Mis-Categorisation of DNS Requests

Posted by ISOffice (New Member), December 19, 2016. Solved. 2 replies, 13773 views.

Setup = 2 X FortiGate 100D Hardware Appliances (Active Passive) v5.2.8, build 727. NAT Mode.

Hi all,

We are experiencing a strange situation here and I was wondering if anyone had experienced something similar.

We are seeing entries in traffic logs which indicate DNS requests being made to the online FortiNet DNS Servers (208.91.112.53 & 208.91.112.52) from network clients. Nothing unusual there, but the Application Name being returned in the log entries is not DNS, as expected, but WhatsApp & WhatsApp_File.Transfer.

Has anyone any suggestion as to why these DNS requests are being mis-classified in this way?

Many thanks,

John P

ede_pfau (SuperUser) - Answer
December 19, 2016

Not seen this before but you should open a ticket with Support so that the FortiGuard team is notified.

ISOffice (Author, New Member)
December 19, 2016

Many thanks ede_pfau,

I will bear that in mind and will post any answers that FortiNet supply.

Best regards,

John P

SCSIraidGURU
New Member
December 19, 2016

On my 60E, DNS throws IP Connection errors and other errors in the logs. I think that the Fortigate IOS has problems properly resolving DNS inbound packets. I have a ticket open.

ISOffice (Author, New Member)
December 19, 2016

Hi SC,

Thank you for your contribution. I'm not seeing any errors as such in the logs, just a mis-categorisation of the application carrying out DNS requests. I also have a ticket open with FortiNet Support. Will post any developments.

Best regards,

John P

ISOffice (Author, New Member)
December 20, 2016

Hi all,

To demonstrate the issue we are having, here are extracts from Application Control & Traffic Logs showing requests from the same source IP (trust me, they are all from the same source IP) to the same destination IP on port 53. However, they are categorised differently:

Application Control Log

itime=1482176396 date=2016-12-19 time=19:39:56 devname=Fortigate-B23 devid=FG100Dxxxxxxxxxx logid=1059028704 type=utm subtype=app-ctrl eventtype=app-ctrl-all level=information vd="root" appid=28057 user="" srcip=XX.XX.XX.XX srcport=60631 srcintf="Wireless_Priv" dstip=208.91.112.53 dstport=53 dstintf="wan1" proto=17 service="NIA-PrivateServices" policyid=7 sessionid=263863845 applist="AppControlPrivate" appcat="Collaboration" app="WhatsApp" action=pass msg="Collaboration: WhatsApp," apprisk=elevated

itime=1482176913 date=2016-12-19 time=19:48:33 devname=Fortigate-B23 devid=FG100Dxxxxxxxxxx logid=1059028704 type=utm subtype=app-ctrl eventtype=app-ctrl-all level=information vd="root" appid=16195 user="" srcip=XX.XX.XX.XX srcport=53728 srcintf="Wireless_Priv" dstip=208.91.112.53 dstport=53 dstintf="wan1" proto=17 service="NIA-PrivateServices" policyid=7 sessionid=263866472 applist="AppControlPrivate" appcat="Network.Service" app="DNS" action=pass msg="Network.Service: DNS," apprisk=elevated

Traffic Log

itime=1482176578 date=2016-12-19 time=19:42:58 devname=Fortigate-B23 devid=FG100Dxxxxxxxxxx logid=0000000013 type=traffic subtype=forward level=notice vd=root srcip=XX.XX.XX.XX srcport=60631 srcintf="Wireless_Priv" dstip=208.91.112.53 dstport=53 dstintf="wan1" poluuid=70966c68-5552-51e4-c995-1d5a53690c73 sessionid=263863845 proto=17 action=accept policyid=7 dstcountry="Canada" srccountry="Reserved" trandisp=snat transip=XX.XX.XX.XX transport=60631 service="NIA-PrivateServices" appid=28057 app="WhatsApp" appcat="Collaboration" apprisk=elevated applist="AppControlPrivate" appact=detected duration=181 sentbyte=61 rcvdbyte=336 sentpkt=1 rcvdpkt=1 utmaction=allow countapp=1

itime=1482177094 date=2016-12-19 time=19:51:34 devname=Fortigate-B23 devid=FG100Dxxxxxxxxxx logid=0000000013 type=traffic subtype=forward level=notice vd=root srcip=XX.XX.XX.XX srcport=60074 srcintf="Wireless_Priv" dstip=208.91.112.53 dstport=53 dstintf="wan1" poluuid=70966c68-5552-51e4-c995-1d5a53690c73 sessionid=263866471 proto=17 action=accept policyid=7 dstcountry="Canada" srccountry="Reserved" trandisp=snat transip=XX.XX.XX.XX transport=60074 service="NIA-PrivateServices" appid=16195 app="DNS" appcat="Network.Service" apprisk=elevated applist="AppControlPrivate" appact=detected duration=181 sentbyte=84 rcvdbyte=485 sentpkt=1 rcvdpkt=1 utmaction=allow countapp=1

I'm awaiting word back from FortiNet Support. Will post any developments.

Many thanks, John P
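To make the side-by-side comparison in the post above mechanical rather than by eye, here is an added example (not from the post, not Fortinet's code) that parses the FortiGate key=value log format and flags UDP/53 entries whose app field is anything other than DNS, then groups the labels seen per sessionid so an app-ctrl entry and its matching traffic entry can be compared. The sample lines are abridged copies of the four entries quoted above, constructed as input here, with the source IP masked as in the original.

```python
import re
from collections import defaultdict

# Matches key=value pairs; a value is either a double-quoted string (which may
# contain spaces and commas, e.g. msg="Collaboration: WhatsApp,") or a bare token.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_fortigate_log(line):
    """Turn one FortiGate key=value log line into a dict of string fields."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV.finditer(line)}

def find_mislabelled_dns(lines, expected_app="DNS"):
    """Return (sessionid, type, app, appid) for entries that look like plain DNS
    (UDP, destination port 53) but carry an application label other than DNS."""
    hits = []
    for line in lines:
        f = parse_fortigate_log(line)
        if f.get("proto") == "17" and f.get("dstport") == "53" \
                and f.get("app", expected_app) != expected_app:
            hits.append((f.get("sessionid"), f.get("type"), f["app"], f.get("appid")))
    return hits

def apps_by_session(lines):
    """Group the application labels seen per sessionid across both log types, so
    the app-ctrl entry and the traffic entry of one session can be compared."""
    seen = defaultdict(set)
    for line in lines:
        f = parse_fortigate_log(line)
        if "sessionid" in f and "app" in f:
            seen[f["sessionid"]].add(f["app"])
    return dict(seen)

# Constructed sample input: abridged copies of the four entries quoted in the post,
# srcip masked as in the original.
SAMPLE_LOGS = [
    'itime=1482176396 date=2016-12-19 time=19:39:56 type=utm subtype=app-ctrl appid=28057 srcip=XX.XX.XX.XX srcport=60631 dstip=208.91.112.53 dstport=53 proto=17 sessionid=263863845 appcat="Collaboration" app="WhatsApp" action=pass msg="Collaboration: WhatsApp," apprisk=elevated',
    'itime=1482176913 date=2016-12-19 time=19:48:33 type=utm subtype=app-ctrl appid=16195 srcip=XX.XX.XX.XX srcport=53728 dstip=208.91.112.53 dstport=53 proto=17 sessionid=263866472 appcat="Network.Service" app="DNS" action=pass msg="Network.Service: DNS," apprisk=elevated',
    'itime=1482176578 date=2016-12-19 time=19:42:58 type=traffic subtype=forward srcip=XX.XX.XX.XX srcport=60631 dstip=208.91.112.53 dstport=53 sessionid=263863845 proto=17 action=accept appid=28057 app="WhatsApp" appcat="Collaboration" sentbyte=61 rcvdbyte=336',
    'itime=1482177094 date=2016-12-19 time=19:51:34 type=traffic subtype=forward srcip=XX.XX.XX.XX srcport=60074 dstip=208.91.112.53 dstport=53 sessionid=263866471 proto=17 action=accept appid=16195 app="DNS" appcat="Network.Service" sentbyte=84 rcvdbyte=485',
]

if __name__ == "__main__":
    for hit in find_mislabelled_dns(SAMPLE_LOGS):
        print("session %s (%s log) tagged as %s (appid %s) instead of DNS" % hit)
```

Run against a full log export, the same check gives a count of affected sessions to attach to the support ticket, and the per-session grouping shows whether the app-ctrl and traffic logs disagree with each other or merely both carry the wrong label.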