
INDICATOR-COMPROMISE Suspicious .tk dns query

So I am getting emails about some bad DNS queries:

"INDICATOR-COMPROMISE Suspicious .tk dns query"

I have looked into this, and for the most part, these are "legit" drops, but not ALL are...

Myself, I have signed up for a free .tk domain, and set it to my external IP, but I cannot resolve my domain to an IP because of these drops.


How can I "whitelist" MY .tk domain, while still blocking the others?



  • you could try to edit this file:

    /etc/snort/rules/astaro.rules


    Remove this line:

    drop udp $HOME_NET any -> any 53 (msg:"D INDICATOR-COMPROMISE Suspicious .tk dns query " group="241"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|02|tk|00|"; fast_pattern:only; metadata:policy security-ips drop, service dns; classtype:trojan-activity; sid:39867;)

    I don't know how long this lasts, probably until next pattern update...
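    The rule quoted above is a raw byte match, so it helps to see exactly what it fires on. The following Python script is an added example, not code from the thread or from Sophos: it builds a few constructed DNS query packets, reproduces the two conditions of sid:39867 (`byte_test:1,!&,0xF8,2`, which requires the first flags byte to have QR=0 and OPCODE=0, i.e. a standard query; and `content:"|02|tk|00|"`, the wire encoding of a final `tk` label), and then parses the QNAME so that one hypothetical domain (`mydomain.tk`, a stand-in for the poster's own registration) can be allowlisted while every other `.tk` query is still flagged. It illustrates the logic of a name-level exception; it is not a UTM configuration.

```python
import struct

# Constructed sample: build a minimal DNS message (header + one question) as it
# would appear in the UDP payload that the Snort rule inspects.
def build_query(name: str, txid: int = 0x1234, flags: int = 0x0100) -> bytes:
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels)
    qname += b"\x00"
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_qname(payload: bytes, offset: int = 12):
    """Decode the QNAME that starts right after the 12-byte header.
    Returns (lower-cased dotted name, offset just past the terminating 0)."""
    labels = []
    while True:
        length = payload[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0:
            # Compression pointers are not valid in a query's QNAME; treat as malformed.
            raise ValueError("compression pointer in QNAME")
        offset += 1
        labels.append(payload[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels).lower(), offset


def rule_39867_matches(payload: bytes) -> bool:
    """Mirror the two detection conditions of the quoted rule.

    byte_test:1,!&,0xF8,2  -> byte at offset 2 has none of 0xF8 set (QR=0, OPCODE=0)
    content:"|02|tk|00|"    -> bytes 02 74 6b 00 appear anywhere in the payload
    Like the rule, this is a raw byte search, not a check restricted to the QNAME.
    """
    if len(payload) < 12:
        return False
    if payload[2] & 0xF8:
        return False
    return b"\x02tk\x00" in payload


# Hypothetical allowlist: the poster's own .tk domain (assumed name, not from the thread).
ALLOWLIST = {"mydomain.tk"}


def allowed(qname: str) -> bool:
    """True for an allowlisted name or any subdomain of one."""
    return any(qname == d or qname.endswith("." + d) for d in ALLOWLIST)


def classify(payload: bytes) -> str:
    """'pass'  : the rule would not fire at all
       'allow' : the rule fires but the parsed QNAME is allowlisted
       'drop'  : the rule fires and the name is not allowlisted"""
    if not rule_39867_matches(payload):
        return "pass"
    qname, _ = parse_qname(payload)
    return "allow" if allowed(qname) else "drop"


if __name__ == "__main__":
    samples = {
        "own domain query": build_query("mydomain.tk"),
        "other .tk query": build_query("update.example.tk"),
        "non-.tk query": build_query("example.com"),
        # A response (QR=1) for the own domain: byte_test fails, so the rule never fires.
        "own domain response": build_query("mydomain.tk", flags=0x8180),
    }
    for label, pkt in samples.items():
        print(f"{label:22s} -> {classify(pkt)}")
```

    Note that the rule only looks at traffic toward port 53 with the query bit clear, which is why the response packet above is never examined; and because `content:` is a plain byte search, any packet that happens to contain `02 74 6b 00` is flagged, which is what makes a name-level allowlist like the one in `classify()` necessary if you want to keep the rule but exempt one domain.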

  • I am encountering this as well.  My anti-spam appliance is being blocked from some DNS lookups of potentially malicious domains, specifically those ending in .tk.  I'm trying to come up with a way to allow the traffic, without disabling too many features in the IPS module.  Of course the question is, do I even want to allow my anti-spam appliance doing DNS lookups of potentially malicious sites?  Nevertheless, here is what I came up with.  Anyone know if this would work?

     

    Under Network Protection > Intrusion Prevention > Exceptions

    Create a New Exceptions List with the following settings:

    Skip These Checks: Intrusion Prevention

    For All Requests Coming From: Anti-Spam Appliance

    And Using These Services: DNS

     

    Regards,

    -------------------------------

    Interesting [in-ter-uh-sting, -truh-sting, -tuh-res-ting]

    A word typically used by IT technicians to describe an issue they didn't expect, or never encountered, and don't know how to fix.

  • That should do what you want.

    Here's a nifty trick that others can use to block all DNS inquiries to the .tk TLD: Block a TLD

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello Bob, I am having the same issue with the .tk domain that keeps triggering the IPS. On your nifty trick, do I just use the IP address triggered by the IPS, or is there a way to block the domain itself? I already have a DNAT in place to block IP addresses, but I feel it's not working. You seem to be the go-to guy in all the forums I read, and your thoughts have really helped me.

    Thanks

     

    Gino.

  • Hi, Gino, and welcome to the UTM Community!

    Thanks for the vote of confidence!

    Just follow the link in my post above to which you replied.  That effectively blocks the entire domain.  The IP in the Network definition is a dummy one, so no lookups can be made for the top level domain.  Just replace "ru" with "tk" in the definition.  If you also want to block ru, then just add tk to 'Additional Hostnames'.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA