Solved

DNS firewall rule generating a lot of WAN traffic

Posted on 2009-07-08
5
747 Views
Last Modified: 2012-05-07
Why is the DNS firewall rule generating a lot of WAN traffic on a FortiGate 110c Firewall?

Our DC/DNS/DHCP Server is named JERRY and this is the server that's always the top talker.
The Firewall rule that always is identified is the DNS rule - Rule 27

Can anyone please offer any suggestions or possible adjustments I can make to reduce this load on the WAN thereby freeing it up for other WAN applications?

Thanks
WAN-Info.docx
Question by:amanadili
5 Comments
 
LVL 23

Expert Comment

by:rhandels
ID: 24811159
First off, what traffic do you see generated? Second, what does the rule state, allow this traffic or disallow this traffic?
You should keep in mind that TCP has a lot of overhead in its communication. Also, every DNS request that a normal client does goes to your DC/DNS server in the domain. This server will forward all this traffic to internet root servers. Also, all clients trying to connect to your DC send packages to your DC, the DC always has to reply to those machines and a lot of times it will do a broadcast to the entire domain which you will see on your FortiGate.

What I normally did on a firewall generating a lot of nonsense logs is to create a rule that will allow this type of traffic (which in a lot of cases is simple overhead) and not log it. This way you can at least keep your log clean.
0
 

Author Comment

by:amanadili
ID: 24820437
My knowledge of DNS is in its early stages.
What type of traffic am I supposed to be seeing? I thought the screen dump in the attachment would be the type of information you're after.
The DNS rule states ALLOW all traffic.

Could it be that the DNS needs configuring/re-configuring?
I am not an expert on DNS servers but these ones don't look too healthy.

What do you think?

Could there be some sort of DNS loop in our network creating unnecessary traffic?

DNS-Screen-Dumps.docx
0
 
LVL 23

Expert Comment

by:rhandels
ID: 24820847
I don't see anything strange to be honest...
Are you using DNS forwarding to external DNS servers for resolution? This being the 205.203.131.117?
Normally this is what happens. Your clients want to go to the internet, they send a request to your DNS server (which in most cases is your DHCP server), this DNS server will send a request to the internet for the resolution of the IP address.

E.g. you would like to go to www.google.com. Then your server goes to the internet root server asking for the authoritative DNS server for google.com. Then, if your server receives that IP address, it will ask the authoritative DNS server of Google for an IP address of a server it can connect to.

As you can see, a lot of DNS traffic will be generated originating from your DC. Tbh I don't see anything strange in the logging you sent.
0
 

Author Comment

by:amanadili
ID: 24856485
Thanks for your feedback.
One final question...
How do I tell if DNS forwarding to external DNS servers is being used?

Thanks
0
 
LVL 23

Accepted Solution

by:
rhandels earned 500 total points
ID: 24856847
Hi,

Unfortunately I don't have a DNS console in front of me now, but all Microsoft DNS servers have root DNS servers set up. These are about 10 to 15 DNS root servers on the internet; if you don't delete them and don't configure some extra settings within your Microsoft DNS server it will use these root hint DNS servers.

Also a good way of telling this is if your computer has your internal DNS as its DNS server and you are able to browse external websites. Because if you browse the internet, your DNS server needs to query external DNS servers for resolution.
0
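A way to answer the forwarding question from the accepted solution directly on the DNS server, as an added example that is not part of the thread or its participants' replies. It assumes a Windows Server 2012 or later DNS role with the DnsServer PowerShell module installed, and uses the thread's server name JERRY only as a placeholder.

```powershell
# Added example: report whether a Windows DNS server resolves external names
# through configured forwarders or by walking the Internet root servers itself.
# Assumes the DnsServer module (Windows Server 2012+); JERRY is a placeholder name.
param([string]$DnsServer = 'JERRY')

Import-Module DnsServer

# Forwarders: explicit upstream resolvers that receive every query the server
# cannot answer from its own zones or cache.
$fwd = Get-DnsServerForwarder -ComputerName $DnsServer

# Root hints: the pre-populated list of Internet root servers used when no
# forwarder is configured (or, optionally, when the forwarders do not respond).
$roots = Get-DnsServerRootHint -ComputerName $DnsServer

if ($fwd.IPAddress) {
    Write-Host "Forwarding is ON. Upstream resolvers:"
    $fwd.IPAddress | ForEach-Object { Write-Host "  $_" }
    if ($fwd.UseRootHint) {
        Write-Host "Root hints are used as a fallback if the forwarders fail."
    } else {
        Write-Host "Root hints are NOT used; all external lookups go to the forwarders."
    }
} else {
    # No forwarders: the server performs full iterative resolution (root -> TLD ->
    # authoritative server), so every uncached name costs several WAN round trips.
    Write-Host "No forwarders configured: this server recurses via root hints."
    Write-Host ("Root hint entries: {0}" -f ($roots | Measure-Object).Count)
    $roots | Format-Table -AutoSize
}

# Counters showing how much recursive (outbound) work the server is doing;
# a large recursion count relative to queries points at heavy WAN DNS traffic.
Get-DnsServerStatistics -ComputerName $DnsServer |
    Select-Object -ExpandProperty RecursionStatistics
```

If the server is recursing via root hints, pointing it at a nearby caching resolver (for example the ISP's) as a forwarder lets that resolver's cache absorb much of the repeated lookup traffic that would otherwise cross the WAN from the DC.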
