Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
jmlux
New Contributor III

strange DNS traffic

Hello all,

 

We have noticed non-DNS traffic on port 53 from the Fortigate to the Internet (because we have another firewall between the Fortigate and the Internet ;) )

 

1.2.3.4 1798 208.91.112.196 53 udp flow from InternetTransit:1.2.3.4/1798 to Internet:208.91.112.196/53 terminated by inspection engine, reason - inspector disconnected, dropped packet.

 

Wireshark shows this:

 

What is that??

10 REPLIES 10
Sylvia
Contributor II

Most probably this is the Fortiguard Communication for Webfilter and Antispam to the Fortiguard Server.

Check in the WebUI: System > Fortiguard, go to the bottom and open "Webfilter and Antispam".

Here you can configure if the Fortigate should use port 53 or port 8888 for the communication.

 

Regards,

Sylvia

jmlux
New Contributor III

Sylvia wrote:

Most probably this is the Fortiguard Communication for Webfilter and Antispam to the Fortiguard Server.

Check in the WebUI: System > Fortiguard, go to the bottom and open "Webfilter and Antispam".

Here you can configure if the Fortigate should use port 53 or port 8888 for the communication.

But we have that disabled anyway.

Ian_Harrison

Hi

 

Looks like you have disabled the push updates from Fortiguard to your device, however scheduled update requests from your device to Fortiguard are still enabled on port 53.  As mentioned you can change this to port 8888. 

 

Also the IP address 208.91.112.196 is in the range owned by Fortinet so probably one of their Fortiguard servers.  

 

Hope that helps

 

Ian 

Web: www.activatelearning.ac.uk Twitter: twitter.com/activate_learn Facebook: facebook.com/Activate-Learning
jmlux
New Contributor III

Ian Harrison wrote:

Looks like you have disabled the push updates from Fortiguard to your device, however scheduled update requests from your device to Fortiguard are still enabled on port 53.  As mentioned you can change this to port 8888.

It always seemed to me that the shown ports applied to the webfilter/emailfilter cache section and not to the updates. In any case, the updates are scheduled for every hour, the DNS queries (or should I say the data sent to Fortinet via the DNS port) are there permanently, not only every hour.

ede_pfau

Ports 53/udp and 8888/udp are indeed used for webfiltering and email (SPAM) filtering. This is not only confined to signature updates; if a webfilter is active each passing URL needs to be categorized. So there is a constant stream of data flowing out and in.

 

Historically, FortiOS used port 8888/udp to contact the Fortiguard servers (first contact will be to service.fortiguard.net to obtain the list of Fortiguard servers available). Then, especially if the FGT is deployed in transparent mode, upstream firewalls often blocked the high port. Thus the alternative "well known" port 53/udp as DNS requests are most likely (but not always) allowed out.

Nowadays, the upstream firewall may look into DNS traffic and block it as "non-standard" as it is in fact, non-DNS. Sigh.

Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
jmlux
New Contributor III

Ok, but as I have shown in the screenshot, nothing is enabled. So what could be the reason that there still is non-DNS traffic on port 53?

jmlux
New Contributor III

So noone have an idea what kind of info is transmitted via port 53 when potentially everything that could be a trigger to look something up with Fortinet Online Services is disabled?

jmlux
New Contributor III

I have found part of an answer: As soon as one of the policy rules has Antivirus enabled, then the strange UDP traffic is there. So it has nothing to do with updates indeed but it is some kind of live traffic stream to Fortinet servers.

It doesn't even seem to matter if Antivirus is set to flow- or proxy-based and what kind of traffic should be proxied.

 

Working with all these UTM features and what they entail unfortunately seems like info that is hard to come by....

localhost

I agree with ede_pfau.

Do you have a webfilter enabled on a firewall policy?

 

FG does a FortiGuard lookup, to get the categories for the websites you are visiting.

This will create exactly this constant stream of queries you see.

 

I'm not sure if "Detect Connections to Botnet C&C Servers" in the virus profile als queries the FortiGuard Service or it's just using the internal Virus DB.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors