN traffic on a FortiGate 110c Firewall?

Our DC/DNS/DHCP Server is named JERRY and this is the server that's always the top talker.
The Firewall rule that always is identified is the DNS rule - Rule 27

Can anyone please offer any suggestions or possible adjustments I can make to reduce this load on the WAN thereby freeing it up for other WAN applications?

Thanks
WAN-Info.docx
Question by:amanadili

5 Comments
LVL 23

Expert Comment

by:rhandels
ID: 24811159
First off, what traffic do you see generated? Second, what does the rule state: allow this traffic or disallow this traffic?
You should keep in mind that TCP has a lot of overhead in its communication. Also, every DNS request that a normal client does goes to your DC/DNS server in the domain. This server will forward all this traffic to internet root servers. Also, all clients trying to connect to your DC send packets to your DC; the DC always has to reply to those machines and a lot of times it will do a broadcast to the entire domain, which you will see on your FortiGate.

What I normally did on a firewall generating a lot of nonsense logs is to create a rule that will allow this type of traffic (which in a lot of cases is simple overhead) and not log it. This way you can at least keep your log clean.
 

Author Comment

by:amanadili
ID: 24820437
My knowledge of DNS is in its early stages.
What type of traffic am I supposed to be seeing? I thought the screen dump in the attachment would be the type of information you're after.
The DNS rule states ALLOW all traffic.

Could it be that the DNS needs configuring/re-configuring?
I am not an expert on DNS servers but these ones don't look too healthy.

What do you think?

Could there be some sort of DNS loop in our network creating unnecessary traffic?

DNS-Screen-Dumps.docx
LVL 23

Expert Comment

by:rhandels
ID: 24820847
I don't see anything strange, to be honest.
Are you using DNS forwarding to external DNS servers for resolution? This being the 205.203.131.117?
Normally this is what happens: your clients want to go to the internet, they send a request to your DNS server (which in most cases is your DHCP server), and this DNS server will send a request to the internet for the resolution of the IP address.

E.g. you would like to go to www.google.com. Then your server goes to the internet root server asking for the authoritative DNS server for google.com. Then, if your server receives that IP address, it will ask the authoritative DNS server of Google for an IP address of a server it can connect to.

As you can see, a lot of DNS traffic will be generated originating from your DC. To be honest, I don't see anything strange in the logging you sent.

Author Comment

by:amanadili
ID: 24856485
Thanks for your feedback.
One final question...
How do I tell if DNS forwarding to external DNS servers is being used?

Thanks
LVL 23

Accepted Solution

by: rhandels (earned 500 total points)
ID: 24856847
Hi,

Unfortunately I don't have a DNS console in front of me now, but all Microsoft DNS servers have root DNS servers set up. These are about 10 to 15 DNS root servers on the internet; if you don't delete them and don't configure some extra settings within your Microsoft DNS server, it will use these root hint DNS servers.

Also a good way of telling this is if your computer has your internal DNS as its DNS server and you are able to browse external websites. Because if you browse the internet, your DNS server needs to query external DNS servers for resolution.

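The first expert comment describes the DC forwarding every client lookup out to the internet root servers, and the accepted solution says a Microsoft DNS server uses its root hints unless forwarders are configured. The script below is an added example (not code from this thread or from Fortinet/Microsoft) that checks that from the firewall side: it reads the server's root-hints file (the same zone-file layout as %SystemRoot%\System32\dns\cache.dns) and FortiGate-style key=value traffic log lines, then reports whether the DC's outbound port-53 flows go to root servers and many different authoritative servers (root hints, iterative resolution) or almost entirely to one address (a forwarder). It also lists internal hosts other than the DC that send DNS straight to the WAN. The log lines, the two-entry root-hints excerpt and the DC address 192.168.1.10 standing in for JERRY are all constructed for the example; run it on your own exported log and cache.dns.

```python
"""Classify a Windows DNS server's outbound port-53 traffic as root-hint
(iterative) resolution or forwarder traffic, from FortiGate-style traffic
log lines plus the server's root-hints file (cache.dns).

Added example, not code from the original thread. All data below is
constructed; 192.168.1.10 as the address of the DC "JERRY" is an assumption.
"""
import re
from collections import Counter
from ipaddress import ip_address

# Constructed excerpt in the layout of %SystemRoot%\System32\dns\cache.dns
# (BIND zone syntax). Use the real file from your server; only two root
# servers are listed here.
CACHE_DNS = """\
;  root hints (constructed sample)
.                        3600000  IN  NS    A.ROOT-SERVERS.NET.
.                        3600000  IN  NS    C.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000  IN  A     198.41.0.4
C.ROOT-SERVERS.NET.      3600000  IN  A     192.33.4.12
"""

# Constructed FortiGate-style traffic log lines (key=value). srcip 192.168.1.10
# stands in for the DC, policyid=27 is the DNS rule from the question, and
# 192.168.1.55 is a client that sends DNS to the WAN directly.
LOG_LINES = """\
date=2009-07-08 time=09:00:01 policyid=27 srcip=192.168.1.10 dstip=198.41.0.4 dstport=53 proto=17 sentbyte=73 rcvdbyte=510
date=2009-07-08 time=09:00:01 policyid=27 srcip=192.168.1.10 dstip=192.33.4.12 dstport=53 proto=17 sentbyte=71 rcvdbyte=498
date=2009-07-08 time=09:00:02 policyid=27 srcip=192.168.1.10 dstip=203.0.113.5 dstport=53 proto=17 sentbyte=70 rcvdbyte=230
date=2009-07-08 time=09:00:02 policyid=27 srcip=192.168.1.10 dstip=203.0.113.77 dstport=53 proto=17 sentbyte=68 rcvdbyte=184
date=2009-07-08 time=09:00:03 policyid=27 srcip=192.168.1.10 dstip=198.51.100.9 dstport=53 proto=17 sentbyte=69 rcvdbyte=201
date=2009-07-08 time=09:00:03 policyid=27 srcip=192.168.1.10 dstip=198.41.0.4 dstport=53 proto=17 sentbyte=75 rcvdbyte=520
date=2009-07-08 time=09:00:04 policyid=27 srcip=192.168.1.55 dstip=198.51.100.53 dstport=53 proto=17 sentbyte=60 rcvdbyte=120
date=2009-07-08 time=09:00:05 policyid=12 srcip=192.168.1.10 dstip=198.51.100.80 dstport=80 proto=6 sentbyte=1200 rcvdbyte=45000
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_log(text):
    """Parse key=value log lines into dicts (quoted values are unquoted)."""
    return [{k: v.strip('"') for k, v in KV_RE.findall(line)}
            for line in text.splitlines() if line.strip()]


def parse_root_hints(text):
    """Return the set of A/AAAA addresses listed in a cache.dns style file."""
    ips = set()
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()        # drop ';' comments
        if len(fields) >= 3 and fields[-2] in ("A", "AAAA"):
            try:
                ips.add(str(ip_address(fields[-1])))
            except ValueError:
                pass                                  # rdata is not an address
    return ips


def analyze(records, root_hint_ips, server_ip, forwarder_share=0.9):
    """Summarise outbound DNS (dstport 53) seen at the firewall.

    root-hints: the server talked to an address from cache.dns, so it resolves
    iteratively (root hints are also the fallback when forwarders fail).
    forwarder: nearly all flows go to one address, typical of forwarding.
    iterative: many destinations but no root server in this window.
    """
    dns = [r for r in records if r.get("dstport") == "53"]
    from_server = [r for r in dns if r.get("srcip") == server_ip]
    bypassing = sorted({r["srcip"] for r in dns if r.get("srcip") != server_ip})
    flows = Counter(r["dstip"] for r in from_server)
    bytes_by_dst = Counter()
    for r in from_server:
        bytes_by_dst[r["dstip"]] += int(r.get("sentbyte", 0)) + int(r.get("rcvdbyte", 0))
    total = sum(flows.values())
    root_hits = sum(n for ip, n in flows.items() if ip in root_hint_ips)
    top_ip, top_n = flows.most_common(1)[0] if flows else (None, 0)
    top_share = top_n / total if total else 0.0
    if root_hits:
        verdict = "root-hints"
    elif top_ip and top_share >= forwarder_share:
        verdict = "forwarder"
    else:
        verdict = "iterative" if total else "no-dns-traffic"
    return {
        "verdict": verdict,
        "dns_flows": total,
        "root_hint_flows": root_hits,
        "distinct_destinations": len(flows),
        "top_destination": top_ip,
        "top_share": top_share,
        "bytes_by_dst": dict(bytes_by_dst),
        "bypassing_clients": bypassing,
    }


if __name__ == "__main__":
    result = analyze(parse_log(LOG_LINES), parse_root_hints(CACHE_DNS), "192.168.1.10")
    for key, value in result.items():
        print(f"{key}: {value}")
```

On the constructed sample the verdict is "root-hints": the DC hits two addresses from cache.dns and spreads the rest over several authoritative servers, which is the iterative pattern the thread describes. A "forwarder" verdict means almost every outbound DNS flow goes to one external resolver. The log is only circumstantial evidence; the definitive answer is still the Forwarders configuration of the DNS server itself, and a root-server hit can also mean a configured forwarder was unreachable and the server fell back to root hints. Any address in bypassing_clients is an internal host not using the DC for DNS, which is worth checking separately.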