Solved

DNS port 53 listed as bittorrent in firewall

Posted on 2010-09-02
7
1,130 Views
Last Modified: 2012-08-13
Our Fotigate Firewall occasionally lists the port 53 (dns) as bittorrent and due to rules blocks it. Thus shutting down internet access.  Any thoughts on how this is happening The problem came and left mistriously then just came back again.  Fortinet has yet to reply to my guestion.  thanks
0
Comment
Question by:mwpai
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 6

Accepted Solution

by:
siht earned 125 total points
ID: 33593321
Is one of your users using bitorrent on the sly?
Most bittorrent clients allow you to set the ports it uses, perhaps a user has set a bittorrent client to use pore 53 but your firewall is smart enough to recognise the protocol.

That would explain the on and off nature of the issue.
0
 
LVL 6

Assisted Solution

by:Nuttycomputer
Nuttycomputer earned 125 total points
ID: 33593335
As siht said if your firewall rules are based on stateful inspection of the application layer (L7) then this port will occasionally be blocked for several reasons.

One is if as siht stated the user has purposefully set their torrent client to use port 53 but more likely it's because most torrent applications DO use port 53 to resolve names of trackers. I would recommend putting a rule at the top of your firewall list to explicitly allow DNS traffic so that the rule is processed before the bittorrent one.
0
 
LVL 2

Assisted Solution

by:fs40490
fs40490 earned 125 total points
ID: 33593374
Fortigates are application aware firewalls and many of the application aware firewalls will block traffic that is not supposed to be passing on proxied ports.  It sounds like the firewall actually is blocking all 53 traffic which dies not sound as though it is the correct action for the firewall to take.  If it is truly blocking traffic dynamically it should only block the traffic that is violating the policies while allowing other traffic to flow.

NuttyComputer does the Fortigate process rules from top to bottom or do they conduct a best match with regards to rules?  If they process top to bottom I agree that it will probably work putting an explicit rule at the top and I would not enable all of the extra checks.

If you have an internal DNS server that all of the clients point to, you should set up a rule that only accepts DNS from your internal DNS as an extra precaution.

0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:mwpai
ID: 33593430
Thank you all for the insight.  I suspct the fortigate is learning application as suggested by all and have tried the rule positioning as well for some reason once te fortigate labels the port 53 as bitorrent instead of dns it ignore the pass dns rule..  my work around is open or pass bittorent until i find the student smarter than me....  ;)

0
 
LVL 4

Assisted Solution

by:Whiterat
Whiterat earned 125 total points
ID: 33651250
Hi mwpai,

Is everyone using the same DNS servers?

If so try placing a policy above it with access to just those servers with the service set to DNS.

Since Fortigates work top to bottom it should it it earlier in the chain than the application filtering policy.

Thanks,
0
 
LVL 4

Expert Comment

by:Whiterat
ID: 33651257
Or edit the App control list and add DNS as pass above the one to block bittorrent.
0
 

Author Closing Comment

by:mwpai
ID: 33770600
All expert advise was easily understood however they did not work as intended. Fortinet suggest i do an upgrade to which the problem may be resolved. I feel that the system is doig what it is designed to do, learn and adapt to changes that can degrade a system.  It is a case of someone staying ahead of the firewall.  What happens when users start using port 80 for programs? Will firewalls shut down everything?  It lookd that way....Thanks for the help, everyone!...
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Add or change DNS server address used by OpenVPN software 5 54
Exchange 2010 Autodiscover for iOS devices 4 72
DNS Config for External Mail 3 30
Company website 6 50
This article explains how a domain name may be inadvertently appended to all DNS queries. This exhibits as described below. (CODE)And / Or: (CODE) Cause This issue can occur in either of these two scenarios. EITHER 1. A Primary DNS S…
There have been a lot of times when we have seen the need to enter a large number of DNS entries in a forward lookup zone. The standard procedure would be to launch the DNS Manager console, create the Zone and start adding new hosts using the New…
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question