Solved

DNS port 53 listed as bittorrent in firewall

Posted on 2010-09-02
7
1,141 Views
Last Modified: 2012-08-13
Our Fortigate Firewall occasionally lists the port 53 (dns) as bittorrent and due to rules blocks it, thus shutting down internet access.  Any thoughts on how this is happening? The problem came and left mysteriously, then just came back again.  Fortinet has yet to reply to my question.  thanks
0
Question by:Bill Doherty
7 Comments
 
LVL 6

Accepted Solution

by:
siht earned 125 total points
ID: 33593321
Is one of your users using bittorrent on the sly?
Most bittorrent clients allow you to set the ports they use; perhaps a user has set a bittorrent client to use port 53, but your firewall is smart enough to recognise the protocol.

That would explain the on and off nature of the issue.
0
 
LVL 6

Assisted Solution

by:Nuttycomputer
Nuttycomputer earned 125 total points
ID: 33593335
As siht said, if your firewall rules are based on stateful inspection of the application layer (L7), then this port will occasionally be blocked for several reasons.

One is if, as siht stated, the user has purposefully set their torrent client to use port 53, but more likely it's because most torrent applications DO use port 53 to resolve names of trackers. I would recommend putting a rule at the top of your firewall list to explicitly allow DNS traffic so that the rule is processed before the bittorrent one.
0
 
LVL 2

Assisted Solution

by:fs40490
fs40490 earned 125 total points
ID: 33593374
Fortigates are application aware firewalls, and many of the application aware firewalls will block traffic that is not supposed to be passing on proxied ports.  It sounds like the firewall actually is blocking all port 53 traffic, which does not sound as though it is the correct action for the firewall to take.  If it is truly blocking traffic dynamically, it should only block the traffic that is violating the policies while allowing other traffic to flow.

NuttyComputer does the Fortigate process rules from top to bottom or do they conduct a best match with regards to rules?  If they process top to bottom I agree that it will probably work putting an explicit rule at the top and I would not enable all of the extra checks.

If you have an internal DNS server that all of the clients point to, you should set up a rule that only accepts DNS from your internal DNS as an extra precaution.

0
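To illustrate the two points raised by Nuttycomputer (rules are processed top to bottom, so the explicit DNS policy must sit above the application-control policy) and by fs40490 (only accept DNS that goes to the internal resolver), here is an added example that is not from the thread and is not FortiGate code. It models a simplified first-match policy table; the resolver address, the sample flows and the classifier labels are all constructed.

```python
"""First-match policy ordering for the DNS-vs-bittorrent misclassification.

Added example, not from the thread. Rules are evaluated top to bottom and the
first match wins. Each flow carries both its destination port and the label the
application classifier assigned, so a DNS flow the classifier has mislabelled
as "bittorrent" can be tested against both rule orderings.
"""
from dataclasses import dataclass

INTERNAL_DNS = {"10.0.0.53"}  # constructed: the site's internal resolver


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    app: str  # label from the application classifier; may be wrong


def match_dns_to_internal(f): return f.dport == 53 and f.dst in INTERNAL_DNS
def match_app_bittorrent(f): return f.app == "bittorrent"
def match_any(f): return True


# Policy tables as (rule name, predicate, action), top to bottom.
APPCONTROL_FIRST = [  # the ordering that produced the outage
    ("block-bittorrent", match_app_bittorrent, "deny"),
    ("allow-dns-internal", match_dns_to_internal, "accept"),
    ("default-deny", match_any, "deny"),
]
DNS_FIRST = [  # explicit DNS policy placed above the app-control policy
    ("allow-dns-internal", match_dns_to_internal, "accept"),
    ("block-bittorrent", match_app_bittorrent, "deny"),
    ("default-deny", match_any, "deny"),
]

# Constructed sample flows: a normal lookup, a lookup the classifier has
# mislabelled, and a client talking on port 53 to something that is not a resolver.
SAMPLE_FLOWS = [
    Flow("10.0.1.20", "10.0.0.53", 53, "dns"),
    Flow("10.0.1.21", "10.0.0.53", 53, "bittorrent"),
    Flow("10.0.1.22", "203.0.113.9", 53, "bittorrent"),
]


def evaluate(policy, flow):
    """Return (rule name, action) of the first rule that matches the flow."""
    for name, pred, action in policy:
        if pred(flow):
            return name, action
    raise AssertionError("policy table has no catch-all rule")


def port53_outside_resolver(flows):
    """Port-53 flows that bypass the internal resolver: the ones worth a look."""
    return [f for f in flows if f.dport == 53 and f.dst not in INTERNAL_DNS]
```

With the DNS rule on top, the mislabelled lookup to the internal resolver is accepted while port-53 traffic to arbitrary hosts is still denied, which is where a torrent client pinned to port 53 would show up.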

Author Comment

by:Bill Doherty
ID: 33593430
Thank you all for the insight.  I suspect the fortigate is learning applications as suggested by all and have tried the rule positioning as well; for some reason, once the fortigate labels the port 53 as bittorrent instead of dns it ignores the pass dns rule.  My workaround is to open or pass bittorrent until I find the student smarter than me....  ;)

0
 
LVL 4

Assisted Solution

by:Whiterat
Whiterat earned 125 total points
ID: 33651250
Hi mwpai,

Is everyone using the same DNS servers?

If so try placing a policy above it with access to just those servers with the service set to DNS.

Since Fortigates work top to bottom, it should hit it earlier in the chain than the application filtering policy.

Thanks,
0
 
LVL 4

Expert Comment

by:Whiterat
ID: 33651257
Or edit the App control list and add DNS as pass above the one to block bittorrent.
0
 

Author Closing Comment

by:Bill Doherty
ID: 33770600
All expert advice was easily understood; however, it did not work as intended. Fortinet suggests I do an upgrade, with which the problem may be resolved. I feel that the system is doing what it is designed to do: learn and adapt to changes that can degrade a system.  It is a case of someone staying ahead of the firewall.  What happens when users start using port 80 for programs? Will firewalls shut down everything?  It looks that way....Thanks for the help, everyone!...
0
