DotW: DNS as a Top Application

Created On 09/25/18 19:22 PM - Last Modified 07/19/22 23:11 PM


Resolution



User 'jharlow' had a question about DNS showing up as his top application, with web-browsing second. In a one-hour period he was observing 27,700 DNS sessions and 24,100 web-browsing sessions. Because his organization ran its own internal DNS server, he wondered why so many DNS sessions were showing up.

[Screenshot: DNS top applications (2015-06-22)]

This happens because web pages are more complex today. A single modern web page can contain many parts, such as:

  • Images hosted on other domains/sites
  • Social Media plugins like Facebook and Twitter to share and like items
  • Website Advertising
  • External links for content distribution
  • Website analytics

Every one of these parts not only performs its own DNS lookup, but can also pull content from those other domains/sites, generating a large amount of traffic from a small number of legitimate website visits.

In my experience, when DNS traffic is this active on your network, DNS will end up as the most active application talking through your firewall. In almost every case it is fine to create a separate outbound rule for DNS traffic on its default port (application-default) and turn off logging for that rule. To remain protected, I recommend attaching a security profile to that rule so that malicious traffic, viruses and so forth are still caught.
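Before turning off logging for DNS, the check I would want to run is whether the DNS sessions actually come from the internal resolver, as they should, or from clients resolving directly. The script below is an added example and not code from the original article or from Palo Alto Networks; it reads a simplified, constructed CSV log layout (receive_time, src, dst, dport, app) rather than the exact PAN-OS traffic-log format, and the resolver address 10.0.0.53 is an assumed value.

```python
"""Summarise DNS sessions in a slice of firewall traffic logs (added example).

Assumptions: a simplified CSV log layout, not the real PAN-OS traffic-log
format, and an internal resolver at 10.0.0.53 (assumed value).
"""
from collections import Counter
import csv
import io

INTERNAL_RESOLVER = "10.0.0.53"  # assumed address of the site's own DNS server

# Constructed sample log lines: one browser visit fans out into many DNS lookups
# (images, social plugins, ads, analytics); two hosts bypass the internal resolver.
SAMPLE_LOG = """\
receive_time,src,dst,dport,app
2015-06-22 09:00:01,10.0.0.53,8.8.8.8,53,dns
2015-06-22 09:00:01,10.0.0.53,8.8.8.8,53,dns
2015-06-22 09:00:01,10.0.0.53,8.8.8.8,53,dns
2015-06-22 09:00:02,10.0.1.15,203.0.113.10,443,web-browsing
2015-06-22 09:00:02,10.0.1.15,203.0.113.20,443,web-browsing
2015-06-22 09:00:03,10.0.0.53,8.8.4.4,53,dns
2015-06-22 09:00:03,10.0.1.22,1.1.1.1,53,dns
2015-06-22 09:00:04,10.0.1.22,1.1.1.1,53,dns
2015-06-22 09:00:04,10.0.1.30,198.51.100.5,80,web-browsing
2015-06-22 09:00:05,10.0.1.40,9.9.9.9,53,dns
"""


def parse_log(text):
    """Parse CSV log text into a list of dicts, one per session."""
    return list(csv.DictReader(io.StringIO(text)))


def app_counts(sessions):
    """Sessions per application; most_common() gives the 'top applications' order."""
    return Counter(s["app"] for s in sessions)


def dns_sources(sessions, resolver=INTERNAL_RESOLVER):
    """Split DNS sessions into those from the internal resolver and all others.

    With a working internal resolver nearly all outbound DNS should come from
    it. DNS from other hosts means clients are resolving directly, which
    inflates the session count and bypasses whatever the resolver enforces.
    """
    dns = [s for s in sessions if s["app"] == "dns"]
    by_src = Counter(s["src"] for s in dns)
    return {
        "total": len(dns),
        "from_resolver": by_src.get(resolver, 0),
        "other_sources": {src: n for src, n in by_src.items() if src != resolver},
    }


def summarise(text, resolver=INTERNAL_RESOLVER):
    """Top application plus the resolver share of DNS sessions (0.0 to 1.0)."""
    sessions = parse_log(text)
    counts = app_counts(sessions)
    dns = dns_sources(sessions, resolver)
    share = dns["from_resolver"] / dns["total"] if dns["total"] else 0.0
    return {
        "top_app": counts.most_common(1)[0][0],
        "counts": dict(counts),
        "resolver_share": share,
        "bypassing_hosts": sorted(dns["other_sources"]),
    }


if __name__ == "__main__":
    result = summarise(SAMPLE_LOG)
    print(f"top application: {result['top_app']} {result['counts']}")
    print(f"DNS via internal resolver: {result['resolver_share']:.0%}")
    print(f"hosts resolving directly: {result['bypassing_hosts']}")
```

If the resolver share is high, the volume is the normal fan-out described above and the separate DNS rule is a reasonable place to stop logging; if it is low, the hosts listed are resolving on their own, and that is worth a look before their DNS disappears from the logs.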

To view the discussion, please visit the following link:

DNS top applications?


As always, I welcome any comments or suggestions for live.paloaltonetworks.com, so please comment below!


Thanks for reading.

Joe Delio



https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClX1CAK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail