Solved

DNS port 53 listed as bittorrent in firewall

Posted on 2010-09-02
7
1,103 Views
Last Modified: 2012-08-13
Our Fotigate Firewall occasionally lists the port 53 (dns) as bittorrent and due to rules blocks it. Thus shutting down internet access.  Any thoughts on how this is happening The problem came and left mistriously then just came back again.  Fortinet has yet to reply to my guestion.  thanks
0
Comment
Question by:mwpai
7 Comments
 
LVL 6

Accepted Solution

by:
siht earned 125 total points
ID: 33593321
Is one of your users using bitorrent on the sly?
Most bittorrent clients allow you to set the ports it uses, perhaps a user has set a bittorrent client to use pore 53 but your firewall is smart enough to recognise the protocol.

That would explain the on and off nature of the issue.
0
 
LVL 6

Assisted Solution

by:Nuttycomputer
Nuttycomputer earned 125 total points
ID: 33593335
As siht said if your firewall rules are based on stateful inspection of the application layer (L7) then this port will occasionally be blocked for several reasons.

One is if as siht stated the user has purposefully set their torrent client to use port 53 but more likely it's because most torrent applications DO use port 53 to resolve names of trackers. I would recommend putting a rule at the top of your firewall list to explicitly allow DNS traffic so that the rule is processed before the bittorrent one.
0
 
LVL 2

Assisted Solution

by:fs40490
fs40490 earned 125 total points
ID: 33593374
Fortigates are application aware firewalls and many of the application aware firewalls will block traffic that is not supposed to be passing on proxied ports.  It sounds like the firewall actually is blocking all 53 traffic which dies not sound as though it is the correct action for the firewall to take.  If it is truly blocking traffic dynamically it should only block the traffic that is violating the policies while allowing other traffic to flow.

NuttyComputer does the Fortigate process rules from top to bottom or do they conduct a best match with regards to rules?  If they process top to bottom I agree that it will probably work putting an explicit rule at the top and I would not enable all of the extra checks.

If you have an internal DNS server that all of the clients point to, you should set up a rule that only accepts DNS from your internal DNS as an extra precaution.

0
Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

 

Author Comment

by:mwpai
ID: 33593430
Thank you all for the insight.  I suspct the fortigate is learning application as suggested by all and have tried the rule positioning as well for some reason once te fortigate labels the port 53 as bitorrent instead of dns it ignore the pass dns rule..  my work around is open or pass bittorent until i find the student smarter than me....  ;)

0
 
LVL 4

Assisted Solution

by:Whiterat
Whiterat earned 125 total points
ID: 33651250
Hi mwpai,

Is everyone using the same DNS servers?

If so try placing a policy above it with access to just those servers with the service set to DNS.

Since Fortigates work top to bottom it should it it earlier in the chain than the application filtering policy.

Thanks,
0
 
LVL 4

Expert Comment

by:Whiterat
ID: 33651257
Or edit the App control list and add DNS as pass above the one to block bittorrent.
0
 

Author Closing Comment

by:mwpai
ID: 33770600
All expert advise was easily understood however they did not work as intended. Fortinet suggest i do an upgrade to which the problem may be resolved. I feel that the system is doig what it is designed to do, learn and adapt to changes that can degrade a system.  It is a case of someone staying ahead of the firewall.  What happens when users start using port 80 for programs? Will firewalls shut down everything?  It lookd that way....Thanks for the help, everyone!...
0

Featured Post

Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

Join & Write a Comment

Most DNS problems are VERY easily troubleshot and identifiable if you can follow the steps a DNS query takes. I would like to share the step-by-step a DNS query takes from the origin to the destination. _____________________________________________…
I wrote this article to explain some important DNS concepts that should be known to avoid some typical configuration errors I often see in forums. I assume that what is described here is the typical behavior of Microsoft DNS client. I don't know …
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
This video explains how to create simple products associated to Magento configurable product and offers fast way of their generation with Store Manager for Magento tool.

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now