Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
FortiAdam
Contributor II

Run DNS server or allow DNS requests to traverse security zones?

I recently helped a customer go from a completely flat network into a segmented network.  They only have one DNS server which sits on their server network.  I'm finding that over half of my sessions are related to DNS queries coming from clients on other networks trying to get to the server network.  

 

Does it make more sense for me to run a DNS server on the firewall and forward DNS queries or should I continue to let DNS traffic traverse the firewall?

 

I'm running a 300c on 5.0.7 and averaging around 15k sessions during peak usage.  In the current setup it often peaks out the CPU but memory stays around 40%.  

1 Solution
ede_pfau
Esteemed Contributor III

You could shorten DNS session life to reduce the session table size.

This will:

   1. reduce the number of DNS sessions at any time, thus reducing memory usage

   2. increase CPU load, as more build-up/tear-down action is needed

 

If you look at the session table of your FGT you will probably see DNS sessions with a life span up to 600 seconds, the default. I'd say that DNS sessions would not have to live longer than 1 minute or so.

 

You might experiment with this, in off-peak hours of course. The session lifetime is set in the CLI.


Ede

"Kernel panic: Aiee, killing interrupt handler!"

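As an added illustration of Ede's suggestion (this is not from his post, and it is not Fortinet documentation), the commands below show one way to first inspect the DNS sessions on the FortiGate CLI and then give UDP/53 sessions a shorter lifetime than the global default. The 60-second value and the entry index `1` are assumptions chosen to match the "1 minute or so" in the answer; check the exact syntax against the FortiOS release in use, as the thread is on 5.0.7.

```fortios
# Added example, not from the thread. Step 1: look at the DNS sessions and
# their remaining lifetime before changing anything. The filter is cleared
# first so no earlier filter narrows the listing.
diagnose sys session filter clear
diagnose sys session filter dport 53
diagnose sys session list

# Step 2: shorten the lifetime of UDP (protocol 17) port 53 sessions only,
# leaving every other service at the global default. The index "1" and the
# 60-second timeout are assumptions for this example.
config system session-ttl
    config port
        edit 1
            set protocol 17
            set start-port 53
            set end-port 53
            set timeout 60
        next
    end
end
```

Running the listing again after the change lets you confirm that the `expire` value of new DNS sessions now counts down from 60 rather than from the old default, and the session count should drop accordingly; as Ede says, try this in off-peak hours, since the shorter lifetime trades session-table memory for extra CPU spent on session setup and teardown.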
5 Replies
emnoc
Esteemed Contributor III

Regardless of whether it's handled by the FortiGate or sent to the DNS server, it's still a session by all means.

As far as 15K DNS sessions per peak hour, that seems odd.

 

Have you tracked these sessions to see if:

they are valid

infected host

count the number of NXDOMAIN

ensured nothing is infected

etc.

 

PCNSE 

NSE 

StrongSwan  
FortiAdam
Contributor II

Sorry I should have been more specific with the session count.  15k was my overall average, not just DNS sessions.  From 1p-2p today I had 175318 DNS sessions compared to 139371 HTTP sessions.  

My faulty logic led me to believe that running a DNS server on the firewall for each interface would keep me from having open DNS sessions, but apparently that isn't the case?

emnoc
Esteemed Contributor III

> My faulty logic led me to believe that running a DNS server on the firewall for each interface would keep me from having open DNS sessions, but apparently that isn't the case?

 

Well yes, it's a local policy and policy-id 0 is the match.

 

Also the FortiGate would generate 2 policies for a local client using the FortiGate for a lookup:

 

Leg 1: client to FGT (name-server)

Leg 2: FGT to external name-server (for the recursive lookup)

 

So no matter if you route across an interface or serve locally, you will always have a session.

 

PCNSE 

NSE 

StrongSwan  
Mark_Oakton
Contributor

I would suggest not having the firewall act as the DNS server; either allow traffic out and don't log, or use a separate DNS service (FortiDNS).

Infosec Partners