Solved

DNS port 53 listed as bittorrent in firewall

Posted on 2010-09-02
1,123 Views
Last Modified: 2012-08-13
Our Fortigate Firewall occasionally lists port 53 (DNS) as bittorrent and, due to rules, blocks it, thus shutting down internet access.  Any thoughts on how this is happening?  The problem came and left mysteriously, then just came back again.  Fortinet has yet to reply to my question.  Thanks
Question by:mwpai
7 Comments
 
LVL 6
Accepted Solution by: siht (earned 125 total points)
ID: 33593321
Is one of your users using bittorrent on the sly?
Most bittorrent clients allow you to set the ports they use; perhaps a user has set a bittorrent client to use port 53, but your firewall is smart enough to recognise the protocol.

That would explain the on and off nature of the issue.
 
LVL 6
Assisted Solution by: Nuttycomputer (earned 125 total points)
ID: 33593335
As siht said, if your firewall rules are based on stateful inspection of the application layer (L7), then this port will occasionally be blocked for several reasons.

One is, as siht stated, that the user has purposefully set their torrent client to use port 53, but more likely it's because most torrent applications DO use port 53 to resolve names of trackers. I would recommend putting a rule at the top of your firewall list to explicitly allow DNS traffic so that the rule is processed before the bittorrent one.
 
LVL 2
Assisted Solution by: fs40490 (earned 125 total points)
ID: 33593374
Fortigates are application-aware firewalls, and many application-aware firewalls will block traffic that is not supposed to be passing on proxied ports.  It sounds like the firewall actually is blocking all port 53 traffic, which does not sound as though it is the correct action for the firewall to take.  If it is truly blocking traffic dynamically, it should only block the traffic that is violating the policies while allowing other traffic to flow.

NuttyComputer, does the Fortigate process rules from top to bottom, or does it conduct a best match with regards to rules?  If it processes top to bottom, I agree that it will probably work putting an explicit rule at the top, and I would not enable all of the extra checks.

If you have an internal DNS server that all of the clients point to, you should set up a rule that only accepts DNS from your internal DNS as an extra precaution.

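The mechanism siht and Nuttycomputer describe (the firewall classifying the protocol regardless of port, and the policy order deciding which rule wins), together with fs40490's advice to accept DNS only from the internal resolver, as an added worked example. This is illustration code written for this page, not FortiGate's engine or configuration: the uTP heuristic, the "signatures before parse" ordering and the policy table are assumptions chosen to show how a well-formed DNS query can intermittently be tagged as BitTorrent, and how an explicit DNS policy placed above the application-control policy changes the outcome. All datagrams and policies are constructed.

```python
"""Added illustration (not FortiGate code): port-independent classification
of UDP port-53 datagrams, and first-match policy evaluation with an explicit
DNS policy placed above the application-control policy.  All constructed."""
import struct

BT_HANDSHAKE = b"\x13BitTorrent protocol"      # pstrlen=19 + protocol string


def _skip_name(buf: bytes, off: int):
    """Advance past a wire-format domain name; None if malformed."""
    total = 0
    while off < len(buf):
        ln = buf[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:                   # compression pointer ends the name
            return off + 2 if off + 2 <= len(buf) else None
        if ln > 63 or total + ln + 1 > 255:     # label and name length limits
            return None
        total += ln + 1
        off += 1 + ln
    return None


def dns_message_ok(payload: bytes) -> bool:
    """Structural check: valid header plus QDCOUNT well-formed questions."""
    if len(payload) < 12:
        return False
    _txid, flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    if (flags >> 11) & 0xF > 5:                 # opcodes 6..15 are unassigned
        return False
    if qd == 0 and not flags & 0x8000:          # a query must carry a question
        return False
    off = 12
    for _ in range(qd):
        off = _skip_name(payload, off)
        if off is None or off + 4 > len(payload):
            return False
        _qtype, qclass = struct.unpack("!HH", payload[off:off + 4])
        if qclass not in (1, 3, 4, 254, 255):   # IN, CH, HS, NONE, ANY
            return False
        off += 4
    return True


def looks_like_bittorrent(payload: bytes) -> bool:
    """Two exact signatures plus a loose uTP header heuristic (byte 0: type
    nibble 0..4, version nibble 1).  The heuristic matches about 2% of random
    first bytes, which is how a DNS transaction ID can trip it (assumption)."""
    if payload.startswith(BT_HANDSHAKE):                               # peer handshake
        return True
    if payload[:1] == b"d" and payload[-1:] == b"e" and b"1:y1:" in payload:
        return True                                                    # bencoded DHT (KRPC)
    return len(payload) >= 20 and payload[0] & 0x0F == 1 and payload[0] >> 4 <= 4


def classify(payload: bytes, signatures_first: bool) -> str:
    """Order matters: consulting the loosely matched protocol before the one
    that can be fully parsed yields intermittent false positives."""
    checks = [("bittorrent", looks_like_bittorrent), ("dns", dns_message_ok)]
    if not signatures_first:
        checks.reverse()
    for label, fn in checks:
        if fn(payload):
            return label
    return "unknown"


def dns_query(txid: int, name: str = "example.com") -> bytes:
    """Constructed recursive A query; the transaction ID is chosen by the caller."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + b"\x00\x01\x00\x01"


# Top-down, first-match policy table (assumed model).  A policy is
# (src, service, app_control): src "dns-servers" is the internal resolver's
# address object, "all" is any host; app_control True means the profile that
# blocks bittorrent applies to traffic matched by that policy.
def evaluate(policies, src: str, dport: int, payload: bytes, signatures_first=True) -> str:
    for psrc, service, app_control in policies:
        if psrc not in ("all", src):
            continue
        if service == "DNS" and dport != 53:
            continue
        if app_control and classify(payload, signatures_first) == "bittorrent":
            return "blocked"
        return "accepted"
    return "denied"                                 # implicit deny at the end


DNS_FIRST = [("dns-servers", "DNS", False), ("all", "ALL", True)]
APP_FIRST = [("all", "ALL", True), ("dns-servers", "DNS", False)]

if __name__ == "__main__":
    unlucky = dns_query(0x21A7)                     # byte 0 = 0x21: uTP type 2, version 1
    dht_ping = b"d1:ad2:id20:ABCDEFGHIJ0123456789e1:q4:ping1:t2:aa1:y1:qe"
    for name, src, pl in [("resolver query", "dns-servers", unlucky),
                          ("client DHT ping", "client", dht_ping)]:
        print(f"{name:16} app-control first: {evaluate(APP_FIRST, src, 53, pl)},"
              f"  DNS policy first: {evaluate(DNS_FIRST, src, 53, pl)}")
```

With the application-control policy on top, the resolver's query whose transaction ID happens to start with 0x21 is blocked while an identical query with another ID passes, which is the intermittent behaviour in the question. With the DNS policy above it and restricted to the resolver's address, that query is accepted, and a client sending a DHT ping on port 53 still falls through to the application-control policy and is blocked. The caveat from the thread stands: if the engine tags the flow before the policy lookup rather than per policy, the ordering alone does not help.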

Author Comment by: mwpai
ID: 33593430
Thank you all for the insight.  I suspect the Fortigate is learning the application as suggested by all, and I have tried the rule positioning as well; for some reason, once the Fortigate labels port 53 as bittorrent instead of DNS, it ignores the pass DNS rule.  My workaround is to open or pass bittorrent until I find the student smarter than me....  ;)

 
LVL 4
Assisted Solution by: Whiterat (earned 125 total points)
ID: 33651250
Hi mwpai,

Is everyone using the same DNS servers?

If so try placing a policy above it with access to just those servers with the service set to DNS.

Since Fortigates work top to bottom, it should hit it earlier in the chain than the application filtering policy.

Thanks,
 
LVL 4
Expert Comment by: Whiterat
ID: 33651257
Or edit the App control list and add DNS as pass above the one to block bittorrent.
 
Author Closing Comment by: mwpai
ID: 33770600
All expert advice was easily understood; however, it did not work as intended.  Fortinet suggests I do an upgrade, with which the problem may be resolved.  I feel that the system is doing what it is designed to do: learn and adapt to changes that can degrade a system.  It is a case of someone staying ahead of the firewall.  What happens when users start using port 80 for programs?  Will firewalls shut down everything?  It looks that way....  Thanks for the help, everyone!