Hello,
I noticed some alerts in Advanced Threat Protection. I think that it should be related to some DNS security issues. This is my scenario:
I have a local DC which runs a DNS server, which uses the UTM as a DNS forwarder.
I configured the DNS service in my UTM to only accept queries from internal interfaces. I also configured two DNS request routes:
1.168.192.in-addr.arpa directed to the internal DNS domain controller
mydomain.local directed to the internal DNS domain controller
These are the entries in ATP log file:
2017:01:27-12:31:21 FIREWALL named[4651]: rpz: client INTERNAL_DNS_SERVER_IP_ADDRESS#53779 (ns1.broadbandplusmedia.net): view default: rpz QNAME NXDOMAIN rewrite ns1.broadbandplusmedia.net via ns1.broadbandplusmedia.net.rpz
2017:01:27-12:31:21 FIREWALL named[4651]: rpz: client INTERNAL_DNS_SERVER_IP_ADDRESS#53310 (ns2.broadbandplusmedia.net): view default: rpz QNAME NXDOMAIN rewrite ns2.broadbandplusmedia.net via ns2.broadbandplusmedia.net.rpz
These are some entries in DC DNS server log file:
27/01/2017 12:31:21 0C88 PACKET 000000000CA9C240 UDP Rcv 50.7.0.95 735c R Q [1080 NOERROR] PTR (2)50(2)82(2)16(3)198(7)in-addr(4)arpa(0)
27/01/2017 12:31:21 0C88 PACKET 000000000B667900 UDP Snd UTM_IP_ADDRESS 01c7 Q [1001 D NOERROR] A (3)ns1(18)broadbandplusmedia(3)net(0)
27/01/2017 12:31:21 0C88 PACKET 0000000007FD8020 UDP Rcv UTM_IP_ADDRESS 01c7 R Q [9381 DR NXDOMAIN] A (3)ns1(18)broadbandplusmedia(3)net(0)
27/01/2017 12:31:21 0C88 PACKET 000000000B667900 UDP Snd 192.5.6.30 a12f Q [1000 NOERROR] A (3)ns1(18)broadbandplusmedia(3)net(0)
27/01/2017 12:31:21 0C88 PACKET 000000000BEBE940 UDP Rcv 50.7.0.95 11a7 R Q [0080 NOERROR] PTR (2)42(2)82(2)16(3)198(7)in-addr(4)arpa(0)
27/01/2017 12:31:21 0C88 PACKET 0000000004A5A130 UDP Snd UTM_IP_ADDRESS b7c4 Q [1001 D NOERROR] A (3)ns2(18)broadbandplusmedia(3)net(0)
27/01/2017 12:31:21 0C88 PACKET 000000000E5C8DB0 UDP Rcv UTM_IP_ADDRESS b7c4 R Q [9381 DR NXDOMAIN] A (3)ns2(18)broadbandplusmedia(3)net(0)
27/01/2017 12:31:21 0C88 PACKET 0000000004A5A130 UDP Snd 192.5.6.30 d847 Q [0000 NOERROR] A (3)ns2(18)broadbandplusmedia(3)net(0)
27/01/2017 12:31:21 0C88 PACKET 000000000E1121D0 UDP Rcv 192.5.6.30 a12f R Q [1080 NOERROR] A (3)ns1(18)broadbandplusmedia(3)net(0)
27/01/2017 12:31:21 0C88 PACKET 000000000422BFD0 UDP Rcv 192.5.6.30 d847 R Q [0080 NOERROR] A (3)ns2(18)broadbandplusmedia(3)net(0)
As you may see, it seems that external addresses contact my local DNS server directly. I cannot understand how this is possible, since the UTM is not exposed to external DNS queries.
Any suggestions?
Thanks
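As an added example (my own code, not from the original post or from Sophos), here is a small Python parser for the Windows DNS Server debug-log lines quoted above. The log format records, per packet, the direction (Snd/Rcv), the remote address, the transaction id, an R marker when the packet is a response rather than a query, the response code, and the queried name in label-length form such as (3)ns1(18)broadbandplusmedia(3)net(0). The parser decodes the names, lists any queries received from non-internal addresses, and lists the names for which the server got NXDOMAIN from the forwarder and then sent the same question to a different server. Assumptions: 192.168.1.0/24 is the internal range (taken from the 1.168.192.in-addr.arpa route), and UTM_IP_ADDRESS is kept as the post's placeholder for the forwarder address.

```python
"""Parse Windows DNS debug-log PACKET lines and run two defender checks:
received queries from external addresses, and forwarder-bypass retries."""
import ipaddress
import re
from dataclasses import dataclass

# One record per line; whitespace between fields is collapsed in the post.
LINE_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<tid>[0-9A-Fa-f]+)\s+PACKET\s+"
    r"(?P<pkt>[0-9A-Fa-f]+)\s+(?P<proto>UDP|TCP)\s+(?P<dir>Snd|Rcv)\s+"
    r"(?P<ip>\S+)\s+(?P<xid>[0-9A-Fa-f]{4})\s+(?:(?P<resp>R)\s+)?(?P<op>[QNU])\s+"
    r"\[(?P<flags>[0-9A-Fa-f]{4})\s+(?P<flagtext>[^\]]*)\]\s+(?P<qtype>\S+)\s+"
    r"(?P<name>\S+)$"
)
LABEL_RE = re.compile(r"\((\d+)\)([^(]*)")  # (len)label pairs, (0) terminates

# Assumption: internal range derived from the 1.168.192.in-addr.arpa route.
INTERNAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]
FORWARDER = "UTM_IP_ADDRESS"  # the post's placeholder, kept as-is

# DC log lines as quoted in the post.
SAMPLE_LOG = """\
27/01/2017 12:31:21 0C88 PACKET 000000000CA9C240 UDP Rcv 50.7.0.95 735c R Q [1080 NOERROR] PTR (2)50(2)82(2)16(3)198(7)in-addr(4)arpa(0)
27/01/2017 12:31:21 0C88 PACKET 000000000B667900 UDP Snd UTM_IP_ADDRESS 01c7 Q [1001 D NOERROR] A (3)ns1(18)broadbandplusmedia(3)net(0)
27/01/2017 12:31:21 0C88 PACKET 0000000007FD8020 UDP Rcv UTM_IP_ADDRESS 01c7 R Q [9381 DR NXDOMAIN] A (3)ns1(18)broadbandplusmedia(3)net(0)
27/01/2017 12:31:21 0C88 PACKET 000000000B667900 UDP Snd 192.5.6.30 a12f Q [1000 NOERROR] A (3)ns1(18)broadbandplusmedia(3)net(0)
27/01/2017 12:31:21 0C88 PACKET 000000000BEBE940 UDP Rcv 50.7.0.95 11a7 R Q [0080 NOERROR] PTR (2)42(2)82(2)16(3)198(7)in-addr(4)arpa(0)
27/01/2017 12:31:21 0C88 PACKET 0000000004A5A130 UDP Snd UTM_IP_ADDRESS b7c4 Q [1001 D NOERROR] A (3)ns2(18)broadbandplusmedia(3)net(0)
27/01/2017 12:31:21 0C88 PACKET 000000000E5C8DB0 UDP Rcv UTM_IP_ADDRESS b7c4 R Q [9381 DR NXDOMAIN] A (3)ns2(18)broadbandplusmedia(3)net(0)
27/01/2017 12:31:21 0C88 PACKET 0000000004A5A130 UDP Snd 192.5.6.30 d847 Q [0000 NOERROR] A (3)ns2(18)broadbandplusmedia(3)net(0)
27/01/2017 12:31:21 0C88 PACKET 000000000E1121D0 UDP Rcv 192.5.6.30 a12f R Q [1080 NOERROR] A (3)ns1(18)broadbandplusmedia(3)net(0)
27/01/2017 12:31:21 0C88 PACKET 000000000422BFD0 UDP Rcv 192.5.6.30 d847 R Q [0080 NOERROR] A (3)ns2(18)broadbandplusmedia(3)net(0)
"""


@dataclass
class Packet:
    direction: str    # "Snd" (sent by the DC) or "Rcv" (received by the DC)
    remote: str       # the other end of the packet
    xid: str          # DNS transaction id
    is_response: bool # True when the R marker is present
    rcode: str        # last word of the bracketed flag text, e.g. NXDOMAIN
    qtype: str
    qname: str


def decode_name(wire: str) -> str:
    """'(3)ns1(18)broadbandplusmedia(3)net(0)' -> 'ns1.broadbandplusmedia.net'"""
    labels = []
    for length, text in LABEL_RE.findall(wire):
        if int(length) == 0:
            break
        labels.append(text[: int(length)])
    return ".".join(labels)


def parse_line(line: str):
    """Return a Packet for a PACKET log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Packet(direction=m["dir"], remote=m["ip"], xid=m["xid"].lower(),
                  is_response=m["resp"] == "R", rcode=m["flagtext"].split()[-1],
                  qtype=m["qtype"], qname=decode_name(m["name"]))


def parse_log(text: str):
    return [p for p in (parse_line(l) for l in text.splitlines()) if p]


def is_external(addr: str, internal_nets=INTERNAL_NETS) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # non-IP placeholder such as UTM_IP_ADDRESS: treat as internal
    return not any(ip in net for net in internal_nets)


def inbound_external_queries(packets, internal_nets=INTERNAL_NETS):
    """Packets that are queries (no R marker) received from outside the LAN."""
    return [p for p in packets if p.direction == "Rcv" and not p.is_response
            and is_external(p.remote, internal_nets)]


def forwarder_bypass(packets, forwarder=FORWARDER):
    """(name, server) pairs where the DC got NXDOMAIN from the forwarder for
    a name and afterwards sent a query for the same name to another server."""
    seen_nx, hits = set(), []
    for p in packets:
        if (p.direction == "Rcv" and p.remote == forwarder
                and p.is_response and p.rcode == "NXDOMAIN"):
            seen_nx.add(p.qname)
        elif (p.direction == "Snd" and not p.is_response
                and p.remote != forwarder and p.qname in seen_nx):
            hits.append((p.qname, p.remote))
    return hits


if __name__ == "__main__":
    pk = parse_log(SAMPLE_LOG)
    print("queries received from external addresses:", inbound_external_queries(pk))
    print("names re-queried outside the forwarder after NXDOMAIN:", forwarder_bypass(pk))
```

On the quoted excerpt, every packet received from 50.7.0.95 and 192.5.6.30 carries the R marker, so the first check returns an empty list, while the second lists both ns1 and ns2 names being sent to 192.5.6.30 right after the forwarder answered NXDOMAIN. Run the same two functions over a full debug log (rather than this ten-line excerpt) before drawing conclusions about a given server.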