Solved

DNS firewall rule generating a lot of WAN traffic

Posted on 2009-07-08
744 Views
Last Modified: 2012-05-07
Why is the DNS firewall rule generating a lot of WAN traffic on a FortiGate 110c Firewall?

Our DC/DNS/DHCP Server is named JERRY and this is the server that's always the top talker.
The Firewall rule that always is identified is the DNS rule - Rule 27

Can anyone please offer any suggestions or possible adjustments I can make to reduce this load on the WAN thereby freeing it up for other WAN applications?

Thanks
WAN-Info.docx
Question by:amanadili
5 Comments
LVL 23

Expert Comment

by:rhandels
ID: 24811159
First off, what traffic do you see generated?? Second, what does the rule state, allow this traffic or disallow this traffic??
You should keep in mind that TCP has a lot of overhead in its communication.. Also, every DNS request that a normal client does goes to your DC/DNS server in the domain.. This server will forward all this traffic to internet root servers.. Also, all clients trying to connect to your DC send packages to your DC, the DC always has to reply to those machines and a lot of times it will do a broadcast to the entire domain which you will see on your fortigate.

What I normally do on a firewall generating a lot of nonsense logs is to create a rule that will allow this type of traffic (which in a lot of cases is simple overhead) and not log it. This way you can at least keep your log clean..

Author Comment

by:amanadili
ID: 24820437
My knowledge of DNS is in its early stages.
What type of traffic am I supposed to be seeing? I thought the screen dump in the attachment would be the type of information you're after.
The DNS rule states ALLOW all traffic.

Could it be that the DNS needs configuring/re-configuring?
I am not an expert on DNS servers but these ones don't look too healthy.

What do you think?

Could there be some sort of DNS loop in our network creating unnecessary traffic?

DNS-Screen-Dumps.docx
LVL 23

Expert Comment

by:rhandels
ID: 24820847
I don't see anything strange to be honest...
Are you using DNS forwarding to external DNS servers for resolution?? This being the 205.203.131.117??
Normally this is what happens.. Your clients want to go to the internet, they send a request to your DNS server (which in most cases is your DHCP server), this DNS server will send a request to the internet for the resolution of the IP address..

E.g. You would like to go to www.google.com.. Then your server goes to the internet root server asking for the authoritative DNS server for google.com.. Then, if your server receives that IP address, it will ask the authoritative DNS server of google for an IP address of a server it can connect to.

As you can see, a lot of DNS traffic will be generated originating from your DC.. Tbh I don't see anything strange in the logging you sent..

Author Comment

by:amanadili
ID: 24856485
Thanks for your feedback.
One final question...
How do I tell if DNS forwarding to external DNS servers is being used?

Thanks
LVL 23

Accepted Solution

by: rhandels (earned 500 total points)
ID: 24856847
Hi,

Unfortunately I don't have a DNS console in front of me now but all Microsoft DNS servers have root DNS servers set up. These are about 10 to 15 DNS root servers on the internet; if you don't delete them and don't configure some extra settings within your Microsoft DNS server it will use these root hint DNS servers.

Also a good way of telling this is if your computer has your internal DNS as its DNS server and you are able to browse external websites. Because if you browse the internet, your DNS server needs to query external DNS servers for resolution..
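The check the accepted answer describes (forwarders configured, or falling back to root hints and walking root -> TLD -> authoritative as the earlier comment explains) can be scripted. This is an added example, not code from the thread; it assumes the DnsServer PowerShell module (Windows Server 2012 and later) and is run on, or pointed at, the DNS server itself (JERRY in the question). On the 2003/2008-era servers of the original post the same information is in the DNS console under the server's Forwarders and Root Hints tabs.

```powershell
# Added example (not from the thread): report how a Microsoft DNS server
# resolves external names. Assumes the DnsServer module (Windows Server 2012+).
function Get-DnsResolutionMode {
    param([string]$ComputerName = $env:COMPUTERNAME)

    $fwd   = Get-DnsServerForwarder -ComputerName $ComputerName
    $hints = @(Get-DnsServerRootHint -ComputerName $ComputerName)

    # Forwarders: one upstream query per external name instead of a full walk.
    $forwarders = @($fwd.IPAddress | ForEach-Object { $_.IPAddressToString })

    if ($forwarders.Count -gt 0) {
        $mode = "Forwarding: external queries go to $($forwarders -join ', ')"
        if ($fwd.UseRootHint) {
            $mode += " (falls back to root hints if the forwarders do not answer)"
        }
    } elseif ($hints.Count -gt 0) {
        # No forwarders: the server itself asks root, then TLD, then the
        # authoritative server for every uncached name, which is the
        # multi-query pattern that shows up as WAN traffic from the DC.
        $mode = "Iterative via $($hints.Count) root hints (no forwarders configured)"
    } else {
        $mode = "Neither forwarders nor root hints: external names cannot be resolved"
    }

    # Second check from the answer: can this server resolve an external name?
    # www.google.com is used because the thread uses it as its example.
    $probe = Resolve-DnsName -Name www.google.com -Type A -Server $ComputerName `
                             -DnsOnly -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Server           = $ComputerName
        Forwarders       = $forwarders
        RootHintCount    = $hints.Count
        Mode             = $mode
        ExternalResolves = [bool]$probe
    }
}

Get-DnsResolutionMode | Format-List
```

If Mode reports iterative resolution via root hints, pointing the server at one or two forwarders (for example the ISP's resolvers) reduces the number of outbound DNS queries per lookup and is the usual first adjustment for the symptom in the question.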
