Description
This article describes a situation in which FortiOS groups two DNS queries into the same traffic log entry when DNS Filter is in use.
Scope
FortiOS.
Solution
In this case, the host is sending two DNS queries over the same session.
It sends one query for outlook.com and one for devcisco.com (a malicious domain) from the same source port, within a short period of time.
Example using a packet capture:
Frame 9997: 72 bytes on wire (576 bits), 72 bytes captured (576 bits)
Encapsulation type: Ethernet (1)
Arrival Time: Dec 15, 2023 10:22:41.933096000 GMT Standard Time
Ethernet II, Src: 1a:c4:41:39:50:12 (1a:c4:41:39:50:12), Dst: Fortinet_09:00:06 (00:09:0f:09:00:06)
Internet Protocol Version 4, Src: 192.168.123.123, Dst: 8.8.8.8
User Datagram Protocol, Src Port: 22833, Dst Port: 53
Source Port: 22833
Destination Port: 53
Length: 38
Checksum: 0xe0bd [unverified]
[Checksum Status: Unverified]
[Stream index: 6]
[Timestamps]
UDP payload (30 bytes)
Domain Name System (query)
Transaction ID: 0x0abe
Flags: 0x0100 Standard query
Questions: 1
Answer RRs: 0
Authority RRs: 0
Additional RRs: 0
Queries
devcisco.com: type A, class IN
[Response In: 10001]
Frame 9877: 82 bytes on wire (656 bits), 82 bytes captured (656 bits)
Encapsulation type: Ethernet (1)
Arrival Time: Dec 15, 2023 10:22:32.348831000 GMT Standard Time
Ethernet II, Src: 1a:c4:41:39:50:12 (1a:c4:41:39:50:12), Dst: Fortinet_09:00:06 (00:09:0f:09:00:06)
Internet Protocol Version 4, Src: 192.168.123.123, Dst: 8.8.8.8
User Datagram Protocol, Src Port: 22833, Dst Port: 53
Source Port: 22833
Destination Port: 53
Length: 48
Checksum: 0xa9ce [unverified]
[Checksum Status: Unverified]
[Stream index: 6]
[Timestamps]
UDP payload (40 bytes)
Domain Name System (query)
Transaction ID: 0x0aa4
Flags: 0x0100 Standard query
Questions: 1
Answer RRs: 0
Authority RRs: 0
Additional RRs: 0
Queries
protection.outlook.com: type AAAA, class IN
[Response In: 9878]
For frame 9877, the reply came from 8.8.8.8 in frame 9878 (not blocked); for frame 9997, the answer in frame 10001 came from FortiGuard (blocked).
Answers
devcisco.com: type A, class IN, addr 208.91.112.55
Name: devcisco.com
Type: A (Host Address) (1)
It is possible to see that the host is sending two different queries from the same source port, 22833, just 9 seconds apart.
Because the 5-tuple is unchanged and the first session has not yet expired, the second query matches the same session on the FortiGate, so both queries are recorded in the same traffic log event.
In the FortiOS Log View, this log appears as 'blocked' because the traffic log always records the 'utmaction' field with the most severe UTM action when multiple UTM events occur on the same session.
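To illustrate the session matching described above, the following added Python example (not Fortinet code) groups DNS queries by their UDP 5-tuple, keeps reusing a session while it is not idle, and reports the session's utmaction as the most severe verdict. The DNS payloads are constructed to match the two queries in the capture; the verdict labels, their ranking and the 180-second idle timeout are assumptions, not FortiOS values.

```python
import struct
from dataclasses import dataclass, field
# DNS Filter verdicts ranked for the utmaction rule (assumed order; "blocked" is the most severe).
SEVERITY = {"passthrough": 0, "redirect": 1, "blocked": 2}

def build_query(txid, qname, qtype):
    """Constructed standard query (flags 0x0100, one question, class IN) like those in the capture."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_question(payload):
    """Return (txid, qname, qtype) from the single question of a DNS query payload."""
    txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question query")
    pos, labels = 12, []
    while payload[pos]:                    # length-prefixed labels, terminated by 0x00
        labels.append(payload[pos + 1:pos + 1 + payload[pos]].decode())
        pos += 1 + payload[pos]
    return txid, ".".join(labels), struct.unpack("!H", payload[pos + 1:pos + 3])[0]

@dataclass
class Session:
    key: tuple                                    # (proto, src, sport, dst, dport)
    last: float                                   # timestamp of the last packet on the session
    queries: list = field(default_factory=list)   # (qname, action) for every query on the session
    def utmaction(self):
        # The traffic log records the most severe UTM action seen on the session.
        return max((a for _, a in self.queries), key=SEVERITY.__getitem__)

def group_sessions(packets, timeout=180.0):
    """packets: (ts, src, sport, dst, dport, payload, action); timeout is an assumed UDP idle limit."""
    sessions, open_by_key = [], {}
    for ts, src, sport, dst, dport, payload, action in sorted(packets, key=lambda p: p[0]):
        key = ("udp", src, sport, dst, dport)
        s = open_by_key.get(key)
        if s is None or ts - s.last > timeout:    # no live session for this 5-tuple: open one
            s = Session(key, ts)
            sessions.append(s)
            open_by_key[key] = s
        s.queries.append((parse_question(payload)[1], action))
        s.last = ts
    return sessions

# Constructed packets mirroring frames 9877 and 9997 (same 5-tuple, ~9.6 s apart) plus one from another source port.
PACKETS = [
    (32.348831, "192.168.123.123", 22833, "8.8.8.8", 53, build_query(0x0AA4, "protection.outlook.com", 28), "passthrough"),
    (41.933096, "192.168.123.123", 22833, "8.8.8.8", 53, build_query(0x0ABE, "devcisco.com", 1), "blocked"),
    (45.0, "192.168.123.123", 40001, "8.8.8.8", 53, build_query(0x1234, "example.com", 1), "passthrough"),
]
```

Running `group_sessions(PACKETS)` yields two sessions: the port-22833 session carries both names and reports utmaction "blocked", while the port-40001 query is its own session with "passthrough".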
Copyright 2025 Fortinet, Inc. All Rights Reserved.