I know that there are some topics around this, but most of them are a little bit older.
At one customer I am getting the above IPS notifications because something is trying to resolve a .win top level domain. What I do not understand is why the IPS is catching this and not ATP. Source of the blocked packet is the domain controller in the internal network, the destination was 1) the UTM, 2) one of the root hint servers and 3) another root hint.
The DNS configuration is as follows: the forwarding server of the internal DNS servers is the UTM; on the UTM no outside DNS servers are configured, it uses the root hint servers. The checkbox "use root..." in the Windows DNS servers' forwarding tab is selected, but I would have interpreted it as "use only if NO forwarding...".
So my questions are:
- why is IPS concerned about it and not ATP?
- THAT the UTM blocks the .win lookup is OK, but why does that result in the DNS server trying it for itself?
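The query path described above (domain controller asks the UTM forwarder, then retries the same name against two root hint servers) is something a defender can spot in DNS or firewall logs. The script below is an added example, not from the original post or from Sophos; the internal network, the UTM address, the hostname and the log format are constructed, and only the a/b root-server addresses are real public values.

```python
"""Constructed example: detect an internal DNS server falling back to root hints
after its forwarder (the UTM) dropped a query for a blocked TLD."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("192.168.10.0/24")          # constructed internal network
FORWARDER = ip_address("192.168.10.1")                # UTM acting as forwarder (constructed)
ROOT_SERVERS = {ip_address("198.41.0.4"),             # a.root-servers.net (public)
                ip_address("199.9.14.201")}           # b.root-servers.net (public)
BLOCKED_TLDS = {"win"}                                # TLD the UTM IPS blocked in the post


def tld(qname: str) -> str:
    """Return the last label, e.g. 'win' for 'update.example.win.'."""
    return qname.rstrip(".").rsplit(".", 1)[-1].lower()


def parse_line(line: str) -> dict:
    """Parse the constructed 'src dst qname' log format used in SAMPLE_LOG."""
    src, dst, qname = line.split()
    return {"src": ip_address(src), "dst": ip_address(dst), "qname": qname}


def root_hint_fallbacks(lines):
    """Map (src, qname) -> ordered destinations for queries an internal host first
    sent to the forwarder and then retried against one or more root servers."""
    path = defaultdict(list)
    for ev in map(parse_line, lines):
        if ev["src"] in INTERNAL_NET:
            path[(str(ev["src"]), ev["qname"])].append(ev["dst"])
    result = {}
    for key, dsts in path.items():
        if dsts[0] == FORWARDER and any(d in ROOT_SERVERS for d in dsts[1:]):
            result[key] = [str(d) for d in dsts]
    return result


def blocked_tld_queries(lines):
    """Sorted unique query names whose TLD is on the block list."""
    return sorted({parse_line(l)["qname"] for l in lines
                   if tld(parse_line(l)["qname"]) in BLOCKED_TLDS})


SAMPLE_LOG = [  # constructed: the same .win name goes to the UTM, then to two roots
    "192.168.10.5 192.168.10.1 update.example.win.",
    "192.168.10.5 198.41.0.4 update.example.win.",
    "192.168.10.5 199.9.14.201 update.example.win.",
    "192.168.10.5 192.168.10.1 www.example.com.",
]

if __name__ == "__main__":
    print(root_hint_fallbacks(SAMPLE_LOG))
    print(blocked_tld_queries(SAMPLE_LOG))
```

A hit in `root_hint_fallbacks` means the forwarder gave no answer and the Windows DNS server moved on to root hints; seeing the same source reach several root servers for one name is the pattern from the IPS notifications above.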