
[INFO-852] Intrusion Prevention Alert (Packet dropped) in combination with DNS forwarding

I know that there are some topics around this, but most of them are a little bit older.

At one customer I am getting the above IPS notifications because something is trying to resolve a .win top-level domain. What I do not understand is why the IPS is catching this and not ATP. The source of the blocked packet is the domain controller in the internal network; the destinations were 1) the UTM, 2) one of the root hint servers and 3) another root hint server.

The DNS configuration is as follows: the forwarding server of the internal DNS servers is the UTM; on the UTM no outside DNS servers are configured, it uses the root hint servers. The checkbox "use root..." in the Windows DNS server's forwarding tab is selected, but I would have interpreted it as "use only if NO forwarding...".

So my questions are:

  • why is IPS concerned about it and not ATP?
  • THAT the UTM blocks the .win lookup is OK, but why does that result in the DNS server trying it for itself?


  • I am seeing similar warnings, once per day, somewhere around 3 am. I have concluded that the DNS servers are refreshing their top-level root pointers, and the alert can be ignored.

  • ATP blocks show up in several (at least two) different log files. These DNS queries are for TLDs that are deemed "dangerous" by ATP. You both already know that the real source of the query is likely an infected client of the DC, but others might not recognize that immediately.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Bob, sure, it is a DNS query that is handled by the DNS server, but why is it treated as an incoming attack (IPS) rather than outgoing malicious traffic (ATP)?

    Regards,

    Kevin
    Sophos CE/CA (XG+UTM), Gold Partner

  • I think it's in that log because the Snort engine is what's used to check for this, Kevin. ATP looks at traffic in both directions. I don't ever recall seeing anything written to the ATP log.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
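Two practical follow-ups to the thread, as an added example that is not part of any post above and not Sophos' or Microsoft's own code. First, the "use root..." checkbox in the Windows DNS forwarding tab maps to the forwarder setting UseRootHint; per its documentation, when it is $true the server tries an iterative query via the root hints if the forwarders do not resolve the name, which is why the DC itself ends up sending the .win query to root servers once the UTM drops the forwarded packet. Second, to find the "infected client of the DC" that Bob mentions, the DNS debug log records each received query with the client's address. The script below assumes the DnsServer PowerShell module (Windows Server 2012 or later), a hypothetical DC name dc01.corp.example, a hypothetical log path, and the debug log's label-encoded name format (e.g. `(7)example(3)win(0)`); the sample log lines at the end are constructed for illustration.

```powershell
# Added example: check/disable root-hint fallback on a Windows DNS server and
# find which internal client is asking for names under a given TLD.
# Assumptions (not from the thread): DnsServer module present, DC name and log
# path below are placeholders, debug log uses the label-encoded name format.

Import-Module DnsServer -ErrorAction Stop

$Dc      = 'dc01.corp.example'      # assumed domain controller name
$LogPath = 'C:\DnsLogs\dns.log'     # assumed debug log location

# 1. Inspect the forwarder configuration. UseRootHint is the GUI checkbox
#    "Use root hints if no forwarders are available".
$fwd = Get-DnsServerForwarder -ComputerName $Dc
$fwd | Format-List IPAddress, UseRootHint, Timeout

# 2. With UseRootHint = $true the server retries unanswered queries against
#    the root servers itself (the second and third blocked packets in the
#    original post). Turning it off keeps a dropped forwarder lookup failed
#    instead of letting the DC go out to the root hints on its own.
if ($fwd.UseRootHint) {
    Set-DnsServerForwarder -ComputerName $Dc -UseRootHint $false
}

# 3. Log received queries to a file so the originating client shows up.
Set-DnsServerDiagnostics -ComputerName $Dc `
    -Queries $true -ReceivePackets $true -UdpPackets $true -TcpPackets $true `
    -EnableLoggingToFile $true -LogFilePath $LogPath

# 4. Parse the debug log: count queries per client for one TLD.
#    Only "Rcv" (received) lines are client queries; "Snd" lines are the
#    server's own forwarding/iterative traffic and would point at the DC.
function Get-TldQueryClients {
    param(
        [Parameter(Mandatory)] [string[]] $LogLines,
        [Parameter(Mandatory)] [string]   $Tld      # e.g. 'win'
    )
    $label   = "\($($Tld.Length)\)$([regex]::Escape($Tld))\(0\)"
    $pattern = "\bRcv\s+(?<client>\d{1,3}(?:\.\d{1,3}){3})\b.*$label"
    $LogLines |
        ForEach-Object {
            $m = [regex]::Match($_, $pattern)
            if ($m.Success) { $m.Groups['client'].Value }
        } |
        Group-Object |
        Sort-Object Count -Descending |
        Select-Object @{ n = 'Client'; e = { $_.Name } }, Count
}

# Constructed sample lines in the Windows DNS debug log layout (not real data).
$sample = @(
    '3/31/2020 3:02:11 AM 0E50 PACKET  000000A1B2C3D4E0 UDP Rcv 192.168.10.57  0002   Q [0001   D   NOERROR] A      (7)example(3)win(0)',
    '3/31/2020 3:02:11 AM 0E50 PACKET  000000A1B2C3D4E8 UDP Snd 192.0.2.1      0002   Q [0001   D   NOERROR] A      (7)example(3)win(0)',
    '3/31/2020 3:02:15 AM 0E50 PACKET  000000A1B2C3D4F0 UDP Rcv 192.168.10.57  0003   Q [0001   D   NOERROR] A      (5)other(3)win(0)',
    '3/31/2020 3:02:20 AM 0E50 PACKET  000000A1B2C3D4F8 UDP Rcv 192.168.10.23  0004   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)'
)
# Expected: 192.168.10.57 with Count 2; the Snd line and the .com query are ignored.
Get-TldQueryClients -LogLines $sample -Tld 'win'

# Against the real log once it has been collecting for a while:
# Get-TldQueryClients -LogLines (Get-Content $LogPath) -Tld 'win'
```

Disabling the root-hint fallback does not change the IPS verdict on the UTM; it only stops the DC from generating the extra root-server packets after the forwarded query is dropped. The client found by step 4 is the host to examine, since the DC is just relaying its query.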