Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 754
  • Last Modified:

DNS firewall rule generating a lot of WAN traffic

Why is the DNS firewall rule generating a lot of WAN traffic on a FortiGate 110c Firewall?

Our DC/DNS/DHCP Server is named JERRY and this is the server that's always the top talker.
The Firewall rule that always is identified is the DNS rule - Rule 27

Can anyone please offer any suggestions or possible adjustments I can make to reduce this load on the WAN thereby freeing it up for other WAN applications?

Thanks
WAN-Info.docx
0
amanadili
Asked:
amanadili
  • 3
  • 2
1 Solution
 
rhandelsCommented:
First off, what traffic do you see generated?? Second, what does the rule state, allow this traffic or disallow this traffic??
You should keep in mind that TCP has a lot of overhead in it's communication.. Also, every DNS request that a normal client does goes to your DC/DNS server in the domain.. This server will forward all this traffic to internet root servers.. Also, All clients trying to connect to your DC send packages to your DC, the DC always has to reply to those machines and a lot of times it will do a broadcast to the entire domain which you will see on your fortigate.

What i normally did on a firewall generating a lot of noncense logs is to create a rule that will allow this type of traffic (which in a lot of cases is simple overhead) and not log it. This way you can at least keep your log clean..
0
 
amanadiliAuthor Commented:
My knowledge of DNS is in its early stages.
What type of traffic am I supposed to be seeing? I thought the screen dump in the attachment would be the type of information you're after.
The DNS rule states ALLOW all traffic.

Could it be that the DNS needs configuring/re-configuring?
I am not an expert on DNS servers but these ones don't look too healthly.

What do you think?

Could there be some sort of DNS loop in our network creating unnecessary traffic?

DNS-Screen-Dumps.docx
0
 
rhandelsCommented:
I don;t see anything strange to be honest...
Are you using DNS forwarding to external DNS servers for resolvance?? This being the 205.203.131.117??
Normally this is waht happens.. Your clients want to go to the internet, they send a request to your DNS server (which in most cases is your DHCP server), this DNS server will send a request to the internet for the resolvance of the ip address..  

E.g. You would like to go to www.google.com.. Then your server goes to the internet root server asking for the authorative DNS srver for google com.. Then, if your server receives that ip address, it will ask the authoritice DNS server of google for an ip address of a server it can connect to.

As you can see, a lot of DNS traffic will be generated originating from your DC.. Tbh i don;t see anything strange in the logging you send..
0
 
amanadiliAuthor Commented:
Thanks for your feedback.
One final question...
How do I tell if DNS forwarding to external DNS servers is being used?

Thanks
0
 
rhandelsCommented:
Hi,

Unfortenately i don;t have a DNS console in front of me now but all Microsoft DNS servers have root DNS servers set up. These are about 10 to 15 DNS root servers on the internet, if you don;t delete them and don;t configure some extra settings within your Microsoft DNS server it will use these root hint DNS servers.

Also a good way of telling this is if your computer has your internal DNS as it;s DNS server and you are able to browse external website. Because if you browse the internet, your DNS server needs to query external DNS servers for resolvance..
0

Featured Post

Lessons on Wi-Fi & Recommendations on KRACK

Simplicity and security can be a difficult  balance for any business to tackle. Join us on December 6th for a look at your company's biggest security gap. We will also address the most recent attack, "KRACK" and provide recommendations on how to secure your Wi-Fi network today!

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now