Chapter 4: Service Protection Profiles (SPP) > FAQ: SPP Settings

FAQ: SPP Settings

Service Ports

This section discusses some of the questions that users often have about service port ACLs and port rate limit thresholds.

How does FortiDDoS identify UDP services?

Ports 0-1023 are assigned by IANA to well-known services. For example, UDP port 53 is assigned to DNS. When you configure ACL or threshold rules for well-known UDP services in the 0-1023 range, configure rules for the IANA-assigned port. You do not configure rules for the associated, unassigned ports used by the client (these are numbered above 1023). For example, for DNS, configure an inbound rule for port 53 and an outbound rule for port 53.

The user interface label for the ACL service setting shows "Destination Port." This is misleading. Beginning with release 4.1.6, the UDP service is identified when either the source or destination port is the well-known port. The inbound and outbound traffic shown in Figure 41, for example, is identified as port 53 (DNS) traffic.

For an ACL deny rule, UDP service identification means the packets are denied if either the source port or the destination port matches the well known port. If you use an ACL policy to deny port 53, you are denying all DNS service traffic in the direction specified in your rule. If you want to deny inbound DNS service to an SPP, but the SPP has internal clients making outbound DNS queries to resolve addresses, we recommend that you not use the ACL (which would result in inbound DNS response traffic being dropped).

Instead, we recommend that you use rate limiting thresholds that allow inbound responses to outbound queries but at low rates to prevent DNS floods. You can set a low inbound threshold for DNS (UDP port 53) rather than deny inbound DNS service. The system recommended thresholds will set limits consistent with your baseline traffic. If you set user-defined thresholds for UDP ports, keep in mind these guidelines on how FortiDDoS tracks UDP service traffic. The inbound and outbound packet counters are incremented when traffic for the service is identified (by either source or destination port). Think of it as a service rate limit rather than a port rate limit.
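As an added illustration (not FortiDDoS code), the following Python models the either-port service identification and per-direction service counters described above, and shows why an inbound ACL deny on port 53 would also drop responses to the SPP's own outbound DNS queries, whereas a threshold only flags traffic that exceeds a limit. The packet sample and the helper names are constructed for this example.

```python
# Added example (not FortiDDoS code): a packet is attributed to a well-known
# service when EITHER its source or destination port is the IANA-assigned port
# (0-1023); inbound/outbound counters are kept per service, not per dest port.
from collections import Counter
from dataclasses import dataclass

WELL_KNOWN_MAX = 1023

@dataclass(frozen=True)
class UdpPacket:
    direction: str  # "inbound" (toward the SPP) or "outbound" (from the SPP)
    src_port: int
    dst_port: int

def identify_service(pkt):
    """Return the well-known port identifying this packet's service, or None.
    Matches either end of the flow, so a DNS query (51234 -> 53) and its
    response (53 -> 51234) are both counted as port-53 (DNS) traffic."""
    for port in (pkt.dst_port, pkt.src_port):
        if port <= WELL_KNOWN_MAX:
            return port
    return None

def count_by_service(packets):
    """Per-service, per-direction packet counters, as the text describes."""
    counts = Counter()
    for pkt in packets:
        svc = identify_service(pkt)
        if svc is not None:
            counts[(svc, pkt.direction)] += 1
    return counts

def acl_denied(pkt, deny_port, deny_direction):
    """ACL deny on a service port: dropped if the packet travels in the denied
    direction and EITHER port matches. This is why an inbound deny on 53 also
    drops the responses to the SPP's own outbound DNS queries."""
    return pkt.direction == deny_direction and identify_service(pkt) == deny_port

def over_threshold(packets, port, direction, limit):
    """Rate-limit alternative: flag the service/direction only when its packet
    count exceeds `limit` (per measurement interval, assumed here)."""
    return count_by_service(packets)[(port, direction)] > limit

# Constructed sample traffic: an internal client's DNS lookup and its response,
# plus an unsolicited external query to a DNS server inside the SPP.
SAMPLE = [
    UdpPacket("outbound", 51234, 53),  # internal client's query
    UdpPacket("inbound", 53, 51234),   # response to that query
    UdpPacket("inbound", 40000, 53),   # external query to internal DNS server
]
```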

The most-active-source outbound threshold and the UDP port 0-1023 outbound threshold are set to higher values, as per the system recommendation.

Figure 41: UDP service ports for DNS