- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: Mis-Categorisation of DNS Requests
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Mis-Categorisation of DNS Requests
Setup = 2 X FortiGate 100D Hardware Appliances (Active Passive) v5.2.8, build 727. NAT Mode.
Hi all,
We are experiencing a strange situation here and I was wondering if anyone had experienced something similar.
We are seeing entries in traffic logs which indicate DNS requests being made to the online FortiNet DNS Servers (208.91.112.53 & 208.91.112.52) from network clients. Nothing unusual there, but the Application Name being returned in the log entries is not DNS as expected but, WhatsApp & WhatsApp_File.Transfer.
Has anyone any suggestion as to why these DNS requests are being mis-classified in this way?
Many thanks,
John P
Solved! Go to Solution.
Labels:
- Labels:
-
5.2
2 Solutions
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not seen this before but you should open a ticket with Support so that the FortiGuard team is notified.
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
They are Proto=17 or UDP.
I am wondering what the diag traffic for dstport=53 or dnsproxy would show as the return packet. We noticed an issue with my IP Connection Error on DNS when I enabled all session logging on the interfaces.
11 REPLIES 11
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not seen this before but you should open a ticket with Support so that the FortiGuard team is notified.
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Many thanks ede_pfau,
I will bear that in mind and will post any answers that FortiNet supply.
Best regards,
John P
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
On my 60E, DNS throws IP Connection errors and other errors in the logs. I think that the Fortigate IOS has problems properly resolving DNS inbound packets. I have a ticket open.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi SC,
Thank you for your contribution. I'm not seeing any errors as such in the logs, just a mis-categorisation of the application carrying out DNS requests. I also have a ticket open with FortiNet Support. Will post any developments.
Best regards,
John P
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi all,
To demonstrate the issue we are having, here are extracts from Application Control & Traffic Logs showing requests from the same source IP (trust me, they are all from the same source IP) to the same destination IP on port 53. However, they are categorised differently: Application Control Log itime=1482176396 date=2016-12-19 time=19:39:56 devname=Fortigate-B23 devid=FG100Dxxxxxxxxxx logid=1059028704 type=utm subtype=app-ctrl eventtype=app-ctrl-all level=information vd="root" appid=28057 user="" srcip=XX.XX.XX.XX srcport=60631 srcintf="Wireless_Priv" dstip=208.91.112.53 dstport=53 dstintf="wan1" proto=17 service="NIA-PrivateServices" policyid=7 sessionid=263863845 applist="AppControlPrivate" appcat="Collaboration" app="WhatsApp" action=pass msg="Collaboration: WhatsApp," apprisk=elevated itime=1482176913 date=2016-12-19 time=19:48:33 devname=Fortigate-B23 devid=FG100Dxxxxxxxxxx logid=1059028704 type=utm subtype=app-ctrl eventtype=app-ctrl-all level=information vd="root" appid=16195 user="" srcip=XX.XX.XX.XX srcport=53728 srcintf="Wireless_Priv" dstip=208.91.112.53 dstport=53 dstintf="wan1" proto=17 service="NIA-PrivateServices" policyid=7 sessionid=263866472 applist="AppControlPrivate" appcat="Network.Service" app="DNS" action=pass msg="Network.Service: DNS," apprisk=elevated Traffic Log itime=1482176578 date=2016-12-19 time=19:42:58 devname=Fortigate-B23 devid=FG100Dxxxxxxxxxx logid=0000000013 type=traffic subtype=forward level=notice vd=root srcip=XX.XX.XX.XX srcport=60631 srcintf="Wireless_Priv" dstip=208.91.112.53 dstport=53 dstintf="wan1" poluuid=70966c68-5552-51e4-c995-1d5a53690c73 sessionid=263863845 proto=17 action=accept policyid=7 dstcountry="Canada" srccountry="Reserved" trandisp=snat transip=XX.XX.XX.XX transport=60631 service="NIA-PrivateServices" appid=28057 app="WhatsApp" appcat="Collaboration" apprisk=elevated applist="AppControlPrivate" appact=detected duration=181 sentbyte=61 rcvdbyte=336 sentpkt=1 rcvdpkt=1 utmaction=allow countapp=1 itime=1482177094 date=2016-12-19 time=19:51:34 devname=Fortigate-B23 devid=FG100Dxxxxxxxxxxlogid=0000000013 type=traffic subtype=forward level=notice vd=root srcip=XX.XX.XX.XX srcport=60074 srcintf="Wireless_Priv" dstip=208.91.112.53 dstport=53 dstintf="wan1" poluuid=70966c68-5552-51e4-c995-1d5a53690c73 sessionid=263866471 proto=17 action=accept policyid=7 dstcountry="Canada" srccountry="Reserved" trandisp=snat transip=XX.XX.XX.XX transport=60074 service="NIA-PrivateServices" appid=16195 app="DNS" appcat="Network.Service" apprisk=elevated applist="AppControlPrivate" appact=detected duration=181 sentbyte=84 rcvdbyte=485 sentpkt=1 rcvdpkt=1 utmaction=allow countapp=1 I'm awaiting word back from FortiNet Support. Will post any developments.
Many thanks, John P
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
They are Proto=17 or UDP.
I am wondering what the diag traffic for dstport=53 or dnsproxy would show as the return packet. We noticed an issue with my IP Connection Error on DNS when I enabled all session logging on the interfaces.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi All,
Just a quick update in relation to this. FortiNet Support came back to me and stated:
"DNS traffic that originates in different applications can be identified as that application (so DNS traffic from WhatsApp will be identified as WhatsApp), but it varies depending on the application and what application signatures the FortiGate knows. Also, as multiple applications can run DNS requests, you can have multiple packets on UDP port 53 that the FortiGate will interpret as different applications based on what application it originated in."
This reads to me that there is very little that can be done in relation to this issue, just have to suck it up!
John P
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I solved my IP Connection Error issue. The Windows 7 workstation was sending DNS request for two Microsoft Teredo servers. I blocked them in DNS filters. We found them doing a sniffer on port 53. diag sniffer packet any 'host xx.xx.xx.xx and port 53' 6. xx.xx.xx.xx is your wan port. Did they do a similar sniffer for you.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi SCSIraidGURU,
As far as I know they didn't carry out any sniffer testing, I just uploaded a copy of our configuration to them. My issue is that DNS requests are being mis-classified as other applications (WhatsApp, WhatsApp_File.Transfer, Sophos.Update & Opera.Turbo being the main culprits). FortiNet Support didn't offer any suggestions as to how this may be addressed, so it looks like something we'll have to live with.
Happy to hear you resolved your issue though.
Many thanks,
John P
Related Posts
- Fortigate 200E HIGH CPU USAGE -... 113 Views
- Requesting help selecting transceivers 138 Views
- Discontinuation of FCNSP ERC codes for... 138 Views
- Request for Site Access via Specific... 1056 Views
- What is the purpose of the... 216 Views
Labels
-
FortiGate
6,415 -
FortiClient
1,279 -
5.2
801 -
5.4
639 -
FortiManager
557 -
6.0
416 -
FortiAnalyzer
407 -
5.6
362 -
FortiSwitch
329 -
FortiAP
322 -
FortiClient EMS
259 -
6.2
251 -
FortiMail
238 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
148 -
6.4
128 -
FortiNAC
102 -
FortiGuard
102 -
FortiGateCloud
86 -
FortiSIEM
85 -
FortiCloud Products
81 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
IPsec
61 -
Wireless Controller
56 -
SSL-VPN
52 -
FortiProxy
43 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
37 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
30 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
FortiConverter
21 -
High Availability
20 -
Firewall policy
20 -
FortiPortal
17 -
VLAN
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
ZTNA
15 -
FortiMonitor
14 -
Certificate
14 -
FortiDDoS
13 -
FortiCASB
12 -
SAML
11 -
DNS
11 -
Routing
11 -
FortiGate v5.0
10 -
FortiRecorder
10 -
Interface
10 -
VDOM
10 -
FortiWeb v5.0
9 -
BGP
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
Logging
9 -
Traffic shaping
8 -
Virtual IP
8 -
RADIUS
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
Admin
7 -
FortiGate v4.0 MR3
7 -
4.0
7 -
Fortigate Cloud
6 -
NAT
6 -
IP address management - IPAM
6 -
SSID
5 -
Traffic shaping policy
5 -
Authentication
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiAuthenticator
5 -
Static route
5 -
FortiManager v4.0
5 -
FortiDirector
4 -
SSL SSH inspection
4 -
Security profile
4 -
WAN optimization
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
packet capture
3 -
Web application firewall profile
3 -
FortiToken Cloud
3 -
Automation
3 -
DoS policy
3 -
FortiTester
3 -
OSPF
3 -
Port policy
3 -
FortiDB
3 -
IPS signature
3 -
FortiDeceptor
2 -
FortiInsight
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
Web profile
2 -
FortiAP profile
2 -
Intrusion prevention
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
NAC policy
1 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Multicast routing
1 -
Zone
1 -
FortiManager-VM
1 -
Fabric connector
1 -
Internet Service Database
1 -
Fortinet Engage Partner Program
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.